{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/psexec/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Server Update Services"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","wsus","psexec","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies potential abuse of Windows Server Update Services (WSUS) for lateral movement by executing PsExec. WSUS is designed to manage updates for Microsoft products, ensuring only signed binaries are executed. Attackers can exploit this by using WSUS to distribute and execute Microsoft-signed tools like PsExec, which can then be used to move laterally within the network. This technique leverages the trust relationship inherent in WSUS to bypass security controls. The rule focuses on detecting suspicious processes initiated by \u003ccode\u003ewuauclt.exe\u003c/code\u003e (the Windows Update client) executing PsExec from the SoftwareDistribution Download Install directories. 
Defenders should monitor WSUS activity and PsExec executions to detect and respond to this potential threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a system within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the WSUS server or performs a man-in-the-middle attack to spoof WSUS.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised WSUS server to approve a malicious update containing PsExec.\u003c/li\u003e\n\u003cli\u003eThe WSUS client (\u003ccode\u003ewuauclt.exe\u003c/code\u003e) on targeted machines downloads the \u0026ldquo;approved\u0026rdquo; update from the WSUS server, placing PsExec in the \u003ccode\u003eC:\\Windows\\SoftwareDistribution\\Download\\Install\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe WSUS client executes PsExec.\u003c/li\u003e\n\u003cli\u003ePsExec is used to execute commands or transfer files to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised systems to gather credentials or move laterally to other high-value targets.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve lateral movement within the network, leading to the compromise of additional systems and sensitive data. This can result in data breaches, financial loss, and reputational damage. 
The scope of impact depends on the level of access achieved by the attacker and the value of the compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWSUS PsExec Execution\u003c/code\u003e to detect potential WSUS abuse involving PsExec execution.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to gain visibility into process executions, as referenced in the \u003ca href=\"https://ela.st/sysmon-event-1-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for WSUS activities to detect unauthorized changes or updates.\u003c/li\u003e\n\u003cli\u003eInvestigate and remove any unauthorized binaries found in the \u003ccode\u003eC:\\Windows\\SoftwareDistribution\\Download\\Install\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eReview and restrict the accounts authorized to manage WSUS to prevent unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-wsus-psexec/","summary":"Adversaries may exploit Windows Server Update Services (WSUS) to execute PsExec for lateral movement within a network by abusing the trusted update mechanism to run signed binaries.","title":"Potential WSUS Abuse for Lateral Movement via PsExec","url":"https://feed.craftedsignal.io/briefs/2024-07-wsus-psexec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["psexec","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies the execution of PsExec, a dual-use tool commonly employed for both legitimate administration and malicious lateral movement. 
PsExec, part of the Sysinternals Suite, allows for remote command execution with elevated privileges, often abused by attackers to disable security controls and move laterally within a network. This rule specifically detects the creation of \u003ccode\u003ePsExec.exe\u003c/code\u003e followed by a network connection initiated by the process, which is a strong indicator of potential malicious activity. While PsExec has legitimate uses, its prevalence in attack scenarios necessitates careful monitoring. The rule is designed to work with data from Elastic Defend, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or transfers the PsExec tool (\u003ccode\u003ePsExec.exe\u003c/code\u003e) to the compromised host, potentially using SMB shares or other file transfer methods.\u003c/li\u003e\n\u003cli\u003eThe attacker executes PsExec with the \u003ccode\u003e-accepteula\u003c/code\u003e flag, which suppresses the license dialog, potentially indicating a first-time execution on the machine.\u003c/li\u003e\n\u003cli\u003ePsExec establishes a network connection to a remote target system, leveraging SMB/Windows Admin Shares (T1021.002) to facilitate remote command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PsExec to execute commands on the remote system, potentially with SYSTEM privileges, to install malware, gather credentials, or perform reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly compromised system as a pivot point to move laterally to other systems within the network, repeating the process.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges on multiple systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data 
exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to widespread compromise across the network. Attackers can leverage PsExec to gain control over critical systems, disable security controls, and exfiltrate sensitive data. Lateral movement facilitated by PsExec can enable attackers to rapidly expand their footprint within an organization, impacting numerous systems and services. While the rule\u0026rsquo;s severity is low due to the dual-use nature of PsExec, the potential impact of unchecked lateral movement is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePsExec Network Connection\u003c/code\u003e to your SIEM and tune the \u003ccode\u003eprocess.executable\u003c/code\u003e and \u003ccode\u003eprocess.parent.executable\u003c/code\u003e filters for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging for enhanced visibility into PsExec activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to limit the accounts that can run PsExec and access sensitive systems.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003ePsExec Network Connection\u003c/code\u003e rule promptly to determine if the activity is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from systems where PsExec is executed using the \u003ccode\u003ePsExec Outbound Network Connection\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-psexec-lateral-movement/","summary":"The rule identifies the use of PsExec.exe making a network connection, 
indicative of potential lateral movement by adversaries executing commands with SYSTEM privileges on Windows systems to disable defenses.","title":"PsExec Lateral Movement via Network Connection","url":"https://feed.craftedsignal.io/briefs/2024-01-psexec-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["psexec","lateral-movement","execution","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003ePsExec is a legitimate remote administration tool developed by Microsoft as part of the Sysinternals Suite, enabling the execution of commands with both regular and SYSTEM privileges on Windows systems. It functions by executing a service component, \u003ccode\u003epsexesvc.exe\u003c/code\u003e, on a remote system, which then runs a specified process and returns the results to the local system. While commonly used by administrators, adversaries frequently abuse PsExec for lateral movement and to execute commands as SYSTEM, effectively disabling defenses and bypassing security protections. This detection identifies instances where the PsExec service component is executed using a custom name, a tactic employed to evade security controls or detections targeting the default PsExec service component name. 
The rule was last updated on 2026-05-04 and covers Elastic Defend, Windows, M365 Defender, and Crowdstrike data sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network (e.g., via phishing or exploiting a public-facing application).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a renamed version of \u003ccode\u003epsexesvc.exe\u003c/code\u003e to a compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool like the standard \u003ccode\u003ePsExec.exe\u003c/code\u003e to initiate a remote connection to a target system.\u003c/li\u003e\n\u003cli\u003ePsExec attempts to copy the renamed \u003ccode\u003epsexesvc.exe\u003c/code\u003e to the ADMIN$ share on the target system.\u003c/li\u003e\n\u003cli\u003eThe renamed \u003ccode\u003epsexesvc.exe\u003c/code\u003e is executed as a service on the remote host.\u003c/li\u003e\n\u003cli\u003eThe renamed service executes commands specified by the attacker with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe results of the commands are returned to the originating system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the command execution for lateral movement, data exfiltration, or further compromise of the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to complete compromise of the target system and potentially the entire network. By executing commands with SYSTEM privileges, attackers can disable security controls, install malware, steal sensitive data, or move laterally to other critical systems. 
The use of a renamed PsExec executable demonstrates an attempt to evade detection, increasing the likelihood of a successful breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Process Execution via Renamed PsExec Executable\u0026rdquo; to your SIEM and tune for your environment to detect the execution of renamed \u003ccode\u003epsexesvc.exe\u003c/code\u003e executables.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the necessary process execution details for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule promptly, focusing on the commands executed and the target systems involved.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to minimize the potential impact of compromised accounts.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for SMB connections originating from unusual or untrusted systems, which could indicate PsExec usage.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-renamed-psexec/","summary":"Detects suspicious PsExec activity where the PsExec service component is executed using a custom name, indicating an attempt to evade detections that look for the default PsExec service component name.","title":"Suspicious Process Execution via Renamed PsExec Executable","url":"https://feed.craftedsignal.io/briefs/2024-01-renamed-psexec/"}],"language":"en","title":"CraftedSignal Threat Feed — Psexec","version":"https://jsonfeed.org/version/1.1"}