// OVERVIEW
PsTools is a suite of remote administration utilities — legitimate system management tools that have become a staple of attacker post-exploitation playbooks. Because they are signed Microsoft binaries and perform functions indistinguishable from normal administration, they are prime living-off-the-land (LotL) tools.
Understanding PsTools from both sides — what an attacker does with each tool, and what log artefacts each leaves — is essential for both red team tradecraft and blue team detection engineering.
// TOOL INVENTORY
| Binary | Function | Attacker Use Case |
|---|---|---|
| PsExec | Execute processes on remote systems | Lateral movement, remote shell, ransomware deployment |
| PsInfo | Gather system info from remote host | Reconnaissance — OS version, uptime, patch level, installed apps |
| PsList | List processes on remote system | Identify security tools, EDR agents, AV processes to kill |
| PsKill | Kill a process by name or PID (local/remote) | Terminate AV, EDR, backup agents before ransomware detonation |
| PsLoggedon | Show logged-on users (local and via resource shares) | Identify active admin sessions for credential theft timing |
| PsLogList | Dump event logs from remote system | Grab logs before clearing them; offline analysis |
| PsPasswd | Change account passwords (local/remote) | Reset admin password to lock defenders out |
| PsPing | Ping with TCP/UDP options, latency stats | Network discovery, firewall rule probing, port scanning |
| PsService | View and control services (local/remote) | Start/stop services, install malicious service |
| PsShutdown | Shutdown/restart remote system | Wiper/ransomware trigger, cover tracks by forcing reboot |
| PsSuspend | Suspend/resume processes | Freeze AV/EDR process without triggering tamper alerts |
| PsGetSid | Get SID for user, group, or remote computer | Domain reconnaissance — enumerate SIDs for pass-the-hash |
| PsFile | Show files opened remotely on a system | Identify which remote users have files open (share enumeration) |
// PSEXEC — DEEP DIVE / MOST ABUSED
PsExec is the most heavily abused tool in the suite. It works by copying a service binary (PSEXESVC.exe) to the target's ADMIN$ share, registering it as a service, and using that service to execute commands.
Basic syntax:
PsExec64.exe \\TARGET -u DOMAIN\admin -p password cmd.exe
PsExec64.exe \\TARGET -s cmd.exe ; Run as SYSTEM
PsExec64.exe \\TARGET -d payload.exe ; Non-interactive (detach)
PsExec64.exe \\TARGET -c payload.exe ; Copy file to remote then run
PsExec64.exe \\TARGET -c -f -s -d beacon.exe ; Full LotL payload drop
PsExec64.exe \\TARGET powershell -enc [Base64EncodedCommand]
; Ransomware operators frequently use:
PsExec64.exe \\* -u domain\admin -p pass -d ransomware.exe
; The \\* syntax executes on all machines in the domain — wormlike spread
What PsExec does on the target (artefacts it leaves):
1. Copies PSEXESVC.exe to \\TARGET\ADMIN$\PSEXESVC.exe
2. Creates service: PSEXESVC
3. Starts service — service runs the specified command
4. After execution: stops service, deletes PSEXESVC.exe
Artefacts remaining:
- Windows Event Log (System): Event 7045 — Service installed "PSEXESVC"
- Windows Event Log (System): Event 7036 — Service state changes
- Security log: Event 4624 — Logon Type 3 (network) from source IP
- Security log: Event 4648 — Explicit credential logon
- Security log: Event 5140 — Network share ADMIN$ accessed
- Prefetch: PSEXESVC.EXE-[hash].pf (even after deletion)
- File: $MFT entry for PSEXESVC.exe (recoverable even post-deletion)
// DETECTION RULES — EVENT IDS / SIEM
| Event ID | Log | Trigger | Tool |
|---|---|---|---|
| 4624 Type 3 | Security | Network logon — lateral movement via credentials | PsExec, PsInfo, PsList, most tools |
| 4648 | Security | Explicit credential logon (RunAs style) | PsExec with -u flag |
| 5140 | Security | Network share accessed (ADMIN$, IPC$) | PsExec (ADMIN$ for PSEXESVC) |
| 7045 | System | New service installed | PsExec (PSEXESVC service) |
| 7036 | System | Service state change | PsExec, PsService |
| 4656 / 4663 | Security | Object access (file/registry handle) | PsKill (handle to process), PsPasswd |
| 4723 / 4724 | Security | Password change attempt | PsPasswd |
| 1102 | Security | Audit log cleared | PsLogList often precedes log clearing |
| 4688 | Security | New process created — check parent/child | All PsTools (look for psexec parent) |
Sigma rule concepts for PsExec detection:
// Service name detection:
EventID: 7045
ServiceName: PSEXESVC
// Child process of psexec pattern:
EventID: 4688
NewProcessName contains: cmd.exe OR powershell.exe
ParentProcessName contains: PSEXESVC.exe
// Network + ADMIN$ share access correlation:
EventID: 5140 AND
ShareName: ADMIN$ AND
ObjectName: PSEXESVC.exe
// Wildcard execution across domain — look for same command
// executed across multiple hosts within short time window (burst)
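The three Sigma concepts above, worked as a small correlation routine. This is an added example in Python, not code from the page or from Sysinternals; the events are constructed dicts, and the field names (time, host, EventID, ServiceName, ShareName, ObjectName, ImagePath, ParentProcessName, NewProcessName, IpAddress) are assumptions about how a SIEM would normalise the raw event XML. The third rule goes slightly beyond the page's fixed-name match: it ties any executable written to ADMIN$ to a 7045 whose ImagePath points at that same file within a short window, so a service renamed with -r (where the dropped binary is renamed too) still fires.

```python
"""Toy SIEM correlation for the PsExec artefact chain (added example).

Events are constructed dicts standing in for normalised Windows events; the
field names are assumptions about a SIEM's normalisation, not real log keys.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# How long after an ADMIN$ executable write a matching 7045 still counts as
# the same PsExec run (assumed tuning value).
DROP_TO_SERVICE_WINDOW = timedelta(seconds=60)

SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample stream: a classic PsExec run against HOST-A, a run with
# a renamed service (-r svcmgr) against HOST-B, and a benign installer on HOST-C.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "host": "HOST-A", "EventID": 4624,
     "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T09:00:01", "host": "HOST-A", "EventID": 5140,
     "ShareName": "ADMIN$", "ObjectName": "PSEXESVC.exe", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T09:00:02", "host": "HOST-A", "EventID": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2024-01-10T09:00:03", "host": "HOST-A", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\PSEXESVC.exe"},
    {"time": "2024-01-10T09:05:00", "host": "HOST-B", "EventID": 5140,
     "ShareName": "ADMIN$", "ObjectName": "svcmgr.exe", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T09:05:02", "host": "HOST-B", "EventID": 7045,
     "ServiceName": "svcmgr", "ImagePath": "%SystemRoot%\\svcmgr.exe"},
    {"time": "2024-01-10T10:00:00", "host": "HOST-C", "EventID": 7045,
     "ServiceName": "UpdaterSvc", "ImagePath": "C:\\Program Files\\Vendor\\updater.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _basename(path):
    """Last path component, lower-cased, tolerant of / and \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_psexec(events):
    """Return a list of alerts; each alert is {"rule", "host", "detail"}."""
    alerts = []
    # host -> executables recently written to ADMIN$: (time, exe name, source IP)
    recent_drops = defaultdict(list)
    for e in sorted(events, key=_ts):
        eid, host = e["EventID"], e["host"]
        if eid == 5140 and e.get("ShareName", "").upper() == "ADMIN$":
            obj = e.get("ObjectName", "").lower()
            if obj.endswith(".exe"):
                recent_drops[host].append((_ts(e), obj, e.get("IpAddress", "?")))
        elif eid == 7045:
            name = e.get("ServiceName", "")
            # Rule 1: the default service name (catches unmodified PsExec).
            if name.upper() == "PSEXESVC":
                alerts.append({"rule": "psexec_service_name", "host": host,
                               "detail": f"service {name} installed"})
            # Rule 3: ADMIN$ drop followed by a service whose binary is that file
            # (still fires when -r renames both the service and the binary).
            image = _basename(e.get("ImagePath", ""))
            for drop_time, exe, src in recent_drops[host]:
                if exe == image and _ts(e) - drop_time <= DROP_TO_SERVICE_WINDOW:
                    alerts.append({"rule": "admin_share_drop_then_service", "host": host,
                                   "detail": f"{exe} written from {src}, then service {name}"})
                    break
        elif eid == 4688:
            # Rule 2: shell spawned by the PsExec service binary.
            if (_basename(e.get("ParentProcessName", "")) == "psexesvc.exe"
                    and _basename(e.get("NewProcessName", "")) in SHELLS):
                alerts.append({"rule": "shell_spawned_by_psexesvc", "host": host,
                               "detail": e["NewProcessName"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_psexec(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['detail']}")
```

Run against the constructed stream, HOST-A trips all three rules, HOST-B trips only the drop-then-service correlation (its service is not called PSEXESVC), and the vendor installer on HOST-C stays quiet because nothing was written to its ADMIN$ share beforehand.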
// PSKILL — AV/EDR TERMINATION / PRE-RANSOMWARE
pskill64.exe \\TARGET MsMpEng.exe ; Kill Windows Defender
pskill64.exe \\TARGET CylanceSvc.exe ; Kill Cylance
pskill64.exe \\TARGET xagt.exe ; Kill FireEye HX
pskill64.exe \\TARGET CSFalconService ; Kill CrowdStrike Falcon
; Note: Most modern EDR products implement tamper protection — PsKill will fail.
; Attackers may instead use PsSuspend to freeze the process without triggering
; tamper alerts, or use a kernel-level driver to bypass protection.
; Detection: 4689 (process terminated) on protected process from unexpected parent
// RED TEAM TRADECRAFT
Rename binaries — rename PsExec64.exe to svchost.exe or msiexec.exe before deployment. Process name in logs changes but behaviour is identical.
Use -r to rename service — psexec -r mysvcname renames PSEXESVC to a custom name, evading service name IOCs.
Avoid ADMIN$ — use -c with a custom share to avoid the ADMIN$/PSEXESVC pattern. Or use impacket's psexec.py equivalent.
PsPing for network recon — legitimate tool, less suspicious than nmap. TCP connect scan:
psping -n 1 TARGET:445
// BLUE TEAM DETECTION
Block PSEXESVC hash — application control policy to block execution of the known PSEXESVC.exe hash. Attackers must use custom builds to bypass.
Alert on ADMIN$ writes — any write to ADMIN$ share from a non-admin management system should alert. PsExec cannot function without it.
Correlate logon burst — single source IP with Event 4624 Type 3 to many hosts in short window = lateral movement. Baseline normal admin patterns.
EDR tamper protection — enable on all endpoints. PsKill should fail against protected processes; the attempt itself generates a detectable event.
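The "correlate logon burst" item above, worked as an added Python example (not code from the page): it learns a per-source baseline of Event 4624 Logon Type 3 fan-out from a known-good period, then alerts when a source reaches many distinct hosts inside one window and exceeds its baseline. The events are constructed, the field names are assumed SIEM normalisation keys, and the window, minimum host count and tolerance factor are assumed tuning values.

```python
"""Lateral-movement burst detection over 4624 Logon Type 3 events (added example).

Events are constructed dicts; the field names are assumptions about a SIEM's
normalisation, and the window/threshold values are assumed tuning knobs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)


def _logon(ip, host, when):
    """Build one constructed 4624 / Logon Type 3 record."""
    return {"time": when.isoformat(), "host": host, "EventID": 4624,
            "LogonType": 3, "IpAddress": ip}


def _fan(ip, hosts, start, step):
    """Constructed run of network logons from ip to each host, `step` apart."""
    return [_logon(ip, h, start + i * step) for i, h in enumerate(hosts)]


# Constructed "yesterday" baseline: a management server (10.0.0.2) legitimately
# reaches eight hosts within ten minutes.
T0 = datetime(2024, 1, 9, 2, 0, 0)
TRAINING_EVENTS = _fan("10.0.0.2", [f"HOST-{i}" for i in range(8)], T0, timedelta(minutes=1))

# Constructed "today": the same server reaches nine hosts (within tolerance),
# a workstation (10.0.0.5) fans out to six hosts in three minutes, and another
# (10.0.0.7) touches two file servers.
T1 = datetime(2024, 1, 10, 2, 0, 0)
DETECTION_EVENTS = (
    _fan("10.0.0.2", [f"HOST-{i}" for i in range(9)], T1, timedelta(minutes=1))
    + _fan("10.0.0.5", [f"HOST-{i}" for i in range(6)], T1.replace(hour=9), timedelta(seconds=30))
    + _fan("10.0.0.7", ["FS-1", "FS-2"], T1.replace(hour=9), timedelta(minutes=1))
)


def _network_logons(events):
    """Group 4624 Type 3 events by source IP as time-sorted (time, host) pairs."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") == 3:
            by_src[e["IpAddress"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    for pairs in by_src.values():
        pairs.sort()
    return by_src


def _peak_fanout(pairs, window):
    """Most distinct target hosts reached from one source in any window-long span."""
    peak, start = 0, 0
    for end, (t, _) in enumerate(pairs):
        while pairs[start][0] < t - window:   # slide the window's left edge forward
            start += 1
        peak = max(peak, len({h for _, h in pairs[start:end + 1]}))
    return peak


def learn_baseline(training_events, window=WINDOW):
    """Per-source peak fan-out observed during a known-good period."""
    return {ip: _peak_fanout(p, window) for ip, p in _network_logons(training_events).items()}


def detect_lateral_burst(events, baseline, window=WINDOW, min_hosts=5, tolerance=2):
    """Alert when a source reaches >= min_hosts distinct hosts in one window and
    exceeds tolerance x its learned baseline (unseen sources have baseline 0)."""
    alerts = []
    for ip, pairs in _network_logons(events).items():
        fanout = _peak_fanout(pairs, window)
        learned = baseline.get(ip, 0)
        if fanout >= min_hosts and fanout > learned * tolerance:
            alerts.append({"source": ip, "distinct_hosts": fanout, "baseline": learned})
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_burst(DETECTION_EVENTS, learn_baseline(TRAINING_EVENTS)):
        print(f"lateral-movement burst from {a['source']}: {a['distinct_hosts']} hosts "
              f"in {WINDOW} (baseline {a['baseline']})")
```

With the baseline applied, only the workstation 10.0.0.5 alerts; without it, the management server's nine-host run would alert as well, which is the noise the page's "baseline normal admin patterns" advice is meant to remove.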