PsExec.exe

  • File Path: C:\SysinternalsSuite\PsExec.exe
  • Description: Execute processes remotely

Hashes

Type Hash
MD5 27304B246C7D5B4E149124D5F93C5B01
SHA1 E50D9E3BD91908E13A26B3E23EDEAF577FB3A095
SHA256 3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF
SHA384 ED52290FC2695D9781FC2F56D0EEA2F11995468F67C1CD07ED275AB56F074F69A3D647FF74FBA887CFBB2033E179839E
SHA512 BEC172A2F92A95796199CFC83F544A78685B52A94061CE0FFB46B265070EE0BCC018C4F548F56018BF3FF1E74952811B2AFB6DF79AB8D09F1EC73C9477AF636B
SSDEEP 3072:Yao79VuJ6titIi/H7ZUFgllxiBD+P5xWr3geNtdS+DlGttzhA9HY4ZUFxPkwlmlP:YaSq4TBWISSTgu7DlGtEC1xn/O5r4S
IMP C1E59519B5E5D84AF07AFA6F5A8625F1
PESHA1 B477BCA07BC32E8863119973BC91F6A55F10405F
PE256 0C4FC597FA407059C94B3534F49BC090A11CCB4E4E6D969AF267E14D69359F71

Runtime Data

Usage (stdout):


PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

PsExec executes a program on a remote system, where remotely executed console
applications execute interactively.

Usage: psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]
     -a         Separate processors on which the application can run with
                commas where 1 is the lowest numbered CPU. For example,
                to run the application on CPU 2 and CPU 4, enter:
                "-a 2,4"
     -c         Copy the specified program to the remote system for
                execution. If you omit this option the application
                must be in the system path on the remote system.
     -d         Don't wait for process to terminate (non-interactive).
     -e         Does not load the specified account's profile.
     -f         Copy the specified program even if the file already
                exists on the remote system.
     -i         Run the program so that it interacts with the desktop of the
                specified session on the remote system. If no session is
                specified the process runs in the console session.
     -h         If the target system is Vista or higher, has the process
                run with the account's elevated token, if available.
     -l         Run process as limited user (strips the Administrators group
                and allows only privileges assigned to the Users group).
                On Windows Vista the process runs with Low Integrity.
     -n         Specifies timeout in seconds connecting to remote computers.
     -p         Specifies optional password for user name. If you omit this
                you will be prompted to enter a hidden password.
     -r         Specifies the name of the remote service to create or interact.
                with.
     -s         Run the remote process in the System account.
     -u         Specifies optional user name for login to remote
                computer.
     -v         Copy the specified file only if it has a higher version number
                or is newer on than the one on the remote system.
     -w         Set the working directory of the process (relative to
                remote computer).
     -x         Display the UI on the Winlogon secure desktop (local system
                only).
     -arm       Specifies the remote computer is of ARM architecture.
     -priority	Specifies -low, -belownormal, -abovenormal, -high or
                -realtime to run the process at a different priority. Use
                -background to run at low memory and I/O priority on Vista.
     computer   Direct PsExec to run the application on the remote
                computer or computers specified. If you omit the computer
                name PsExec runs the application on the local system, 
                and if you specify a wildcard (\\*), PsExec runs the
                command on all computers in the current domain.
     @file      PsExec will execute the command on each of the computers listed
                in the file.
     cmd	    Name of application to execute.
     arguments  Arguments to pass (note that file paths must be
                absolute paths on the target system).
     -accepteula This flag suppresses the display of the license dialog.
     -nobanner   Do not display the startup banner and copyright message.

You can enclose applications that have spaces in their name with
quotation marks e.g. psexec \\marklap "c:\long name app.exe".
Input is only passed to the remote system when you press the enter
key, and typing Ctrl-C terminates the remote process.

If you omit a user name the process will run in the context of your
account on the remote system, but will not have access to network
resources (because it is impersonating). Specify a valid user name
in the Domain\User syntax if the remote process requires access
to network resources or to run in a different account. Note that
the password and command is encrypted in transit to the remote system.

Error codes returned by PsExec are specific to the applications you
execute, not PsExec.


