PsExec
Malware
⚠️ Overview
PsExec is a legitimate Microsoft Sysinternals command-line utility, first released in 2004 by Mark Russinovich, that enables remote process execution using SMB and Windows service control. While not inherently malware, it is widely abused by threat actors as a living-off-the-land binary (LOLBIN) for lateral movement. It falls under the category of remote access tools and was weaponized in campaigns by groups such as FIN6, Ryuk, and Conti, with MITRE ATT&CK mapping to technique T1021.002 (Remote Services) and T1569.002 (Service Execution).
🔧 Technical Capabilities
PsExec works by copying a small service binary (PSEXESVC.exe) to the target system's ADMIN$ share, then creating and starting a Windows service on the remote host via the Service Control Manager (SCM). It communicates over the named pipe PSEXESVC, leveraging an existing authenticated SMB session. Attack chains commonly involve initial access via phishing or vulnerability exploitation, followed by use of PsExec to propagate across the network, often alongside stolen NTLM hashes (Pass-the-Hash). It enables arbitrary command execution, file transfer, and interactive shell access without requiring installation of an additional agent. Persistence is not built in; attackers who need it create scheduled tasks or services after gaining execution through PsExec. Evasion techniques include renaming the binary, using alternate ports, or tunneling over SMB to blend with legitimate traffic.
📜 History & Notable Incidents
PsExec was first documented in the 2006 Sysinternals suite. High-profile incidents include the 2019 Ryuk ransomware campaign, where attackers used PsExec for widespread lateral movement across victim networks, leading to $61 million in ransom demands (according to U.S. CISA). The 2021 Conti ransomware leaks revealed playbooks instructing affiliates to deploy PsExec via SMB. In 2020, the TrickBot botnet integrated PsExec for post-exploitation. No CVEs target PsExec itself, but its abuse is referenced in CVE-2021-31207 (Microsoft Exchange Server related to credential harvesting enabling PsExec use).
🔍 Detection Indicators
Behavioral signatures include SMB write operations to ADMIN$ and named pipe connections to PSEXESVC (matched case-insensitively). Network IOCs include SMB traffic on TCP 445 carrying the filename "PSEXESVC.exe" or "PAExec.exe" (a third-party variant). Registry keys such as HKLM\SYSTEM\CurrentControlSet\Services\PSEXESVC appear during execution. The legitimate PSEXESVC.exe is Microsoft-signed, but attackers often modify the binary; known malicious hashes include 0xa3b2c1... (example). Sysmon Event IDs 1 (process creation) and 3 (network connection) detect PsExec execution. Custom User-Agent strings are not typically used; instead, the service name "PSEXESVC" in event logs is a key indicator.
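The indicators above can be turned into correlation logic. The following Python is an added example written for this page, not Sysinternals or Boteraser code. It scores simplified log events (dicts whose field names follow the Windows/Sysmon schema: Security 5145 share access, System 7045 service installation, Sysmon 1/3 process and network events, Sysmon 12/13 registry events and Sysmon 17/18 pipe events) against the PSEXESVC service, pipe, registry and binary names, and alerts when several distinct indicators land on one host inside a short window. It goes slightly beyond the page's name-based indicators by also flagging the structural pattern of an .exe written through ADMIN$ followed by a service whose binary sits in the Windows directory root, which survives renaming of the service. All events, hostnames and paths are constructed sample data.

```python
"""Correlate PsExec-style service-execution indicators across constructed log
events. Added example for this page; event dicts are a simplified stand-in
for real Sysmon/Windows event records, not their XML."""
import re
from collections import defaultdict

# Name-based indicators (case-insensitive; PAExec is the third-party variant).
PSEXEC_NAME = re.compile(r"(psexesvc|paexec)", re.IGNORECASE)
SERVICE_KEY = re.compile(r"\\services\\(psexesvc|paexec)", re.IGNORECASE)
CLIENT_EXE = re.compile(r"^(psexec(64)?|paexec)\.exe$", re.IGNORECASE)
# Structural indicator: service binary dropped directly into the Windows root,
# which is where a write through ADMIN$ lands (matches C:\Windows\x.exe or
# %SystemRoot%\x.exe, but not ...\System32\x.exe).
ROOT_WINDOWS_EXE = re.compile(r"^(?:%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def classify(ev):
    """Map one event to an indicator label, or None if it is not suspicious."""
    src, eid = ev["source"], ev["event_id"]
    if src == "Security" and eid == 5145:            # network share object accessed
        write = int(ev.get("AccessMask", "0x0"), 16) & 0x2   # WriteData bit
        if write and ev["ShareName"].upper().endswith("ADMIN$") \
                and ev["RelativeTargetName"].lower().endswith(".exe"):
            return "admin_share_exe_write"
    elif src == "System" and eid == 7045:            # a new service was installed
        if PSEXEC_NAME.search(ev["ServiceName"]):
            return "psexec_service_installed"
        if ROOT_WINDOWS_EXE.match(ev["ImagePath"]):
            return "root_windows_service"
    elif src == "Sysmon":
        if eid == 1 and PSEXEC_NAME.search(_basename(ev["Image"])):
            return "psexec_service_process"
        if eid in (17, 18) and PSEXEC_NAME.search(ev["PipeName"]):   # pipe created/connected
            return "psexec_named_pipe"
        if eid in (12, 13) and SERVICE_KEY.search(ev["TargetObject"]):  # registry key/value
            return "psexec_service_registry"
        if eid == 3 and ev.get("DestinationPort") == 445 \
                and CLIENT_EXE.match(_basename(ev["Image"])):
            return "psexec_client_smb"
    return None


def detect(events, window=300, min_indicators=2):
    """Per host, find the densest `window`-second span of distinct indicators and
    alert when it holds at least `min_indicators`. Returns {host: sorted labels}."""
    hits = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev["host"]].append((ev["ts"], label))
    alerts = {}
    for host, items in hits.items():
        items.sort()
        best = set()
        for i, (t0, _) in enumerate(items):
            labels = {lab for t, lab in items[i:] if t - t0 <= window}
            if len(labels) > len(best):
                best = labels
        if len(best) >= min_indicators:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample events (hostnames, timestamps and paths are made up).
EVENTS = [
    # Operator workstation: the PsExec client opens SMB to the target (Sysmon 3).
    {"host": "WS01", "ts": 100, "source": "Sysmon", "event_id": 3,
     "Image": r"C:\Tools\PsExec64.exe", "DestinationIp": "10.0.0.25", "DestinationPort": 445},
    # Target FS01: service binary written through ADMIN$ (Security 5145, WriteData).
    {"host": "FS01", "ts": 101, "source": "Security", "event_id": 5145,
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "PSEXESVC.exe", "AccessMask": "0x2"},
    {"host": "FS01", "ts": 102, "source": "System", "event_id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FS01", "ts": 102, "source": "Sysmon", "event_id": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\PSEXESVC\ImagePath"},
    {"host": "FS01", "ts": 103, "source": "Sysmon", "event_id": 1,
     "Image": r"C:\Windows\PSEXESVC.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"host": "FS01", "ts": 103, "source": "Sysmon", "event_id": 17,
     "Image": r"C:\Windows\PSEXESVC.exe", "PipeName": r"\PSEXESVC"},
    # DB02: service and binary renamed, so only the structural indicators fire.
    {"host": "DB02", "ts": 200, "source": "Security", "event_id": 5145,
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "updsvc.exe", "AccessMask": "0x2"},
    {"host": "DB02", "ts": 201, "source": "System", "event_id": 7045,
     "ServiceName": "updsvc", "ImagePath": r"C:\Windows\updsvc.exe"},
    # Benign noise: a service installed from System32, and explorer.exe using SMB.
    {"host": "FS01", "ts": 50, "source": "System", "event_id": 7045,
     "ServiceName": "ExampleSvc", "ImagePath": r"C:\Windows\System32\examplesvc.exe"},
    {"host": "WS02", "ts": 60, "source": "Sysmon", "event_id": 3,
     "Image": r"C:\Windows\explorer.exe", "DestinationIp": "10.0.0.25", "DestinationPort": 445},
]

if __name__ == "__main__":
    for host, labels in detect(EVENTS).items():
        print(f"ALERT {host}: {', '.join(labels)}")
```

Run as-is it alerts on FS01 (five indicators) and DB02 (the two structural ones), while the single client-side connection on WS01 stays below the default threshold; lowering min_indicators to 1 or correlating the client's DestinationIp with the target host's events would surface it. The pipe, registry and service-install events are what keep the logic working when the dropped binary is renamed but the service name is kept.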
☠️ Risk & Impact
PsExec abuse enables rapid lateral movement, allowing attackers to deploy ransomware, exfiltrate data, or install backdoors across entire networks. The 2019 Ryuk campaign impacted over 100 organizations, primarily healthcare and education, with average recovery costs exceeding $500,000 per incident. The Conti ransomware, using PsExec, caused global supply chain disruptions with estimated losses over $180 million. Affected sectors include finance, government, and critical infrastructure, as reported by CISA advisories.
🛡️ Mitigation
Mitigations include disabling SMBv1, enforcing least-privilege access to ADMIN$ shares, enabling Windows Defender Attack Surface Reduction rules (e.g., block PsExec execution), and deploying Sysmon with rules to alert on PSEXESVC named pipe creation. Microsoft provides detection rules in Microsoft 365 Defender (Identity ID 10025). Regular patching of credential-stealing vulnerabilities (e.g., CVE-2021-26855) reduces PsExec abuse vectors. Use of application control like WDAC or AppLocker can block unauthorized binaries.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.