Elastic Security Detection Rules

PsExec Network Connection

Last updated a month ago on 2025-03-20
Created 5 years ago on 2020-02-18

About

Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: ExecutionTactic: Lateral MovementData Source: Elastic DefendData Source: SysmonLanguage: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Execution (TA0002)(opens in a new tab or window)

System Services (T1569)(opens in a new tab or window)

Lateral Movement (TA0008)(opens in a new tab or window)

Remote Services (T1021)(opens in a new tab or window)

Lateral Tool Transfer (T1570)(opens in a new tab or window)

False Positive Examples
PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
winlogbeat-*logs-endpoint.events.process-*logs-endpoint.events.network-*logs-windows.sysmon_operational-*
Related Integrations

endpoint(opens in a new tab or window)

windows(opens in a new tab or window)

Query
sequence by process.entity_id
  [process where host.os.type == "windows" and process.name : "PsExec.exe" and event.type == "start" and

   /* This flag suppresses the display of the license dialog and may
      indicate that psexec executed for the first time in the machine */
   process.args : "-accepteula" and

   not process.executable : ("?:\\ProgramData\\Docusnap\\Discovery\\discovery\\plugins\\17\\Bin\\psexec.exe",
                             "?:\\Docusnap 11\\Bin\\psexec.exe",
                             "?:\\Program Files\\Docusnap X\\Bin\\psexec.exe",
                             "?:\\Program Files\\Docusnap X\\Tools\\dsDNS.exe") and
   not process.parent.executable : "?:\\Program Files (x86)\\Cynet\\Cynet Scanner\\CynetScanner.exe"]
  [network where host.os.type == "windows" and process.name : "PsExec.exe"]

Install detection rules in Elastic Security

Detect PsExec Network Connection in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).