Usage (stderr):

Access is denied.

PsExec could not start C:\temp\strontic-xcyclopedia\notepad.exe:

Loaded Modules:

Path
C:\SysinternalsSuite\PsExec.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 330000010A2C79AED7797BA6AC00010000010A
  • Thumbprint: 3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC
  • Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: psexec.c
  • Product Name: Sysinternals PsExec
  • Company Name: Sysinternals - www.sysinternals.com
  • File Version: 2.2
  • Product Version: 2.2
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 2001-2016 Mark Russinovich
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef/detection/

Possible Misuse

The following table contains possible examples of PsExec.exe being misused. While PsExec.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma zeek_smb_converted_win_susp_psexec.yml title: Suspicious PsExec Execution - Zeek DRL 1.0
sigma zeek_smb_converted_win_susp_psexec.yml description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one DRL 1.0
sigma win_impacket_psexec.yml title: Impacket PsExec Execution DRL 1.0
sigma win_impacket_psexec.yml description: Detects execution of Impacket's psexec.py. DRL 1.0
sigma win_impacket_psexec.yml - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html DRL 1.0
sigma win_security_metasploit_or_impacket_smb_psexec_service_install.yml title: Metasploit Or Impacket Service Installation Via SMB PsExec DRL 1.0
sigma win_security_metasploit_or_impacket_smb_psexec_service_install.yml description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation DRL 1.0
sigma win_security_metasploit_or_impacket_smb_psexec_service_install.yml - https://bczyz1.github.io/2021/01/30/psexec.html DRL 1.0
sigma win_susp_psexec.yml title: Suspicious PsExec Execution DRL 1.0
sigma win_susp_psexec.yml description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one DRL 1.0
sigma win_susp_psexec.yml - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html DRL 1.0
sigma win_hack_smbexec.yml - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/ DRL 1.0
sigma win_tool_psexec.yml title: PsExec Tool Execution DRL 1.0
sigma win_tool_psexec.yml description: Detects PsExec service installation and execution events (service and Sysmon) DRL 1.0
sigma win_defender_psexec_wmi_asr.yml title: PSExec and WMI Process Creations Block DRL 1.0
sigma win_defender_psexec_wmi_asr.yml description: Detects blocking of process creations originating from PSExec and WMI commands DRL 1.0
sigma win_defender_psexec_wmi_asr.yml - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands DRL 1.0
sigma win_defender_psexec_wmi_asr.yml definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)' DRL 1.0
sigma file_event_win_powershell_exploit_scripts.yml - '\Invoke-PsExec.ps1' DRL 1.0
sigma file_event_win_tool_psexec.yml title: PsExec Tool Execution DRL 1.0
sigma file_event_win_tool_psexec.yml description: Detects PsExec service installation and execution events (service and Sysmon) DRL 1.0
sigma pipe_created_psexec_pipes_artifacts.yml title: PsExec Pipes Artifacts DRL 1.0
sigma pipe_created_psexec_pipes_artifacts.yml description: Detecting use PsExec via Pipe Creation/Access to pipes DRL 1.0
sigma pipe_created_psexec_pipes_artifacts.yml - 'psexec' DRL 1.0
sigma pipe_created_tool_psexec.yml title: PsExec Tool Execution DRL 1.0
sigma pipe_created_tool_psexec.yml description: Detects PsExec service installation and execution events (service and Sysmon) DRL 1.0
sigma posh_ps_malicious_commandlets.yml - 'Invoke-PsExec' DRL 1.0
sigma proc_creation_win_false_sysinternalsuite.yml - '\psExec.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - psexec.exe DRL 1.0
sigma proc_creation_win_psexesvc_start.yml title: PsExec Service Start DRL 1.0
sigma proc_creation_win_psexesvc_start.yml description: Detects a PsExec service start DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'psexec.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'psexec.c' # old versions of psexec (2016 seen) DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\psexec.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'psexec.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'psexec.c' # old versions of psexec (2016 seen) DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\psexec.exe' DRL 1.0
