PsExec.exe

File Path: C:\SysinternalsSuite\PsExec.exe
Description: Execute processes remotely

Hashes

Type	Hash
MD5	`27304B246C7D5B4E149124D5F93C5B01`
SHA1	`E50D9E3BD91908E13A26B3E23EDEAF577FB3A095`
SHA256	`3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF`
SHA384	`ED52290FC2695D9781FC2F56D0EEA2F11995468F67C1CD07ED275AB56F074F69A3D647FF74FBA887CFBB2033E179839E`
SHA512	`BEC172A2F92A95796199CFC83F544A78685B52A94061CE0FFB46B265070EE0BCC018C4F548F56018BF3FF1E74952811B2AFB6DF79AB8D09F1EC73C9477AF636B`
SSDEEP	`3072:Yao79VuJ6titIi/H7ZUFgllxiBD+P5xWr3geNtdS+DlGttzhA9HY4ZUFxPkwlmlP:YaSq4TBWISSTgu7DlGtEC1xn/O5r4S`
IMP	`C1E59519B5E5D84AF07AFA6F5A8625F1`
PESHA1	`B477BCA07BC32E8863119973BC91F6A55F10405F`
PE256	`0C4FC597FA407059C94B3534F49BC090A11CCB4E4E6D969AF267E14D69359F71`

Runtime Data

Usage (stdout):

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

PsExec executes a program on a remote system, where remotely executed console
applications execute interactively.

Usage: psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]
     -a         Separate processors on which the application can run with
                commas where 1 is the lowest numbered CPU. For example,
                to run the application on CPU 2 and CPU 4, enter:
                "-a 2,4"
     -c         Copy the specified program to the remote system for
                execution. If you omit this option the application
                must be in the system path on the remote system.
     -d         Don't wait for process to terminate (non-interactive).
     -e         Does not load the specified account's profile.
     -f         Copy the specified program even if the file already
                exists on the remote system.
     -i         Run the program so that it interacts with the desktop of the
                specified session on the remote system. If no session is
                specified the process runs in the console session.
     -h         If the target system is Vista or higher, has the process
                run with the account's elevated token, if available.
     -l         Run process as limited user (strips the Administrators group
                and allows only privileges assigned to the Users group).
                On Windows Vista the process runs with Low Integrity.
     -n         Specifies timeout in seconds connecting to remote computers.
     -p         Specifies optional password for user name. If you omit this
                you will be prompted to enter a hidden password.
     -r         Specifies the name of the remote service to create or interact.
                with.
     -s         Run the remote process in the System account.
     -u         Specifies optional user name for login to remote
                computer.
     -v         Copy the specified file only if it has a higher version number
                or is newer on than the one on the remote system.
     -w         Set the working directory of the process (relative to
                remote computer).
     -x         Display the UI on the Winlogon secure desktop (local system
                only).
     -arm       Specifies the remote computer is of ARM architecture.
     -priority	Specifies -low, -belownormal, -abovenormal, -high or
                -realtime to run the process at a different priority. Use
                -background to run at low memory and I/O priority on Vista.
     computer   Direct PsExec to run the application on the remote
                computer or computers specified. If you omit the computer
                name PsExec runs the application on the local system, 
                and if you specify a wildcard (\\*), PsExec runs the
                command on all computers in the current domain.
     @file      PsExec will execute the command on each of the computers listed
                in the file.
     cmd	    Name of application to execute.
     arguments  Arguments to pass (note that file paths must be
                absolute paths on the target system).
     -accepteula This flag suppresses the display of the license dialog.
     -nobanner   Do not display the startup banner and copyright message.

You can enclose applications that have spaces in their name with
quotation marks e.g. psexec \\marklap "c:\long name app.exe".
Input is only passed to the remote system when you press the enter
key, and typing Ctrl-C terminates the remote process.

If you omit a user name the process will run in the context of your
account on the remote system, but will not have access to network
resources (because it is impersonating). Specify a valid user name
in the Domain\User syntax if the remote process requires access
to network resources or to run in a different account. Note that
the password and command is encrypted in transit to the remote system.

Error codes returned by PsExec are specific to the applications you
execute, not PsExec.

Usage (stderr):

Access is denied.

