Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1136 | .002 | Create Account: Domain Account |
PsExec has the ability to remotely create accounts on target systems.[3] |
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
PsExec can leverage Windows services to escalate privileges from administrator to SYSTEM with the |
Enterprise | T1570 | Lateral Tool Transfer |
PsExec can be used to download or upload a file over a network share.[4] |
|
Enterprise | T1021 | .002 | Remote Services: SMB/Windows Admin Shares |
PsExec, a tool that has been used by adversaries, writes programs to the |
Enterprise | T1569 | .002 | System Services: Service Execution |
Microsoft Sysinternals PsExec is a popular administration tool that can be used to execute binaries on remote systems using a temporary Windows service.[1] |
ID | Name | References |
---|---|---|
G1017 | Volt Typhoon | |
G0010 | Turla | |
G0114 | Chimera | |
G0006 | APT1 | |
G0076 | Thrip |
Thrip used PsExec to move laterally between computers on the victim’s network.[9] |
G1009 | Moses Staff | |
G0098 | BlackTech | |
G0003 | Cleaver | |
G0105 | DarkVishnya | |
G1032 | INC Ransom | |
G0034 | Sandworm Team | |
G0125 | HAFNIUM | |
G1024 | Akira | |
G0087 | APT39 | |
G1040 | Play | |
G0053 | FIN5 | |
G0037 | FIN6 | |
G0119 | Indrik Spider | |
G0088 | TEMP.Veles | |
G0094 | Kimsuky | |
G0093 | GALLIUM | |
G0016 | APT29 | |
G1003 | Ember Bear |
Ember Bear has used PsExec through frameworks such as Impacket for remote command execution.[36] |
G0008 | Carbanak | |
G0077 | Leafminer | |
G0061 | FIN8 | |
G0117 | Fox Kitten | |
G0035 | Dragonfly | |
G0059 | Magic Hound | |
G0049 | OilRig | |
G0080 | Cobalt Group | |
G0019 | Naikon | |
G0028 | Threat Group-1314 | |
G0045 | menuPass | |
G0102 | Wizard Spider |
ID | Name | Description |
---|---|---|
C0004 | CostaRicto |
During CostaRicto, threat actors used PsExec.[57] |
C0002 | Night Dragon |
During Night Dragon, threat actors used PsExec to remotely execute droppers.[58] |
C0023 | Operation Ghost |
For Operation Ghost, APT29 used PsExec for lateral movement on compromised networks.[35] |
C0014 | Operation Wocao |
During Operation Wocao, threat actors used PsExec to interact with other systems inside the internal network.[59] |