This note documents detection patterns related to PsExec within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | High | Network logon using administrative credentials. |
| Security | 4672 | Special privileges assigned | High | Admin privileges used during remote execution. |
| Security | 7045 | Service installed | Critical | PsExec installs a temporary service (often PSEXESVC). |
| Security | 5140 | Network share accessed | High | ADMIN$ share accessed to drop service binary. |
| Sysmon | 1 | Process creation | High | cmd.exe spawned from service context. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| PSEXESVC service creation | Temporary service installed | Critical | Classic PsExec artifact. |
| ADMIN$ share write | Binary dropped remotely | High | Used for service payload. |
| Service created then removed | Short-lived service execution | High | Common PsExec behavior. |
Common Tools
| Tool | Usage |
|---|---|
| Sysinternals PsExec | Native remote command execution tool. |
| Impacket psexec.py | Python implementation used in attacks. |
| CrackMapExec | Automates PsExec-style execution. |
| Metasploit psexec modules | Used for lateral movement. |
Relevant Artifacts
- Security logs (4624, 4672, 7045)
- Service control manager logs
- ADMIN$ share access logs
- Sysmon process creation
- EDR telemetry
MITRE ATT&CK References
- T1021.002 SMB/Windows Admin Shares
- T1569.002 Service Execution
Decision Tree
- Detect service installation event.
- Identify service name (e.g., PSEXESVC).
- Identify source host initiating connection.
- Inspect spawned command process.
- Determine lateral movement scope.
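The decision tree above, expressed as correlation logic over constructed sample events. This is an added example, not code from the original note; the event fields, hostnames, user and IP address are constructed, and the records are assumed to have been parsed from the Security and System logs already.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (already parsed from the Security/System logs), not real telemetry.
# 4624 logon_type 3 = network logon, 5140 = share access, 7045 = service installed.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "FS01", "id": 4624, "logon_type": 3,
     "src_ip": "10.0.0.5", "user": "CORP\\admin"},
    {"ts": "2024-05-01T10:00:02", "host": "FS01", "id": 5140, "share": "\\\\*\\ADMIN$",
     "src_ip": "10.0.0.5", "user": "CORP\\admin"},
    {"ts": "2024-05-01T10:00:03", "host": "FS01", "id": 7045, "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    # Benign install with no ADMIN$ write or network logon before it: must not be flagged.
    {"ts": "2024-05-01T10:05:00", "host": "FS01", "id": 7045, "service": "BackupAgent",
     "image": "C:\\Program Files\\Backup\\agent.exe"},
    {"ts": "2024-05-01T10:07:00", "host": "DB02", "id": 4624, "logon_type": 3,
     "src_ip": "10.0.0.5", "user": "CORP\\admin"},
    {"ts": "2024-05-01T10:07:01", "host": "DB02", "id": 5140, "share": "\\\\*\\ADMIN$",
     "src_ip": "10.0.0.5", "user": "CORP\\admin"},
    {"ts": "2024-05-01T10:07:02", "host": "DB02", "id": 7045, "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
]

def _t(e):
    return datetime.fromisoformat(e["ts"])

def correlate(events, window=timedelta(seconds=60)):
    """Flag a 7045 preceded, on the same host and within `window`, by an ADMIN$ access (5140)
    and a network logon (4624 type 3). The service name is reported but not required to match."""
    findings = []
    for svc in (e for e in events if e["id"] == 7045):
        prior = [e for e in events if e["host"] == svc["host"]
                 and timedelta(0) <= _t(svc) - _t(e) <= window]
        shares = [e for e in prior if e["id"] == 5140
                  and e.get("share", "").upper().endswith("ADMIN$")]
        logons = [e for e in prior if e["id"] == 4624 and e.get("logon_type") == 3]
        if shares and logons:
            findings.append({"host": svc["host"], "service": svc["service"], "image": svc["image"],
                             "src_ip": shares[-1]["src_ip"], "user": shares[-1]["user"],
                             "named_psexec": "PSEXESVC" in svc["service"].upper()})
    return findings

def lateral_scope(findings):
    """Last step of the decision tree: group flagged hosts by the source that pushed the service."""
    scope = defaultdict(set)
    for f in findings:
        scope[f["src_ip"]].add(f["host"])
    return {ip: sorted(hosts) for ip, hosts in scope.items()}
```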
Example Detection Templates
KQL
```kql
SecurityEvent
| where EventID == 7045
| where ServiceName contains "PSEXESVC"
```
EQL
```eql
// 7045 is a service-install event, not a process event, so match on any category
any where event.code == "7045" and winlog.event_data.ServiceName : "*PSEXESVC*"
```
Sigma
```yaml
title: PsExec Service Installation
logsource:
  product: windows
  service: system   # Event ID 7045 is written by the Service Control Manager to the System log
detection:
  selection:
    EventID: 7045
    ServiceName|contains: PSEXESVC
  condition: selection
level: high
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Admin share control | Restrict ADMIN$ usage | High | Limits remote execution. |
| Service monitoring | Alert on service installs | High | Detects lateral movement. |
| Credential hygiene | Limit admin reuse | Critical | Prevents propagation. |