PsExec could not start C:\temp\strontic-xcyclopedia\notepad.exe:

Loaded Modules:

Path
C:\SysinternalsSuite\PsExec.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

Status: Signature verified.
Serial: 330000010A2C79AED7797BA6AC00010000010A
Thumbprint: 3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC
Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: psexec.c
Product Name: Sysinternals PsExec
Company Name: Sysinternals - www.sysinternals.com
File Version: 2.2
Product Version: 2.2
Language: English (United States)
Machine Type: 32-bit

File Scan

VirusTotal Detections: 0/71
VirusTotal Link: https://www.virustotal.com/gui/file/3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef/detection/

Possible Misuse

The following table contains possible examples of PsExec.exe being misused. While PsExec.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	zeek_smb_converted_win_susp_psexec.yml	`title: Suspicious PsExec Execution - Zeek`	DRL 1.0
sigma	zeek_smb_converted_win_susp_psexec.yml	`description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one`	DRL 1.0
sigma	win_hack_smbexec.yml	`- https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/`	DRL 1.0
sigma	win_impacket_psexec.yml	`title: Impacket PsExec Execution`	DRL 1.0
sigma	win_impacket_psexec.yml	`description: Detects execution of Impacket's psexec.py.`	DRL 1.0
sigma	win_impacket_psexec.yml	`- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html`	DRL 1.0
sigma	win_susp_psexec.yml	`title: Suspicious PsExec Execution`	DRL 1.0
sigma	win_susp_psexec.yml	`description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one`	DRL 1.0
sigma	win_susp_psexec.yml	`- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html`	DRL 1.0
sigma	sysmon_powershell_exploit_scripts.yml	`- '*\Invoke-PsExec.ps1'`	DRL 1.0
sigma	win_defender_psexec_wmi_asr.yml	`title: PSExec and WMI Process Creations Block`	DRL 1.0
sigma	win_defender_psexec_wmi_asr.yml	`description: Detects blocking of process creations originating from PSExec and WMI commands`	DRL 1.0
sigma	win_defender_psexec_wmi_asr.yml	`- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands`	DRL 1.0
sigma	win_defender_psexec_wmi_asr.yml	`definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'`	DRL 1.0
sigma	win_tool_psexec.yml	`title: PsExec Tool Execution`	DRL 1.0
sigma	win_tool_psexec.yml	`description: Detects PsExec service installation and execution events (service and Sysmon)`	DRL 1.0
sigma	powershell_malicious_commandlets.yml	`- "Invoke-PsExec"`	DRL 1.0
sigma	win_multiple_suspicious_cli.yml	`- psexec.exe`	DRL 1.0
sigma	win_psexesvc_start.yml	`title: PsExec Service Start`	DRL 1.0
sigma	win_psexesvc_start.yml	`description: Detects a PsExec service start`	DRL 1.0
sigma	win_renamed_binary.yml	`- 'psexec.exe'`	DRL 1.0
sigma	win_renamed_binary.yml	`- 'psexec.c' # old versions of psexec (2016 seen)`	DRL 1.0
sigma	win_renamed_binary.yml	`- '\psexec.exe'`	DRL 1.0
sigma	win_renamed_binary_highly_relevant.yml	`- "psexec.exe"`	DRL 1.0
sigma	win_renamed_binary_highly_relevant.yml	`- "psexec.c" # old versions of psexec (2016 seen)`	DRL 1.0
sigma	win_renamed_binary_highly_relevant.yml	`- '*\psexec.exe'`	DRL 1.0
sigma	win_renamed_psexec.yml	`title: Renamed PsExec`	DRL 1.0
sigma	win_renamed_psexec.yml	`description: Detects the execution of a renamed PsExec often used by attackers or malware`	DRL 1.0
sigma	win_renamed_psexec.yml	`Product: 'Sysinternals PsExec'`	DRL 1.0
sigma	win_renamed_psexec.yml	`- '*\PsExec.exe'`	DRL 1.0
sigma	win_renamed_psexec.yml	`- Software that illegaly integrates PsExec in a renamed form`	DRL 1.0
sigma	win_renamed_psexec.yml	`- Administrators that have renamed PsExec and no one knows why`	DRL 1.0
sigma	win_rundll32_without_parameters.yml	`description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module`	DRL 1.0
sigma	win_rundll32_without_parameters.yml	`- https://bczyz1.github.io/2021/01/30/psexec.html`	DRL 1.0
sigma	win_susp_psexec_eula.yml	`title: Psexec Accepteula Condition`	DRL 1.0
sigma	win_susp_psexec_eula.yml	`description: Detect ed user accept agreement execution in psexec commandline`	DRL 1.0
sigma	win_susp_psexec_eula.yml	`Image\\|endswith: '\psexec.exe'`	DRL 1.0
malware-ioc	misp_invisimole.json	`"http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass",`	© ESET 2014-2018
