CSI Cyber Security Awards 2025 — Women in Cyber + Outstanding Training
Macksofy Technologies
Back
Public · Free to share
Macksofy Technologies
CERT-In Empanelled
Govt of India · MeitY
Cheat Sheet · 2026

PsExec Detection Cheat Sheet

Telemetry sources, sigma-style detection logic and false-positive patterns for PsExec lateral movement.

Document
MKS-CL-PSEXEC-2026
Version
v1.0
Issued
18 May 2026
Classification
Public · Free to share
www.macksofy.com
Website
services@macksofy.com
Enquiries
+91 99308 24239
Direct line

PsExec is a Sysinternals tool — and an attacker's lateral-movement workhorse. Most mid-market SOCs miss it because the detections that ship by default fire on something every IT admin uses anyway. This cheat sheet lists the telemetry sources, the sigma-style logic and the false-positive patterns that separate IT-admin PsExec from adversary PsExec.

Telemetry sources

  • Windows Security log: 4624 (logon), 4688 (process), 4697 (service install), 5145 (network share access)
  • Sysmon: 1 (process), 3 (network connection), 11 (file create), 13 (registry value set)
  • EDR process telemetry — most critical, ties parent → child reliably
  • Network telemetry — SMB to ADMIN$ from a non-admin source

Sigma-style high-fidelity detections

BehaviorSignalConfidence
PSEXESVC service install on remote hostEvent 4697 with ServiceName=PSEXESVC OR ServiceFileName ending psexesvc.exeHigh
psexesvc.exe process spawnedSysmon EID 1, Image ends \psexesvc.exe, ParentImage=services.exeHigh
ADMIN$ share access from non-admin sourceEvent 5145, ShareName=\\*\ADMIN$, AccessRequest=WriteDataMedium
Cmd / PowerShell as child of psexesvcSysmon EID 1, ParentImage ends \psexesvc.exe, Image ends \cmd.exe OR \powershell.exeHigh — investigate immediately
Anonymous pipe usage from psexesvcSysmon EID 17/18 (pipe events), PipeName matches PSEXESVC patternMedium — useful for variant detection

False-positive sources

  • Legitimate IT-admin remediation runs — burn an exception list keyed by source host + admin user account.
  • RMM tools (ConnectWise, Kaseya, NinjaOne) using PsExec under the hood — exception by parent process and code-sign.
  • Patch-management vendors that wrap PsExec — usually pinned source IPs, easy to except.

PsExec variants and impostors

  • Renamed psexesvc.exe — file-hash detection beats name-only detection.
  • Custom forks (Ms-Wbt-Server, RemCom) use the same SCM + ADMIN$ technique — detect on the technique, not the binary.
  • PsExec-style behavior implemented inside Cobalt Strike beacons — pivot to EDR command-line + parent telemetry.
Detect the technique, not the binary.

Service install via SCM + a 4-letter random name + a binary in C:\Windows\ that wasn't there 60 seconds ago is the technique. Whether the file is psexesvc.exe or x9q4.exe, the SCM-install + temp-binary pattern is the high-confidence detection.

Engage Macksofy
Need this in production, not on paper?

Macksofy offers full-service engagements that map directly to this resource. Common starting points:

Or talk to a senior consultant — fixed-price proposal in 48 hours.
Macksofy Technologies
Macksofy Technologies Pvt Ltd
308, Building 11, SRA Commercial Tower, BKC, Mumbai 400051
Document v1.0
Issued 18 May 2026
Public · Free to share
© Macksofy Technologies — all rights reserved