The detection of a default PsExec service filename indicates potential adversary installation and execution of PsExec for lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of compromise and mitigate lateral movement risks.
Detection Rule
title: PsExec Service File Creation
id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
related:
    - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
      type: derived
status: test
description: Detects default PsExec service filename which indicates PsExec service installation and execution
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2022-10-26
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\PSEXESVC.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
imFileEvent
| where TargetFileName endswith "\\PSEXESVC.exe"
Scenario: Legitimate PsExec Service Creation via Scheduled Task
Description: An admin creates a scheduled task using PsExec to run a maintenance script on a regular basis.
Filter/Exclusion: Check for the presence of a scheduled task with a known name (e.g., WeeklyMaintenance) and verify the script path is within a trusted directory (e.g., C:\Scripts\).
Scenario: PsExec Used for Remote Administration
Description: A system administrator uses PsExec to remotely execute a PowerShell script on a target machine for patching or configuration.
Filter/Exclusion: Filter by the source IP address of the admin’s workstation and check for the presence of a known admin tool (e.g., PowerShell.exe) in the command line.
Scenario: PsExec Service Created by a Third-Party Tool
Description: A legitimate third-party tool (e.g., Microsoft Deployment Toolkit) uses PsExec internally to deploy software across a domain.
Filter/Exclusion: Check for the presence of the third-party tool’s installation directory (e.g., C:\MDT\) and verify the service is created during a known deployment phase.
Scenario: PsExec Service Created by a System Update or Patching Tool
Description: A patching tool (e.g., Microsoft Endpoint Configuration Manager) uses PsExec to execute updates on remote machines.
Filter/Exclusion: Filter by the patching tool’s service account and check for the presence of the patching tool’s installation directory (e.g., C:\Program Files\Microsoft Endpoint Configuration Manager\).
Scenario: PsExec Service Created for Debugging or Troubleshooting
Description: A developer or support engineer creates a PsExec service temporarily to debug an application or troubleshoot an issue.
Filter/Exclusion: Check for the
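The following Python is an added example, not code from the original page or from the Sigma project: it applies the rule's selection (a TargetFilename ending in \PSEXESVC.exe, compared case-insensitively as both Sigma's endswith and KQL's endswith do) to a few constructed file-event records, and then applies allowlist-style exclusions modelled on the false-positive scenarios above. The field names (creating image, source IP, user), the sample events, and every allowlist value (workstation IP, tool directories, service account) are assumptions standing in for an organisation's own inventory.

```python
"""Added example (not from the original page or the Sigma project): applies the
PsExec Service File Creation rule's selection to constructed Windows file-event
records, then applies exclusions modelled on the false-positive scenarios.
Field names, sample events and all allowlist values are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sigma string modifiers such as |endswith are case-insensitive by default,
# and KQL's endswith is case-insensitive too, so compare on casefolded text.
PSEXEC_SERVICE_SUFFIX = "\\psexesvc.exe"


@dataclass(frozen=True)
class FileEvent:
    target_filename: str   # maps to Sigma TargetFilename / ASIM TargetFileName
    creating_image: str    # process that wrote the file (assumed field)
    src_ip: str            # network source of the write, "" if local (assumed)
    user: str              # account context of the write (assumed field)


def matches_rule(event: FileEvent) -> bool:
    """The rule's 'selection' block: default PsExec service binary name."""
    return event.target_filename.casefold().endswith(PSEXEC_SERVICE_SUFFIX)


# Hypothetical tuning values derived from the scenarios above; each is an
# assumption and must be replaced with the organisation's own inventory.
ADMIN_WORKSTATION_IPS = {"10.0.5.20"}            # scenario: remote administration
TRUSTED_TOOL_DIRS = (                            # scenarios: third-party / patching tool
    "c:\\mdt\\",
    "c:\\program files\\microsoft endpoint configuration manager\\",
)
PATCHING_SERVICE_ACCOUNTS = {"corp\\svc-mecm"}   # scenario: patching tool account


def exclusion_reason(event: FileEvent) -> Optional[str]:
    """Return why an otherwise matching event is allowlisted, or None."""
    image = event.creating_image.casefold()
    if any(image.startswith(d) for d in TRUSTED_TOOL_DIRS):
        return "trusted deployment/patching tool directory"
    if event.user.casefold() in PATCHING_SERVICE_ACCOUNTS:
        return "known patching service account"
    if event.src_ip in ADMIN_WORKSTATION_IPS:
        return "known admin workstation"
    return None


def triage(events: List[FileEvent]) -> List[Tuple[FileEvent, str]]:
    """Pair each event with 'alert', 'excluded: <reason>' or 'no match'."""
    results = []
    for ev in events:
        if not matches_rule(ev):
            results.append((ev, "no match"))
        else:
            reason = exclusion_reason(ev)
            results.append((ev, "alert" if reason is None else f"excluded: {reason}"))
    return results


# Constructed sample events (not real telemetry). PsExec writes the service
# binary over the ADMIN$ share, so the creating image is assumed to be System.
SAMPLE_EVENTS = [
    FileEvent("C:\\Windows\\PSEXESVC.exe", "System", "192.0.2.77", "CORP\\jdoe"),
    FileEvent("C:\\Windows\\psexesvc.EXE", "System", "10.0.5.20", "CORP\\admin1"),
    FileEvent("C:\\Windows\\PSEXESVC.exe", "C:\\MDT\\Tools\\psexec.exe", "", "CORP\\svc-mdt"),
    FileEvent("C:\\Windows\\PSEXESVC.exe", "System", "", "CORP\\svc-mecm"),
    FileEvent("C:\\Temp\\notes.txt", "C:\\Windows\\notepad.exe", "", "CORP\\jdoe"),
]


def alerts(events: List[FileEvent] = SAMPLE_EVENTS) -> List[FileEvent]:
    """Events that match the rule and survive every exclusion."""
    return [ev for ev, verdict in triage(events) if verdict == "alert"]


if __name__ == "__main__":
    for ev, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:48} {ev.target_filename} user={ev.user} src={ev.src_ip or 'local'}")
```

Two points worth keeping in mind when tuning this way. The exclusions are checked in a fixed order, so the first matching reason is the one recorded; that order is a policy choice, not something the rule dictates. And because the rule keys only on the default service filename, a copy of PsExec run with a renamed service (PsExec's -r option) never produces a match, so this rule is a cheap, low-level signal to combine with service-installation and named-pipe telemetry rather than a complete detection of PsExec use.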