malware-ioc	oceanlotus-rtf_ocx_campaigns.misp.event.json	"description": "Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.\n\nDetection: Changes to service Registry entries and command-line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool PsExec.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, Process command-line parameters, Process monitoring\n\nPermissions Required: Administrator, SYSTEM\n\nRemote Support: Yes",	© ESET 2014-2018
atomic-red-team	index.md	- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #3: Copy and Execute File with PsExec [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #3: Copy and Execute File with PsExec [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1003.004.md	\| psexec_exe \| Path to PsExec executable \| Path \| PathToAtomicsFolder\T1003.004\bin\PsExec.exe\|	MIT License. © 2018 Red Canary
atomic-red-team	T1003.004.md	##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})	MIT License. © 2018 Red Canary
atomic-red-team	T1003.004.md	Copy-Item $env:TEMP\PSTools\PsExec.exe #{psexec_exe} -Force	MIT License. © 2018 Red Canary
atomic-red-team	T1021.002.md	- Atomic Test #3 - Copy and Execute File with PsExec	MIT License. © 2018 Red Canary
atomic-red-team	T1021.002.md	## Atomic Test #3 - Copy and Execute File with PsExec	MIT License. © 2018 Red Canary
atomic-red-team	T1021.002.md	Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from https://docs.microsoft.com/en-us/sysinternals/downloads/psexec.	MIT License. © 2018 Red Canary
atomic-red-team	T1021.002.md	psexec.exe #{remote_host} -accepteula -c #{command_path}	MIT License. © 2018 Red Canary
atomic-red-team	T1055.md	Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).	MIT License. © 2018 Red Canary
atomic-red-team	T1055.md	\| machine \| machine to target (via psexec) \| string \| DC1\|	MIT License. © 2018 Red Canary
atomic-red-team	T1055.md	\| psexec_path \| Path to PsExec \| string \| C:\PSTools\PsExec.exe\|	MIT License. © 2018 Red Canary
atomic-red-team	T1055.md	##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path})	MIT License. © 2018 Red Canary
atomic-red-team	T1055.md	Copy-Item $env:TEMP\PsTools\PsExec.exe “#{psexec_path}” -Force	MIT License. © 2018 Red Canary
atomic-red-team	T1207.md	Need SYSTEM privileges locally (automatically obtained via PsExec, so running as admin is sufficient), and Domain Admin remotely.	MIT License. © 2018 Red Canary
atomic-red-team	T1207.md	\| psexec_path \| Path to PsExec \| string \| C:\PSTools\PsExec.exe\|	MIT License. © 2018 Red Canary
atomic-red-team	T1207.md	##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path})	MIT License. © 2018 Red Canary
atomic-red-team	T1207.md	Copy-Item $env:TEMP\PsTools\PsExec.exe “#{psexec_path}” -Force	MIT License. © 2018 Red Canary
atomic-red-team	T1569.002.md	PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)	MIT License. © 2018 Red Canary
atomic-red-team	T1569.002.md	- Atomic Test #2 - Use PsExec to execute a command on a remote host	MIT License. © 2018 Red Canary
atomic-red-team	T1569.002.md	## Atomic Test #2 - Use PsExec to execute a command on a remote host	MIT License. © 2018 Red Canary
atomic-red-team	T1569.002.md	Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost).	MIT License. © 2018 Red Canary
atomic-red-team	T1569.002.md	\| psexec_exe \| Path to PsExec \| string \| C:\PSTools\PsExec.exe\|	MIT License. © 2018 Red Canary
atomic-red-team	T1569.002.md	##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})	MIT License. © 2018 Red Canary
atomic-red-team	T1569.002.md	Copy-Item $env:TEMP\PsTools\PsExec.exe “#{psexec_exe}” -Force	MIT License. © 2018 Red Canary
signature-base	gen_empire.yar	description = “Detects Empire component - file Invoke-PsExec.ps1”	CC BY-NC 4.0
signature-base	gen_mimikatz.yar	$x14 = “Clear screen (doesn’t work with redirections, like PsExec)” fullword wide	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	description = “Looks like a cloaked PsExec. May be APT group activity.”	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	$s1 = “Sysinternals PsExec” wide fullword	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	and not filename matches /(psexec.exe\|PSEXESVC.EXE\|PsExec64.exe)$/is	CC BY-NC 4.0
stockpile	620b674a-7655-436c-b645-bc3e8ea51abd.yml	`description: Copy Sandcat file using PsExec on CMD`	Apache-2.0
stockpile	620b674a-7655-436c-b645-bc3e8ea51abd.yml	`name: Copy Sandcat File using PsExec on CMD`	Apache-2.0
stockpile	620b674a-7655-436c-b645-bc3e8ea51abd.yml	`\\#{remote.host.name}\Users\Public & #{psexec.path} -accepteula \\#{remote.host.name}`	Apache-2.0