Skip to content

PsExec.exe IOCs and Detection

PsExec.exe is a tool commonly used by system administrators, penetration testers, and threat actors. It is important to understand what indicators a tool may leave behind before using on a Red Team engagement.

This document highlights key IOCs generated when the SysInternals version of PsExec SysInternals PsExecis used. This is just only procedure of a larger set of techiques. Most variations of this technique share similar IOCs.

MITRE TTP

MITRE Technique T1035

MITRE TTP
Tatic Execution
Technique Service Execution
Procedure Use PsExec.exe to execute commands on a remote Windows system

Category

Command Execution

Description

Executes a command on a remote host.

Example of Presumed Tool Use During an Attack

The tool is used to execute a remote command on hosts and servers in a domain.

Tool Operation Overview

Item Description
OS Windows
Belongs to Domain Not required
Rights Standard User / Administrator
Communication Protocol - 88/tcp (when executing in a domain environment) - 135/tcp - 445/tcp - Random High Port

Information Acquired from Log

Standard Settings

Source host - A registry value created when the PsExec License Agreement has been agreed to (registry). - Execution history (Prefetch)
Destination Host - The fact that the PSEXESVC service has been installed, started, and ended is recorded (system log). - Execution history (Prefetch)

Additional Settings

Source host - The fact that the PsExec process was executed and that connection was made to the destination via the network, as well as the command name and argument for a remotely executed command are recorded (audit policy, Sysmon).
Destination Host - The fact that PSEXESVC.exe was created and accessed, and that connection was made from the source via the network, as well as the command name and argument for a remotely executed command are recorded (audit policy, Sysmon).
Packet Capture - Transmission of PSEXESVC and its output file (-stdin, -stdout, -stderr) with SMB2.

Evidence That Can Be Confirmed When Execution is Successful

Source Host The Event ID 4689 (A process has exited) indicating that psexec.exe was executed and has exited, was recorded in the event log "Security" with the execution result (return value) of "0x0".
Destination host In the Event ID: 7045 of the event log "System", the fact that the PSEXESVC service was installed is recorded.

Main Information Recorded at Execution

Source Host

Event Log

Log Event ID Task Category Event Details
Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create. CommandLine:__ Command line of the execution command ([Path to Executable File] [Execution Command]) UtcTime:__ Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (path to the executable file) User: Execute as user
Microsoft-Windows-Sysmon/Operationa 3 Network connection detected (rule: NetworkConnect) Network Connection Detected: Protocol: Protocol (tcp) Image: Path to the executable file (System) ProcessGuid/ProcessId: Process ID (4) User: Execute as user (NT_AUTHORITY\SYSTEM) SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source host) DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (destination ports: 135 and 445, high port)
Microsoft-Windows-Sysmon/Operationa 13 Registry value set (rule: RegistryEvent) Registry value set. Image: Path to the executable file (path to the tool) ProcessGuid/ProcessId: Process ID Details: Setting value written to the registry (DWORD: 0x00000001) TargetObject: Registry value at the write destination (\REGISTRY\USER[User SID]\SOFTWARE\Sysinternals\PsExec\EulaAccepted)
Security 4689 Process Termination A process has exited. Log Date and Time: Process terminated date and time (local time)Process Information > Exit Status:__ Process return value (0x0) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Process Name: Path to the executable file (path to the tool)

Prefetch

C:\Windows\Prefetch[Executable File Name of Tool]-[RANDOM].pf

Registry

Registry entry

Key: HKEY_USERS[User SID]\SOFTWARE\Sysinternals\PsExec\EulaAccepted Value: 0x00000001

Destination Host

Log Event ID Task Category Event Details
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access. Shared Information > Share Name: Share name (\*\ADMIN$) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Shared Information > Share Path: Share path (\??\C:\Windows) Shared Information > Relative Target Name: Relative target name from the share path (PSEXESVC.exe) Access Request Information > Access: Requested privileges (including WriteData or AddFile, and AppendData)
Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create. ParentImage: Executable file of the parent process (C:\Windows\system32\services.exe) CommandLine: Command line of the execution command ParentCommandLine: Command line of the parent process (C:\Windows\system32\services.exe) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process IDUser: Execute as user (NT AUTHORITY\SYSTEM) Image: Path to the executable file (C:\Windows\PSEXESVC.exe)
System 7045 A service was installed in the system. A service was installed. Service start type: Operation of trigger that starts the service (demand start) Service account: Executing account (LocalSystem) Service type: Type of the service to be executed (user mode service) Service Name: Name displayed in the service list (PSEXESVC) Service File Name: Service executable file (%SystemRoot%\PSEXESVC.exe)
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access. Shared Information > Share Name: Share name (\*\IPC$) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Shared Information > Relative Target Name: Relative target name from the share path (PSEXESVC-[Source Host Name]-[Source Process ID]-[stdin, stdout, stderr])
Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create. ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process (C:\Windows\PSEXESVC.exe) Image: Path to the executable file (Path to the executable file that was executed by PsExec) ParentCommandLine: Command line of the parent process (C:\Windows\PSEXESVC.exe)UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID
System 7036 Service Control Manager The [Service Name] service entered the [Status] state. Status: State after the transition (Stopped) Service Name: Target service name (PSEXESVC)
Security 4689 Process Termination A process has exited. Log Date and Time: Process terminated date and time (local time) Process Information > Exit Status: Process return value (0x0) Process Information > Process Name: Path to the executable file (C:\Windows\PSEXESVC.exe)
Security 4674 Sensitive Privilege Use An operation was attempted on a privileged object. Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Name of the object to be processed (PSEXESVC) Object > Object Server: Service that executed the process (SC Manager) Requested operation > Privileges: Requested privilege (DELETE) Process Information > Process Name: Path to the executable file (C:\Windows\System32\services.exe) Object > Object Type: Type of the object to be processed (SERVICE OBJECT)
Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created. Image: Path to the executable file (C:\Windows\System32\svchost.exe) ProcessGuid/ProcessId: Process IDTarget Filename: Created file (C:\Windows\Prefetch\PSEXECSVC.EXE-[Random Number].pf)Creation UtcTime: File creation date and time (UTC)

USN Journal

File Name Process
PSEXESVC.exe FILE_CREATE
PSEXESVC.exe DATA_EXTEND+FILE_CREATE
PSEXESVC.exe CLOSE+DATA_EXTEND+FILE_CREATE
PSEXESVC.EXE-[RANDOM].pf FILE_CREATE
PSEXESVC.EXE-[RANDOM].pf DATA_EXTEND+FILE_CREATE
PSEXESVC.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE
PSEXESVC.exe CLOSE+FILE_DELETE

Prefetch

C:\Windows\Prefetch\PSEXESVC.EXE-[RANDOM].pf

Interesting Events

References

JPCERT - Research Report Released: Detecting Lateral Movement through Tracking Event Logs https://blog.jpcert.or.jp/2017/06/1-ae0d.html

MITRE ATT&CK - Technique T1035 https://attack.mitre.org/wiki/Technique/T1035

JPCERT Tool Analysis Results https://jpcertcc.github.io/ToolAnalysisResultSheet/

JPCERT Tool Analysis Results - PsExec https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PsExec.htm