sigma proc_creation_win_renamed_psexec.yml title: Renamed PsExec DRL 1.0
sigma proc_creation_win_renamed_psexec.yml description: Detects the execution of a renamed PsExec often used by attackers or malware DRL 1.0
sigma proc_creation_win_renamed_psexec.yml Product: 'Sysinternals PsExec' DRL 1.0
sigma proc_creation_win_renamed_psexec.yml - '\PsExec.exe' DRL 1.0
sigma proc_creation_win_renamed_psexec.yml - Software that illegaly integrates PsExec in a renamed form DRL 1.0
sigma proc_creation_win_renamed_psexec.yml - Administrators that have renamed PsExec and no one knows why DRL 1.0
sigma proc_creation_win_rundll32_without_parameters.yml description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module DRL 1.0
sigma proc_creation_win_rundll32_without_parameters.yml - https://bczyz1.github.io/2021/01/30/psexec.html DRL 1.0
sigma proc_creation_win_susp_psexec_eula.yml title: Psexec Accepteula Condition DRL 1.0
sigma proc_creation_win_susp_psexec_eula.yml description: Detect ed user accept agreement execution in psexec commandline DRL 1.0
sigma proc_creation_win_susp_psexec_eula.yml Image|endswith: '\psexec.exe' DRL 1.0
sigma proc_creation_win_susp_psexex_paexec_escalate_system.yml title: PsExec/PAExec Escalation to LOCAL SYSTEM DRL 1.0
sigma proc_creation_win_susp_psexex_paexec_escalate_system.yml description: Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights DRL 1.0
sigma proc_creation_win_susp_psexex_paexec_escalate_system.yml - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec DRL 1.0
sigma proc_creation_win_susp_psexex_paexec_escalate_system.yml - 'PsExec' DRL 1.0
sigma proc_creation_win_susp_psexex_paexec_escalate_system.yml - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare) DRL 1.0
sigma proc_creation_win_susp_psexex_paexec_flags.yml title: PsExec/PAExec Flags DRL 1.0
sigma proc_creation_win_susp_psexex_paexec_flags.yml description: Detects suspicious flags used by PsExec and PAExec but no usual program name in command line DRL 1.0
sigma proc_creation_win_susp_psexex_paexec_flags.yml - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec DRL 1.0
sigma proc_creation_win_susp_psexex_paexec_flags.yml - 'PsExec' DRL 1.0
sigma proc_creation_win_susp_psexex_paexec_flags.yml - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing DRL 1.0
sigma proc_creation_win_tool_psexec.yml title: PsExec Tool Execution DRL 1.0
sigma proc_creation_win_tool_psexec.yml description: Detects PsExec service installation and execution events (service and Sysmon) DRL 1.0
sigma win_metasploit_or_impacket_smb_psexec_service_install.yml title: Metasploit Or Impacket Service Installation Via SMB PsExec DRL 1.0
sigma win_metasploit_or_impacket_smb_psexec_service_install.yml description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation DRL 1.0
sigma win_metasploit_or_impacket_smb_psexec_service_install.yml - https://bczyz1.github.io/2021/01/30/psexec.html DRL 1.0
malware-ioc misp-badiis.json "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.", © ESET 2014-2018
malware-ioc misp_invisimole.json "http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.\n\nDetection: Changes to service Registry entries and command-line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool PsExec.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, Process command-line parameters, Process monitoring\n\nPermissions Required: Administrator, SYSTEM\n\nRemote Support: Yes", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #2: Use PsExec to execute a command on a remote host [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Copy and Execute File with PsExec [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Use PsExec to execute a command on a remote host [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Copy and Execute File with PsExec [windows] MIT License. © 2018 Red Canary
atomic-red-team T1003.004.md | psexec_exe | Path to PsExec executable | Path | PathToAtomicsFolder\T1003.004\bin\PsExec.exe| MIT License. © 2018 Red Canary
atomic-red-team T1003.004.md ##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe}) MIT License. © 2018 Red Canary
atomic-red-team T1003.004.md Copy-Item $env:TEMP\PSTools\PsExec.exe #{psexec_exe} -Force MIT License. © 2018 Red Canary
atomic-red-team T1021.002.md - Atomic Test #3 - Copy and Execute File with PsExec MIT License. © 2018 Red Canary
