https://feed.craftedsignal.io/tags/psexec/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 14:17:05 +0000https://feed.craftedsignal.io/briefs/2024-07-wsus-psexec/Mon, 04 May 2026 14:17:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-07-wsus-psexec/Adversaries may exploit Windows Server Update Services (WSUS) to execute PsExec for lateral movement within a network by abusing the trusted update mechanism to run signed binaries.This detection identifies potential abuse of Windows Server Update Services (WSUS) for lateral movement by executing PsExec. WSUS is designed to manage updates for Microsoft products, ensuring only signed binaries are executed. Attackers can exploit this by using WSUS to distribute and execute Microsoft-signed tools like PsExec, which can then be used to move laterally within the network. This technique leverages the trust relationship inherent in WSUS to bypass security controls. The rule focuses on detecting suspicious processes initiated by wuauclt.exe (the Windows Update client) executing PsExec from the SoftwareDistribution Download Install directories. Defenders should monitor WSUS activity and PsExec executions to detect and respond to this potential threat.

Attack Chain

1. The attacker compromises a system within the target network.
2. The attacker gains control over the WSUS server or performs a man-in-the-middle attack to spoof WSUS.
3. The attacker uses the compromised WSUS server to approve a malicious update containing PsExec.
4. The WSUS client (wuauclt.exe) on targeted machines downloads the “approved” update from the WSUS server, placing PsExec in the C:\Windows\SoftwareDistribution\Download\Install\ directory.
5. The WSUS client executes PsExec.
6. PsExec is used to execute commands or transfer files to other systems on the network.
7. The attacker uses the compromised systems to gather credentials or move laterally to other high-value targets.
8. The attacker achieves their objective, such as data exfiltration or ransomware deployment.

Impact

Successful exploitation allows attackers to achieve lateral movement within the network, leading to the compromise of additional systems and sensitive data. This can result in data breaches, financial loss, and reputational damage. The scope of impact depends on the level of access achieved by the attacker and the value of the compromised systems.

Recommendation

• Deploy the Sigma rule WSUS PsExec Execution to detect potential WSUS abuse involving PsExec execution.
• Enable Sysmon process creation logging (Event ID 1) to gain visibility into process executions, as referenced in the setup instructions.
• Implement enhanced monitoring and logging for WSUS activities to detect unauthorized changes or updates.
• Investigate and remove any unauthorized binaries found in the C:\Windows\SoftwareDistribution\Download\Install\ directory.
• Review and restrict the accounts authorized to manage WSUS to prevent unauthorized modifications.

]]>mediumadvisorylateral-movementwsuspsexecwindowshttps://feed.craftedsignal.io/briefs/2024-01-psexec-lateral-movement/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-psexec-lateral-movement/The rule identifies the use of PsExec.exe making a network connection, indicative of potential lateral movement by adversaries executing commands with SYSTEM privileges on Windows systems to disable defenses.This detection identifies the execution of PsExec, a dual-use tool commonly employed for both legitimate administration and malicious lateral movement. PsExec, part of the Sysinternals Suite, allows for remote command execution with elevated privileges, often abused by attackers to disable security controls and move laterally within a network. This rule specifically detects the creation of PsExec.exe followed by a network connection initiated by the process, which is a strong indicator of potential malicious activity. While PsExec has legitimate uses, its prevalence in attack scenarios necessitates careful monitoring. The rule is designed to work with data from Elastic Defend, SentinelOne Cloud Funnel, and Sysmon.

Attack Chain

1. An attacker gains initial access to a system within the network (e.g., via phishing or exploiting a vulnerability).
2. The attacker uploads or transfers the PsExec tool (PsExec.exe) to the compromised host, potentially using SMB shares or other file transfer methods.
3. The attacker executes PsExec with the -accepteula flag, which suppresses the license dialog, potentially indicating a first-time execution on the machine.
4. PsExec establishes a network connection to a remote target system, leveraging SMB/Windows Admin Shares (T1021.002) to facilitate remote command execution.
5. The attacker uses PsExec to execute commands on the remote system, potentially with SYSTEM privileges, to install malware, gather credentials, or perform reconnaissance.
6. The attacker leverages the newly compromised system as a pivot point to move laterally to other systems within the network, repeating the process.
7. The attacker escalates privileges on multiple systems.
8. The attacker achieves their objective, such as data exfiltration or ransomware deployment.

