PsExec


- Tool Overview

Category: Command Execution
Description: Executes a command on a remote host.
Example of Presumed Tool Use During an Attack: The tool is used to execute a remote command on hosts and servers in a domain.

- Tool Operation Overview

Item | Source host | Destination host
OS | Windows | Windows
Belonging to Domain | Not required | Not required
Rights | Standard user | Administrator
Communication Protocol | 88/tcp (when executing in a domain environment), 135/tcp, 445/tcp, Random High Port
Service | - | -

- Information Acquired from Log

Standard Settings
  • Source host
    • A registry value created when the PsExec License Agreement has been agreed to (registry).
    • Execution history (Prefetch)
  • Destination Host
    • The fact that the PSEXESVC service has been installed, started, and ended is recorded (system log).
    • Execution history (Prefetch)
Additional Settings
  • Source host
    • The fact that the PsExec process was executed and that connection was made to the destination via the network, as well as the command name and argument for a remotely executed command are recorded (audit policy, Sysmon).
    • A registry value created when the PsExec License Agreement has been agreed to (Sysmon).
  • Destination Host
    • The fact that PSEXESVC.exe was created and accessed, and that connection was made from the source via the network, as well as the command name and argument for a remotely executed command are recorded (audit policy, Sysmon).
  • Packet Capture
    • Transfer of PSEXESVC.exe and its input/output streams (-stdin, -stdout, -stderr) over SMB2.

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

# | Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • CommandLine: Command line of the execution command ([Path to Executable File] [Execution Command])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the executable file)
  • User: Execute as user
2 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source host)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (destination ports: 135 and 445, high port)
3 | Microsoft-Windows-Sysmon/Operational | 13 | Registry value set (rule: RegistryEvent) | Registry value set.
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD: 0x00000001)
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Sysinternals\PsExec\EulaAccepted)
4 | Security | 4689 | Process Termination | A process has exited.
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Exit Status: Process return value (0x0)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Path to the executable file (path to the tool)

Prefetch

Registry entry

# | Path | Value
1 | HKEY_USERS\[User SID]\SOFTWARE\Sysinternals\PsExec\EulaAccepted | 0x00000001

- Destination Host

Event log

# | Log | Event ID | Task Category | Event Details
1 | Security | 5145 | Detailed File Share | A network share object was checked to see whether the client can be granted the desired access.
  • Shared Information > Share Name: Share name (\\*\ADMIN$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Share Path: Share path (\??\C:\Windows)
  • Shared Information > Relative Target Name: Relative target name from the share path (PSEXESVC.exe)
  • Access Request Information > Access: Requested privileges (including WriteData or AddFile, and AppendData)
2 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • ParentImage: Executable file of the parent process (C:\Windows\system32\services.exe)
  • CommandLine: Command line of the execution command
  • ParentCommandLine: Command line of the parent process (C:\Windows\system32\services.exe)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • Image: Path to the executable file (C:\Windows\PSEXESVC.exe)
3 | System | 7045 | A service was installed in the system. | A service was installed.
  • Service start type: Operation of trigger that starts the service (demand start)
  • Service account: Executing account (LocalSystem)
  • Service type: Type of the service to be executed (user mode service)
  • Service Name: Name displayed in the service list (PSEXESVC)
  • Service File Name: Service executable file (%SystemRoot%\PSEXESVC.exe)
4 | Security | 5145 | Detailed File Share | A network share object was checked to see whether the client can be granted the desired access.
  • Shared Information > Share Name: Share name (\\*\IPC$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Shared Information > Relative Target Name: Relative target name from the share path (PSEXESVC-[Source Host Name]-[Source Process ID]-[stdin, stdout, stderr])
5 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\PSEXESVC.exe)
  • Image: Path to the executable file (Path to the executable file that was executed by PsExec)
  • ParentCommandLine: Command line of the parent process (C:\Windows\PSEXESVC.exe)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
6 | System | 7036 | Service Control Manager | The [Service Name] service entered the [Status] state.
  • Status: State after the transition (Stopped)
  • Service Name: Target service name (PSEXESVC)
7 | Security | 4689 | Process Termination | A process has exited.
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Exit Status: Process return value (0x0)
  • Process Information > Process Name: Path to the executable file (C:\Windows\PSEXESVC.exe)
8 | Security | 4674 | Sensitive Privilege Use | An operation was attempted on a privileged object.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Name of the object to be processed (PSEXESVC)
  • Object > Object Server: Service that executed the process (SC Manager)
  • Requested operation > Privileges: Requested privilege (DELETE)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\services.exe)
  • Object > Object Type: Type of the object to be processed (SERVICE OBJECT)
9 | Microsoft-Windows-Sysmon/Operational | 11 | File created (rule: FileCreate) | File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\PSEXESVC.EXE-[Random Number].pf)
  • CreationUtcTime: File creation date and time (UTC)

USN journal

# | File Name | Process
1 | PSEXESVC.exe | FILE_CREATE
2 | PSEXESVC.exe | DATA_EXTEND+FILE_CREATE
3 | PSEXESVC.exe | CLOSE+DATA_EXTEND+FILE_CREATE
4 | PSEXESVC.EXE-[RANDOM].pf | FILE_CREATE
5 | PSEXESVC.EXE-[RANDOM].pf | DATA_EXTEND+FILE_CREATE
6 | PSEXESVC.EXE-[RANDOM].pf | CLOSE+DATA_EXTEND+FILE_CREATE
7 | PSEXESVC.exe | CLOSE+FILE_DELETE
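The destination-host evidence above is a chain rather than one event: the PSEXESVC.exe write into ADMIN$, the 7045 service install, PSEXESVC.exe started by services.exe, the PSEXESVC-[Source Host Name]-[Source Process ID]-[stdin|stdout|stderr] pipes on IPC$, and finally the remote command spawned by PSEXESVC.exe. The Python below is an added example, not part of the JPCERT sheet: it correlates constructed Security 5145, System 7045 and Sysmon 1 records into one finding and pulls the source host and process ID out of the pipe names. Field names follow the sheet; the user, host name, PID and address are placeholders.

```python
import re

# Pipe naming from the sheet's IPC$ row:
# PSEXESVC-[Source Host Name]-[Source Process ID]-[stdin|stdout|stderr]
PIPE_RE = re.compile(
    r"^PSEXESVC-(?P<host>.+)-(?P<pid>\d+)-(?P<stream>stdin|stdout|stderr)$", re.IGNORECASE
)
SYSMON = "Microsoft-Windows-Sysmon/Operational"


def parse_pipe_name(name):
    """Split a PsExec I/O pipe name into (source host, source PID, stream), else None.

    The greedy host group tolerates hyphens in the host name because the PID is
    anchored by the trailing stream suffix.
    """
    m = PIPE_RE.match(name)
    if m is None:
        return None
    return m.group("host"), int(m.group("pid")), m.group("stream").lower()


def _field(data, key):
    """Case-folded event field, empty string when absent."""
    return str(data.get(key, "")).lower()


def correlate_psexec(events):
    """Fold destination-host events ({"channel", "event_id", "data"}) into one finding.

    The five stages mirror the sheet's destination-host tables: ADMIN$ drop of
    PSEXESVC.exe, 7045 service install, PSEXESVC.exe started by services.exe,
    IPC$ I/O pipes, and the remote command spawned by PSEXESVC.exe.
    """
    finding = {"stages": [], "user": None, "source_ip": None, "source_host": None,
               "source_pid": None, "streams": set(), "commands": [], "service_image": None}

    def mark(stage):
        if stage not in finding["stages"]:
            finding["stages"].append(stage)

    for ev in events:
        ch, eid, d = ev["channel"], ev["event_id"], ev["data"]
        if ch == "Security" and eid == 5145:
            share, target = _field(d, "ShareName"), d.get("RelativeTargetName", "")
            if (share.endswith("admin$") and target.lower() == "psexesvc.exe"
                    and "writedata" in _field(d, "AccessList")):
                mark("drop")  # service binary written into \\*\ADMIN$ (C:\Windows)
                finding["user"] = d.get("SubjectUserName")
                finding["source_ip"] = d.get("IpAddress")
            elif share.endswith("ipc$"):
                parsed = parse_pipe_name(target)
                if parsed is not None:
                    mark("pipes")  # pipe name carries the source host and PID
                    finding["source_host"], finding["source_pid"], stream = parsed
                    finding["streams"].add(stream)
        elif ch == "System" and eid == 7045 and _field(d, "ServiceName") == "psexesvc":
            mark("install")
            finding["service_image"] = d.get("ImagePath")
        elif ch == SYSMON and eid == 1:
            image, parent = _field(d, "Image"), _field(d, "ParentImage")
            if image.endswith("\\psexesvc.exe") and parent.endswith("\\services.exe"):
                mark("service_run")
            elif parent.endswith("\\psexesvc.exe"):
                mark("remote_command")  # the command PsExec was asked to run
                finding["commands"].append(d.get("CommandLine", ""))
    return finding


def is_psexec_execution(finding):
    """Alert only when the drop, the service install and a remote command all appear."""
    return {"drop", "install", "remote_command"} <= set(finding["stages"])


# Constructed sample: the sequence the sheet's destination-host tables describe,
# with placeholder user, host name, PID and address.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 5145, "data": {
        "SubjectUserName": "admin", "IpAddress": "10.0.0.5", "ShareName": r"\\*\ADMIN$",
        "RelativeTargetName": "PSEXESVC.exe",
        "AccessList": "WriteData or AddFile, AppendData or AddSubdirectory"}},
    {"channel": "System", "event_id": 7045, "data": {
        "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
        "StartType": "demand start", "AccountName": "LocalSystem"}},
    {"channel": SYSMON, "event_id": 1, "data": {
        "Image": r"C:\Windows\PSEXESVC.exe", "CommandLine": r"C:\Windows\PSEXESVC.exe",
        "ParentImage": r"C:\Windows\system32\services.exe", "User": r"NT AUTHORITY\SYSTEM"}},
] + [
    {"channel": "Security", "event_id": 5145, "data": {
        "SubjectUserName": "admin", "IpAddress": "10.0.0.5", "ShareName": r"\\*\IPC$",
        "RelativeTargetName": f"PSEXESVC-WS-01-4120-{stream}",
        "AccessList": "ReadData or ListDirectory"}}
    for stream in ("stdin", "stdout", "stderr")
] + [
    {"channel": SYSMON, "event_id": 1, "data": {
        "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
        "ParentImage": r"C:\Windows\PSEXESVC.exe", "User": r"NT AUTHORITY\SYSTEM"}},
]
```

The source host and PID recovered from the pipe names give the pivot back to the source-host artifacts (Sysmon 1, Prefetch and the EulaAccepted value) listed earlier.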

Prefetch


- Details: Source Host

- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CommandLine: Command line of the execution command ([Path to Executable File] [Execution Command])
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (path to the executable file)
1 (cont.) | Security | 4688 | Process Create | A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation (Mandatory Label\High Mandatory Level)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process. A record is confirmed on Windows 10 only.
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to the executable file)
  • Process Information > Token Escalation Type: Presence of privilege escalation (2)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 | Microsoft-Windows-Sysmon/Operational | 12 | Registry object added or deleted (rule: RegistryEvent) | Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value. Although it was "\REGISTRY\A\[UUID]\Root\File\[UUID]\40000174b3" when the test was conducted, it may change.
2 (cont.) | Microsoft-Windows-Sysmon/Operational | 13 | Registry value set (rule: RegistryEvent) | Registry value set.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry. In Windows 7, the data type ("Binary Data", etc.) is displayed. In Windows 10, the value (path to the tool) may be displayed.
  • TargetObject: Registry value at the write destination. Although it was the value "15" under the registry key created immediately before the write when the test was conducted, it may change.
3 | Microsoft-Windows-Sysmon/Operational | 13 | Registry value set (rule: RegistryEvent) | Registry value set.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\[UUID]\Count\CfRkrp.rkr)
4 | Microsoft-Windows-Sysmon/Operational | 12 | Registry object added or deleted (rule: RegistryEvent) | Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Sysinternals\PsExec)
4 (cont.) | Microsoft-Windows-Sysmon/Operational | 13 | Registry value set (rule: RegistryEvent) | Registry value set.
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD: 0x00000001)
  • TargetObject: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Sysinternals\PsExec\EulaAccepted)
5 | Microsoft-Windows-Sysmon/Operational | 10 | Process accessed (rule: ProcessAccess) | Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1000, 0x1478)
  • SourceImage: Path to the access source process (C:\Windows\system32\lsass.exe)
  • TargetImage: Path to the access destination process (path to the tool)
6 | Microsoft-Windows-Sysmon/Operational | 12 | Registry object added or deleted (rule: RegistryEvent) | Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)
7 | Microsoft-Windows-Sysmon/Operational | 11 | File created (rule: FileCreate) | File created.
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Users\[User Name]\AppData\Roaming\Microsoft\Crypto\RSA\[User SID], and under that)
  • CreationUtcTime: File creation date and time (UTC)
8 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (high port)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (445)
8 (cont.) | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Source Address/Source Port: Source IP address/Port number (high port)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Destination Address/Destination Port: Destination IP address/Port number (445)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (outbound)
  • Application Information > Process ID: Process ID (4)
9 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (high port)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (135)
9 (cont.) | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Source Address/Source Port: Source IP address/Port number (high port)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Destination Address/Destination Port: Destination IP address/Port number (135)
  • Application Information > Application Name: Execution process (path to the tool)
  • Network Information > Direction: Communication direction (outbound)
  • Application Information > Process ID: Process ID
10 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (high port)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (high port)
10 (cont.) | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Source Address/Source Port: Source IP address/Port number (high port)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Destination Address/Destination Port: Destination IP address/Port number (high port)
  • Application Information > Application Name: Execution process (path to the tool)
  • Network Information > Direction: Communication direction (outbound)
  • Application Information > Process ID: Process ID
11 | Microsoft-Windows-Sysmon/Operational | 5 | Process terminated (rule: ProcessTerminate) | Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
11 (cont.) | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (path to the tool)
  • Subject > Logon ID: Session ID of the user who executed the process
12 | Microsoft-Windows-Sysmon/Operational | 11 | File created (rule: FileCreate) | File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\[Tool Executable File Name]-[Random Number].pf)
  • CreationUtcTime: File creation date and time (UTC)
12 (cont.) | Security | 4656/4663 | File System | A handle to an object was requested. / An attempt was made to access an object.
  • Access Request Information > Access: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Tool Executable File Name]-[Random Number].pf)

- USN Journal

# | File Name | Process | Attribute
1 | [Executable File Name of Tool]-[RANDOM].pf | FILE_CREATE | archive+not_indexed

- MFT

# | Path | Header Flag | Validity
1 | [Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf | FILE | ALLOCATED

- Prefetch

# | Prefetch File | Process Name | Process Path | Information That Can Be Confirmed
1 | [Executable File Name of Tool]-[RANDOM].pf | [Executable File Name of Tool] | \VOLUME{[GUID]}\[Path to the Tool] | Last Run Time (last execution date and time)

- Registry Entry

# | Path | Type | Value
1 | HKEY_USERS\[User SID]\SOFTWARE\Sysinternals\PsExec\EulaAccepted | DWORD | 0x00000001
2 | HKEY_USERS\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{[GUID]}\Count\[ROT13 of Path]\[ROT13 of Executable File Name] | Binary | [Binary Value]
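The two registry entries above identify who ran PsExec on the source host: EulaAccepted is written under the user's SID, and the UserAssist value name is the executable path ROT13-encoded (CfRkrp.rkr in the event-log table decodes to PsExec.exe). The Python below is an added example rather than the sheet's own tooling: it extracts both artifacts from constructed Sysmon event 13 records; the SID, the UserAssist GUID and the tool path are placeholders.

```python
import codecs
import re

# Sysmon 13 TargetObject forms from the sheet's source-host rows; the SID and
# the UserAssist GUID are matched as patterns because they differ per user and OS.
EULA_RE = re.compile(
    r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\SOFTWARE\\Sysinternals\\PsExec\\EulaAccepted$",
    re.IGNORECASE,
)
USERASSIST_RE = re.compile(
    r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    r"\\Explorer\\UserAssist\\\{[0-9A-Fa-f-]+\}\\Count\\(?P<entry>.+)$",
    re.IGNORECASE,
)


def decode_userassist(entry):
    """UserAssist value names are the executed program's path, ROT13-encoded."""
    return codecs.decode(entry, "rot_13")


def source_host_artifacts(events):
    """Pull PsExec evidence out of Sysmon 13 (registry value set) events.

    Returns one record per hit: the EULA acceptance value (keyed by the SID of
    the user who ran the tool) and any UserAssist entry, flagged when it
    decodes to a PsExec executable.
    """
    found = []
    for ev in events:
        if ev.get("event_id") != 13:
            continue
        data = ev["data"]
        target = data.get("TargetObject", "")
        m = EULA_RE.match(target)
        if m and "0x00000001" in data.get("Details", "").lower():
            found.append({"kind": "eula_accepted", "sid": m.group("sid"),
                          "image": data.get("Image")})
            continue
        m = USERASSIST_RE.match(target)
        if m:
            program = decode_userassist(m.group("entry"))
            found.append({"kind": "userassist", "sid": m.group("sid"), "program": program,
                          "is_psexec": program.lower().endswith("\\psexec.exe")})
    return found


# Constructed sample with a placeholder SID and GUID; the UserAssist name is the
# ROT13 form of C:\Users\alice\Tools\PsExec.exe (sheet: CfRkrp.rkr = PsExec.exe).
SID = "S-1-5-21-1111-2222-3333-1001"
USER_HIVE = "\\REGISTRY\\USER\\" + SID
SAMPLE_REGISTRY_EVENTS = [
    {"event_id": 12, "data": {
        "EventType": "CreateKey", "Image": "C:\\Users\\alice\\Tools\\PsExec.exe",
        "TargetObject": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters"}},
    {"event_id": 13, "data": {
        "Image": "C:\\Users\\alice\\Tools\\PsExec.exe", "Details": "DWORD (0x00000001)",
        "TargetObject": USER_HIVE + "\\SOFTWARE\\Sysinternals\\PsExec\\EulaAccepted"}},
    {"event_id": 13, "data": {
        "Image": "C:\\Windows\\System32\\svchost.exe", "Details": "Binary Data",
        "TargetObject": USER_HIVE + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer"
                        "\\UserAssist\\{00000000-0000-0000-0000-000000000000}\\Count"
                        "\\P:\\Hfref\\nyvpr\\Gbbyf\\CfRkrp.rkr"}},
]
```

The same two patterns apply to an offline NTUSER.DAT export, since the value paths under HKEY_USERS\[User SID] are the ones the registry table lists.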

- Details: Destination Host

- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • User: Execute as user
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (445)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (high port)
1 (cont.) | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Source Address/Source Port: Source IP address/Port number (445)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Destination Address/Destination Port: Destination IP address/Port number (high port)
  • Application Information > Application Name: Execution process (System)
  • Network Information > Direction: Communication direction (inbound/acceptance)
  • Application Information > Process ID: Process ID (4)
2 | Microsoft-Windows-Sysmon/Operational | 11 | File created (rule: FileCreate) | File created.
  • Image: Path to the executable file (System)
  • ProcessGuid/ProcessId: Process ID (4)
  • TargetFilename: Created file (C:\Windows\PSEXESVC.exe)
  • CreationUtcTime: File creation date and time (UTC)
2 (cont.) | Security | 5140 | File Sharing | A network share object was accessed.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Network Information > Object Type: Category of the target (File)
  • Shared Information > Share Path: Share path (\??\C:\Windows)
  • Network Information > Source/Source Port: Execution source host/Port number
  • Access Request Information > Access: Requested privilege (ReadData or ListDirectory)
  • Shared Information > Share Name: Share name used (\\*\ADMIN$)
  • Subject > Logon ID: Session ID of the user who executed the process
2 (cont.) | Security | 5145 | Detailed File Share | A network share object was checked to see whether the client can be granted the desired access.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Share path (\??\C:\Windows)
  • Access Request Information > Access: Requested privileges (including WriteData or AddFile, and AppendData)
  • Shared Information > Share Name: Share name (\\*\ADMIN$)
  • Network Information > Source Address/Source Port: Source IP address/Port number
  • Shared Information > Relative Target Name: Relative target name from the share path (PSEXESVC.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
2 (cont.) | Security | 4656/4663 | File System | A handle to an object was requested. / An attempt was made to access an object.
  • Access Request Information > Access: Requested privileges (including WriteData and WriteAttributes)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
  • Object > Object Name: Target file name (C:\Windows\PSEXESVC.exe)
3 | Security | 4672 | Special Logon | Privileges assigned to a new logon.
  • Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
3 (cont.) | Security | 4624 | Logon | An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Package Name (NTLM only): NTLM version
  • Detailed Authentication Information > Logon Process: Process used for logon (NtLmSsp)
  • Network Information > Source Port: Source port number
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (NTLM)
  • Network Information > Source Network Address: IP address that requested the logon
  • Subject > Logon ID: Session ID of the user who executed the authentication
4 | Microsoft-Windows-Sysmon/Operational | 12 | Registry object added or deleted (rule: RegistryEvent) | Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PSEXESVC)
4 (cont.) | Microsoft-Windows-Sysmon/Operational | 13 | Registry value set (rule: RegistryEvent) | Registry value set.
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD: 0x00000010)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PSEXESVC\Type)
4 (cont.) | Microsoft-Windows-Sysmon/Operational | 13 | Registry value set (rule: RegistryEvent) | Registry value set.
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD: 0x00000003)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PSEXESVC\Start)
4 (cont.) | Microsoft-Windows-Sysmon/Operational | 13 | Registry value set (rule: RegistryEvent) | Registry value set.
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD: 0x00000000)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PSEXESVC\ErrorControl)
4 (cont.) | Microsoft-Windows-Sysmon/Operational | 13 | Registry value set (rule: RegistryEvent) | Registry value set.
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (%SystemRoot%\PSEXESVC.exe)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PSEXESVC\ImagePath)
4 (cont.) | Microsoft-Windows-Sysmon/Operational | 13 | Registry value set (rule: RegistryEvent) | Registry value set.
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (PSEXESVC)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PSEXESVC\DisplayName)
4 (cont.) | Microsoft-Windows-Sysmon/Operational | 13 | Registry value set (rule: RegistryEvent) | Registry value set.
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD: 0x00000001)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PSEXESVC\WOW64)
4 (cont.) | Microsoft-Windows-Sysmon/Operational | 13 | Registry value set (rule: RegistryEvent) | Registry value set.
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (LocalSystem)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PSEXESVC\ObjectName)
4 (cont.) | System | 7045 | A service was installed in the system. | A service was installed in the system.
  • Service start type: Operation of trigger that starts the service (demand start)
  • Service account: Executing account (LocalSystem)
  • Service type: Type of the service to be executed (user mode service)
  • Service Name: Name displayed in the service list (PSEXESVC)
  • Service File Name: Service executable file (%SystemRoot%\PSEXESVC.exe)
5 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\system32\services.exe)
  • CommandLine: Command line of the execution command
  • ParentCommandLine: Command line of the parent process (C:\Windows\system32\services.exe)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\PSEXESVC.exe)
5 (cont.) | Microsoft-Windows-Sysmon/Operational | 10 | Process accessed (rule: ProcessAccess) | Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1FFFFF, 0x1400)
  • SourceImage: Path to the access source process (C:\Windows\system32\services.exe)
  • TargetImage: Path to the access destination process (C:\Windows\PSEXESVC.exe)
5 (cont.) | Microsoft-Windows-Sysmon/Operational | 10 | Process accessed (rule: ProcessAccess) | Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1410, 0x101410)
  • SourceImage: Path to the access source process (C:\Windows\system32\svchost.exe)
  • TargetImage: Path to the access destination process (C:\Windows\PSEXESVC.exe)
5 (cont.) | Microsoft-Windows-Sysmon/Operational | 10 | Process accessed (rule: ProcessAccess) | Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1000, 0x1478)
  • SourceImage: Path to the access source process (C:\Windows\system32\lsass.exe)
  • TargetImage: Path to the access destination process (C:\Windows\PSEXESVC.exe)
5 (cont.) | Security | 4688 | Process Create | A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process. A record is confirmed on Windows 10 only.
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\PSEXESVC.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
5 (cont.) | System | 7036 | Service Control Manager | The [Service Name] service entered the [Status] state.
  • Status: State after the transition (Running)
  • Service Name: Target service name (PSEXESVC)
6 | Microsoft-Windows-Sysmon/Operational | 11 | File created (rule: FileCreate) | File created.
  • Image: Path to the executable file (C:\Windows\PSEXESVC.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18)
  • CreationUtcTime: File creation date and time (UTC)
6 (cont.) | Security | 4656/4663 | File System | A handle to an object was requested. / An attempt was made to access an object.
  • Access Request Information > Access: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
  • Object > Object Name: Target file name (C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18, and under that)
7 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (135)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (high port)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Source Address/Source Port: Source IP address/Port number (135)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Destination Address/Destination Port: Destination IP address/Port number (high port)
  • Application Information > Application Name: Execution process (C:\Windows\System32\lsass.exe)
  • Network Information > Direction: Communication direction (inbound/acceptance)
  • Application Information > Process ID: Process ID
8 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (high port)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (high port)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Source Address/Source Port: Source IP address/Port number (high port)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Destination Address/Destination Port: Destination IP address/Port number (high port)
  • Application Information > Application Name: Execution process (C:\Windows\System32\lsass.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Application Information > Process ID: Process ID
9 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\PSEXESVC.exe)
  • Image: Path to the executable file (Path to the executable file that was executed by PsExec)
  • ParentCommandLine: Command line of the parent process (C:\Windows\PSEXESVC.exe)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
Remarks: Another process is executed by PsExec. The subsequent operations depend on the process executed. If the Sysmon Event ID: 5 (Process terminated) for the executed process ID is output, it can be determined that the relevant process terminated.
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to the parent process that created the new process. Recorded on Windows 10 only (C:\Windows\PSEXESVC.exe)
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file
  • Process Information > Token Escalation Type: Presence of privilege escalation
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
Remarks: Another process is executed by PsExec. The subsequent operations depend on the process executed. If the Event ID: 4689 (Process terminated) for the executed process ID is output, it can be determined that the applicable process terminated.
Security 5140 File Sharing A network share object was accessed.
  • Shared Information > Share Name: Share name used (\\*\IPC$)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Network Information > Source/Source Port: Execution source host/Port number. The source port number that was used first for 445/tcp communication is used as the port number.
Remarks: The share is used to return the output of the executed command to the source host.
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Access Request Information > Access: Requested privileges (including WriteData or AddFile)
  • Shared Information > Share Name: Share name (\\*\IPC$)
  • Network Information > Source Address/Source Port: Source IP address/Port number. The source port number that was used first for 445/tcp communication is used as the port number.
  • Shared Information > Relative Target Name: Relative target name from the share path (PSEXESVC)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Network Information > Object Type: Type of the created object (File)
  • Access Request Information > Access: Requested privileges (including WriteData or AddFile, and AppendData)
  • Shared Information > Share Name: Share name (\\*\IPC$)
  • Network Information > Source Address/Source Port: Source IP address/Port number
  • Shared Information > Relative Target Name: Relative target name from the share path (PSEXESVC-[Source Host Name]-[Source Process ID]-stdin)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Network Information > Object Type: Type of the created object (File)
  • Access Request Information > Access: Requested privileges (including ReadData)
  • Shared Information > Share Name: Share name (\\*\IPC$)
  • Network Information > Source Address/Source Port: Source IP address/Port number
  • Shared Information > Relative Target Name: Relative target name from the share path (PSEXESVC-[Source Host Name]-[Source Process ID]-stdout)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Network Information > Object Type: Type of the created object (File)
  • Access Request Information > Access: Requested privileges (including SYNCHRONIZE)
  • Shared Information > Share Name: Share name (\\*\IPC$)
  • Network Information > Source Address/Source Port: Source IP address/Port number
  • Shared Information > Relative Target Name: Relative target name from the share path (PSEXESVC-[Source Host Name]-[Source Process ID]-stderr)
  • Subject > Logon ID: Session ID of the user who executed the process
10 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\PSEXESVC.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\PSEXESVC.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
System 7036 Service Control Manager The [Service Name] service entered the [Status] state.
  • Status: State after the transition (Stopped)
  • Service Name: Target service name (PSEXESVC)
11 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\PSEXESVC.EXE-[Random Number].pf)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656/4663 File System A handle to an object was requested. / An attempt was made to access an object.
  • Access Request Information > Access: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
  • Object > Object Name: Target file name (C:\Windows\Prefetch\PSEXESVC.EXE-[Random Number].pf)
12 Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD: 0x00000001)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PSEXESVC\DeleteFlag)
Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (DWORD: 0x00000004)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PSEXESVC\Start)
13 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Operation type (DeleteKey)
  • Image: Path to the executable file (C:\Windows\system32\services.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PSEXESVC)
Security 4674 Sensitive Privilege Use An operation was attempted on a privileged object.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Name of the object to be processed (PSEXESVC)
  • Object > Object Server: Service that executed the process (SC Manager)
  • Requested operation > Privileges: Requested privilege (DELETE)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\services.exe)
  • Object > Object Type: Type of the object to be processed (SERVICE OBJECT)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 5145 Detailed File Share A network share object was checked to see whether the client can be granted the desired access.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Network Information > Object Type: Type of the created object (File)
  • Shared Information > Share Path: Share path (\\??\C:\Windows)
  • Access Request Information > Access: Requested privilege (DELETE)
  • Shared Information > Share Name: Share name (\\*\ADMIN$)
  • Network Information > Source Address/Source Port: Source IP address/Port number
  • Shared Information > Relative Target Name: Relative target name from the share path (PSEXESVC.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4656/4663 File System A handle to an object was requested. / An attempt was made to access an object.
  • Access Request Information > Access: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
  • Object > Object Name: Target file name
Security 4660 File System An object was deleted.
  • Access Request Information > Access: Requested privilege (DELETE)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (Handle ID obtained with immediately prior Event ID 4656)
  • Object > Object Name: Target file name (C:\Windows\PSEXESVC.exe)
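The destination-host events in the table above can be tied together: the 5145 pipe names on IPC$ encode the source host name and PsExec process ID, the 7036 entry shows PSEXESVC being started, and the 4688 entry whose parent is C:\Windows\PSEXESVC.exe is the remotely executed command. The following is an added Python example (not part of the original page) that correlates these by Subject > Logon ID; it assumes events have already been flattened to simple snake_case keys and uses constructed sample records.

```python
import re
from collections import defaultdict

# PsExec's I/O pipes on IPC$ encode the source host and the PsExec process ID:
# PSEXESVC-<Source Host Name>-<Source Process ID>-std{in,out,err}
PIPE_RE = re.compile(r"^PSEXESVC-(?P<host>.+)-(?P<pid>\d+)-(?P<stream>stdin|stdout|stderr)$")

def parse_pipe_name(name):
    """Return (source_host, source_pid, stream) for a PsExec pipe name, else None."""
    m = PIPE_RE.match(name)
    return (m["host"], int(m["pid"]), m["stream"]) if m else None

def correlate_psexec(events):
    """Group the destination host's PsExec indicators by Subject > Logon ID.

    Each event is a dict with 'channel', 'event_id' and the fields from the table
    flattened to snake_case keys (an assumed normalisation, not an export format)."""
    by_logon = defaultdict(lambda: {"pipes": set(), "children": []})
    service_started = False
    for e in events:
        ch, eid = e["channel"], e["event_id"]
        if ch == "System" and eid == 7036 and e.get("service_name") == "PSEXESVC":
            service_started |= e.get("status") == "Running"       # PSEXESVC installed and running
        elif ch == "Security" and eid == 5145 and e.get("share_name") == r"\\*\IPC$":
            parsed = parse_pipe_name(e.get("relative_target_name", ""))
            if parsed:                                            # srvsvc and other IPC$ pipes are ignored
                s = by_logon[e["logon_id"]]
                s.update(source_host=parsed[0], source_pid=parsed[1],
                         source_ip=e.get("source_address"), account=e.get("account_name"))
                s["pipes"].add(parsed[2])
        elif (ch == "Security" and eid == 4688
              and e.get("creator_process_name", "").lower() == r"c:\windows\psexesvc.exe"):
            by_logon[e["logon_id"]]["children"].append(e.get("new_process_name"))  # the remote command
    return [dict(logon_id=k, service_started=service_started, **v)
            for k, v in by_logon.items() if v["pipes"] or v["children"]]

# Constructed sample records (not real logs), using the field names from the table above.
SAMPLE_EVENTS = [
    {"channel": "System", "event_id": 7036, "service_name": "PSEXESVC", "status": "Running"},
    {"channel": "Security", "event_id": 5145, "logon_id": "0x3e7a1", "account_name": "admin01",
     "share_name": r"\\*\IPC$", "source_address": "10.0.0.5", "relative_target_name": "srvsvc"},
    *[{"channel": "Security", "event_id": 5145, "logon_id": "0x3e7a1", "account_name": "admin01",
       "share_name": r"\\*\IPC$", "source_address": "10.0.0.5",
       "relative_target_name": f"PSEXESVC-WS-SRC01-4120-{stream}"}
      for stream in ("stdin", "stdout", "stderr")],
    {"channel": "Security", "event_id": 4688, "logon_id": "0x3e7a1",
     "creator_process_name": r"C:\Windows\PSEXESVC.exe", "new_process_name": r"C:\Windows\System32\cmd.exe"},
    {"channel": "Security", "event_id": 4688, "logon_id": "0x1b2c3",
     "creator_process_name": r"C:\Windows\explorer.exe", "new_process_name": r"C:\Windows\notepad.exe"},
]

if __name__ == "__main__":
    for hit in correlate_psexec(SAMPLE_EVENTS):
        print(f"PsExec from {hit['source_host']} (PID {hit['source_pid']}, {hit['source_ip']}) "
              f"as {hit['account']}: ran {hit['children']}, pipes {sorted(hit['pipes'])}")
```

The source host name and process ID recovered from the pipe name can then be matched against the source host's own 4688/Sysmon 1 entry for PsExec.exe.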

- USN Journal

# File Name Process Attribute
1 PSEXESVC.exe FILE_CREATE archive
2 PSEXESVC.exe DATA_EXTEND+FILE_CREATE archive
3 PSEXESVC.exe CLOSE+DATA_EXTEND+FILE_CREATE archive
4 PSEXESVC.EXE-[RANDOM].pf FILE_CREATE archive+not_indexed
5 PSEXESVC.EXE-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
6 PSEXESVC.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed
7 PSEXESVC.exe CLOSE+FILE_DELETE archive

- MFT

# Path Header Flag Validity
1 [Drive Name]:\Windows\Prefetch\PSEXESVC.EXE-[RANDOM].pf FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 PSEXESVC.EXE-[RANDOM].pf PSEXESVC.EXE \VOLUME{[GUID]}\WINDOWS\PSEXESVC.EXE Last Run Time (last execution date and time)

- Packet Capture

# Process Source Host Source Port Number Destination Host Destination Port Number Protocol/Application
1 Session Setup Request, NTLMSSP_AUTH, User: [User Name] [Source Host] [High Port] [Destination Host] 445 SMB2
Session Setup Response [Destination Host] 445 [Source Host] [High Port] SMB2
2 Tree Connect Request Tree: \\[NetBIOS Name of Destination Host]\ADMIN$ [Source Host] [High Port] [Destination Host] 445 SMB2
Tree Connect Request Tree: \\[NetBIOS Name of Destination Host]\IPC$ [Source Host] [High Port] [Destination Host] 445 SMB2
3 Create Request File: PSEXESVC [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: PSEXESVC [Destination Host] 445 [Source Host] [High Port] SMB2
GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: PSEXESVC [Source Host] [High Port] [Destination Host] 445 SMB2
GetInfo Response [Destination Host] 445 [Source Host] [High Port] SMB2
Ioctl Request FSCTL_PIPE_TRANSCEIVE File: PSEXESVC [Source Host] [High Port] [Destination Host] 445 SMB2
Ioctl Response FSCTL_PIPE_TRANSCEIVE File: PSEXESVC [Destination Host] 445 [Source Host] [High Port] SMB2
Write Request Len:[Length] Off:0 File: PSEXESVC [Source Host] [High Port] [Destination Host] 445 SMB2
Write Response [Destination Host] 445 [Source Host] [High Port] SMB2
4 Create Request File: PSEXESVC-[Source Host Name]-[Source Process ID]-stdin [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: PSEXESVC-[Source Host Name]-[Source Process ID]-stdin [Destination Host] 445 [Source Host] [High Port] SMB2
Close Request File: PSEXESVC-[Source Host Name]-[Source Process ID]-stdin [Source Host] [High Port] [Destination Host] 445 SMB2
5 Create Request File: PSEXESVC-[Source Host Name]-[Source Process ID]-stdout [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: PSEXESVC-[Source Host Name]-[Source Process ID]-stdout [Destination Host] 445 [Source Host] [High Port] SMB2
Close Request File: PSEXESVC-[Source Host Name]-[Source Process ID]-stdout [Source Host] [High Port] [Destination Host] 445 SMB2
6 Create Request File: PSEXESVC-[Source Host Name]-[Source Process ID]-stderr [Source Host] [High Port] [Destination Host] 445 SMB2
Create Response File: PSEXESVC-[Source Host Name]-[Source Process ID]-stderr [Destination Host] 445 [Source Host] [High Port] SMB2
Close Request File: PSEXESVC-[Source Host Name]-[Source Process ID]-stderr [Source Host] [High Port] [Destination Host] 445 SMB2
7 Tree Disconnect Request [Source Host] [High Port] [Destination Host] 445 SMB2
Tree Disconnect Response [Destination Host] 445 [Source Host] [High Port] SMB2
8 Session Logoff Request [Source Host] [High Port] [Destination Host] 445 SMB2
Session Logoff Response [Destination Host] 445 [Source Host] [High Port] SMB2

- Remarks