The PSEXEC Remote Execution File Artefact rule detects remote command execution via PsExec by the key file that PsExec writes to the target system on every invocation, a common indicator of lateral movement and command and control activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate the risk of persistent, stealthy attacks.
Detection Rule
title: PSEXEC Remote Execution File Artefact
id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
status: test
description: Detects creation of the PSEXEC key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system.
references:
    - https://aboutdfir.com/the-key-to-identify-psexec/
    - https://twitter.com/davisrichardg/status/1616518800584704028
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-21
modified: 2023-02-23
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1136.002
    - attack.t1543.003
    - attack.t1570
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\PSEXEC-'
        TargetFilename|endswith: '.key'
    condition: selection
falsepositives:
    - Unlikely
level: high
imFileEvent
| where TargetFileName startswith "C:\\Windows\\PSEXEC-" and TargetFileName endswith ".key"
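The following is an added worked example, not part of the original rule page: it re-implements the rule's selection (case-insensitive startswith/endswith on TargetFilename, as Sigma string modifiers behave) over constructed file-creation events, and layers on an account allow-list as one instance of the kind of tuning the scenarios describe. Event field names, the sample file names and the account names are assumptions for illustration only.

```python
import json

# Sigma string modifiers compare case-insensitively, so both sides are lower-cased.
PREFIX = "c:\\windows\\psexec-"
SUFFIX = ".key"


def matches_psexec_key(event: dict) -> bool:
    """The rule's selection: TargetFilename startswith 'C:\\Windows\\PSEXEC-' and endswith '.key'."""
    name = str(event.get("TargetFilename", "")).lower()
    return name.startswith(PREFIX) and name.endswith(SUFFIX)


def triage(events, allowed_users=frozenset()):
    """Return (alerts, suppressed): rule hits split by an optional account allow-list.

    The allow-list is a tuning hook of the kind the false-positive scenarios describe
    (e.g. a patch-management service account); it is not part of the Sigma rule itself.
    """
    alerts, suppressed = [], []
    for ev in events:
        if not matches_psexec_key(ev):
            continue
        user = str(ev.get("User", "")).lower()
        (suppressed if user in allowed_users else alerts).append(ev)
    return alerts, suppressed


# Constructed sample events (Sysmon Event ID 11 style, not real telemetry).
# Key-file names are illustrative placeholders, not a claim about PsExec's exact naming.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"EventID":11,"Computer":"SRV01","User":"CORP\\jdoe","TargetFilename":"C:\\Windows\\PSEXEC-WKS01-ABCDEF12.key"}
{"EventID":11,"Computer":"SRV02","User":"CORP\\svc_patch","TargetFilename":"c:\\windows\\psexec-patchsrv-0011aabb.key"}
{"EventID":11,"Computer":"SRV03","User":"CORP\\jdoe","TargetFilename":"C:\\Windows\\Temp\\PSEXEC-notes.key"}
{"EventID":11,"Computer":"SRV04","User":"CORP\\jdoe","TargetFilename":"C:\\Windows\\PSEXEC-WKS01-ABCDEF12.log"}
""".strip().splitlines()]

if __name__ == "__main__":
    # SRV01 alerts; SRV02 is suppressed by the allow-list; SRV03/SRV04 never match the rule.
    alerts, suppressed = triage(SAMPLE_EVENTS, allowed_users={"corp\\svc_patch"})
    for ev in alerts:
        print("ALERT", ev["Computer"], ev["User"], ev["TargetFilename"])
    for ev in suppressed:
        print("suppressed (allow-listed account)", ev["Computer"], ev["TargetFilename"])
```

Note that the SRV03 event, a `.key` file under `C:\Windows\Temp`, does not match because the rule anchors on the `C:\Windows\PSEXEC-` prefix, so path-based exclusions below `C:\Windows` have no effect on this rule.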
Scenario: Scheduled Job Using PsExec for Patch Management
Description: A system administrator schedules a PowerShell script using PsExec to apply patches to remote servers during off-peak hours.
Filter/Exclusion: Check for the presence of a known patch management tool (e.g., Microsoft Update, SCCM) in the command line or script path. Exclude files created in the C:\Windows\Temp or C:\Windows\sysnative directories.
Scenario: Administrative Task Using PsExec for Remote Debugging
Description: A developer uses PsExec to remotely debug an application on a server, which creates the PSEXEC key file as part of the execution process.
Filter/Exclusion: Filter by user account (e.g., DOMAIN\DevTeam) and check for known debugging tools (e.g., Visual Studio, WinDbg) in the command line. Exclude files created in a dedicated debug directory (e.g., C:\DebugLogs).
Scenario: Legitimate Use of PsExec in a Security Toolchain
Description: A security tool (e.g., Cobalt Strike, Metasploit) uses PsExec as part of its payload delivery or execution process.
Filter/Exclusion: Check for the presence of known security tools in the command line or process tree. Exclude files created in a known security operations directory (e.g., C:\SOC\Tools).
Scenario: PsExec Used for System Maintenance via Group Policy
Description: A group policy object (GPO) is configured to run a maintenance script using PsExec on all domain-joined machines.
Filter/Exclusion: Filter by the System or Local System account, and check for the presence of GPO-related artifacts (e.g., C:\Windows\System32\GroupPolicy). Exclude files created in the `