atomic-red-team T1021.002.md ## Atomic Test #3 - Copy and Execute File with PsExec MIT License. © 2018 Red Canary
atomic-red-team T1021.002.md Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from https://docs.microsoft.com/en-us/sysinternals/downloads/psexec. MIT License. © 2018 Red Canary
atomic-red-team T1021.002.md | psexec_exe | Path to PsExec | string | C:\PSTools\PsExec.exe| MIT License. © 2018 Red Canary
atomic-red-team T1021.002.md ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) MIT License. © 2018 Red Canary
atomic-red-team T1021.002.md Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force MIT License. © 2018 Red Canary
atomic-red-team T1055.md Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). MIT License. © 2018 Red Canary
atomic-red-team T1055.md | machine | machine to target (via psexec) | String | DC1| MIT License. © 2018 Red Canary
atomic-red-team T1055.md | psexec_path | Path to PsExec | String | C:\PSTools\PsExec.exe| MIT License. © 2018 Red Canary
atomic-red-team T1055.md ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) MIT License. © 2018 Red Canary
atomic-red-team T1055.md Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force MIT License. © 2018 Red Canary
atomic-red-team T1207.md Need SYSTEM privileges locally (automatically obtained via PsExec, so running as admin is sufficient), and Domain Admin remotely. MIT License. © 2018 Red Canary
atomic-red-team T1207.md | psexec_path | Path to PsExec | Path | C:\PSTools\PsExec.exe| MIT License. © 2018 Red Canary
atomic-red-team T1207.md ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) MIT License. © 2018 Red Canary
atomic-red-team T1207.md Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force MIT License. © 2018 Red Canary
atomic-red-team T1550.003.md PsExec is used to execute commands on the remote system, and the “C$” admin share is used to retrieve the TGT, so the current user must have admin rights remotely and other PsExec prerequisites must be met. MIT License. © 2018 Red Canary
atomic-red-team T1550.003.md | psexec_path | Path of the PsExec binary | String | C:\PSTools\PsExec.exe| MIT License. © 2018 Red Canary
atomic-red-team T1550.003.md ##### Description: PsExec must exist on disk at specified location (#{psexec_path}) MIT License. © 2018 Red Canary
atomic-red-team T1550.003.md Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md - Atomic Test #2 - Use PsExec to execute a command on a remote host MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md ## Atomic Test #2 - Use PsExec to execute a command on a remote host MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost). MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md | psexec_exe | Path to PsExec | String | C:\PSTools\PsExec.exe| MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force MIT License. © 2018 Red Canary
atomic-red-team T1588.002.md <blockquote>Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019) MIT License. © 2018 Red Canary
signature-base gen_empire.yar description = "Detects Empire component - file Invoke-PsExec.ps1" CC BY-NC 4.0
signature-base gen_mimikatz.yar $x14 = "Clear screen (doesn't work with redirections, like PsExec)" fullword wide CC BY-NC 4.0
signature-base thor-hacktools.yar description = "Detects remote access tool PAEXec (like PsExec) - file PAExec.exe" CC BY-NC 4.0
signature-base thor-hacktools.yar $x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = "Looks like a cloaked PsExec. May be APT group activity." CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s1 = "Sysinternals PsExec" wide fullword CC BY-NC 4.0
signature-base thor_inverse_matches.yar and not filename matches /(psexec.exe|PSEXESVC.EXE|PsExec64.exe)$/is CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = "Detects a renamed remote access tool PAEXec (like PsExec)" CC BY-NC 4.0
signature-base thor_inverse_matches.yar $x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii CC BY-NC 4.0
stockpile 620b674a-7655-436c-b645-bc3e8ea51abd.yml description: Copy Sandcat file using PsExec on CMD Apache-2.0
stockpile 620b674a-7655-436c-b645-bc3e8ea51abd.yml name: Copy Sandcat File using PsExec on CMD Apache-2.0
stockpile 620b674a-7655-436c-b645-bc3e8ea51abd.yml \\#{remote.host.name}\Users\Public & #{psexec.path} -accepteula \\#{remote.host.name} Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.