Impact

Successful exploitation can lead to widespread compromise across the network. Attackers can leverage PsExec to gain control over critical systems, disable security controls, and exfiltrate sensitive data. Lateral movement facilitated by PsExec can enable attackers to rapidly expand their footprint within an organization, impacting numerous systems and services. While the rule’s severity is low due to the dual-use nature of PsExec, the potential impact of unchecked lateral movement is significant.

Recommendation

• Deploy the Sigma rule PsExec Network Connection to your SIEM and tune the process.executable and process.parent.executable filters for your environment to reduce false positives.
• Enable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging for enhanced visibility into PsExec activity.
• Review and enforce the principle of least privilege to limit the accounts that can run PsExec and access sensitive systems.
• Investigate any alerts generated by the PsExec Network Connection rule promptly to determine if the activity is legitimate or malicious.
• Monitor network connections originating from systems where PsExec is executed using the PsExec Outbound Network Connection Sigma rule.

]]>lowadvisorypsexeclateral-movementwindowshttps://feed.craftedsignal.io/briefs/2024-01-renamed-psexec/Wed, 03 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-renamed-psexec/Detects suspicious PsExec activity where the PsExec service component is executed using a custom name, indicating an attempt to evade detections that look for the default PsExec service component name.PsExec is a legitimate remote administration tool developed by Microsoft as part of the Sysinternals Suite, enabling the execution of commands with both regular and SYSTEM privileges on Windows systems. It functions by executing a service component, Psexecsvc.exe, on a remote system, which then runs a specified process and returns the results to the local system. While commonly used by administrators, adversaries frequently abuse PsExec for lateral movement and to execute commands as SYSTEM, effectively disabling defenses and bypassing security protections. This detection identifies instances where the PsExec service component is executed using a custom name, a tactic employed to evade security controls or detections targeting the default PsExec service component name. The rule was last updated on 2026-05-04 and covers Elastic Defend, Windows, M365 Defender, and Crowdstrike data sources.

Attack Chain

1. An attacker gains initial access to a system within the network (e.g., via phishing or exploiting a public-facing application).
2. The attacker uploads a renamed version of psexesvc.exe to a compromised host.
3. The attacker uses a tool like the standard PsExec.exe to initiate a remote connection to a target system.
4. PsExec attempts to copy the renamed psexesvc.exe to the ADMIN$ share on the target system.
5. The renamed psexesvc.exe is executed as a service on the remote host.
6. The renamed service executes commands specified by the attacker with SYSTEM privileges.
7. The results of the commands are returned to the originating system.
8. The attacker leverages the command execution for lateral movement, data exfiltration, or further compromise of the environment.

Impact

A successful attack can lead to complete compromise of the target system and potentially the entire network. By executing commands with SYSTEM privileges, attackers can disable security controls, install malware, steal sensitive data, or move laterally to other critical systems. The use of a renamed PsExec executable demonstrates an attempt to evade detection, increasing the likelihood of a successful breach.

Recommendation

• Deploy the Sigma rule “Suspicious Process Execution via Renamed PsExec Executable” to your SIEM and tune for your environment to detect the execution of renamed psexesvc.exe executables.
• Enable Sysmon process creation logging (Event ID 1) to capture the necessary process execution details for the Sigma rule.
• Investigate any alerts generated by this rule promptly, focusing on the commands executed and the target systems involved.
• Review and enforce the principle of least privilege to minimize the potential impact of compromised accounts.
• Monitor network traffic for SMB connections originating from unusual or untrusted systems, which could indicate PsExec usage.

]]>mediumadvisorypsexeclateral-movementexecutiondefense-evasionwindows