PsExec Usage
PS Exec Executions
Query
DeviceProcessEvents
// Collect all executed psexec commands
| where ProcessCommandLine contains "psexec.exe"
// Extract the remove device
| extend RemoteDevice = extract(@'\\\\(.*)c:', 1, ProcessCommandLine)
// If in your device onboarding Enable-PsRemoting is executed filter the line below
//| where not(ProcessCommandLine has_all ('powershell -command "Enable-PsRemoting -Force"', 'psexec.exe'))
// Collect stats and lists with remote devices and executed commands
| summarize TotalRemoteDevices = dcount(RemoteDevice), RemoteDeviceList = make_set(RemoteDevice), ExecutedCommands = make_set(ProcessCommandLine) by DeviceName
| sort by TotalRemoteDevicesAbout this query
Explanation
This query is designed to help investigate the use of the PsExec tool, which is used to execute commands on remote devices. While PsExec can be used legitimately by system administrators, it can also be exploited by attackers for malicious purposes. The query aims to identify all instances where PsExec has been executed, focusing on the devices that initiated these remote commands.
Here's a simplified breakdown of what the query does:
-
Data Source: It looks at
DeviceProcessEvents, which logs process-related activities on devices. -
Identify PsExec Usage: The query filters for any command lines that include "psexec.exe", indicating the use of the PsExec tool.
-
Extract Remote Device Information: It extracts the names of the remote devices that were targeted by PsExec commands.
-
Optional Filtering: There's an optional filter to exclude cases where PsExec is used in conjunction with enabling PowerShell remoting (
Enable-PsRemoting), which might be part of legitimate administrative tasks. -
Summarize Findings: The query summarizes the data by listing:
- The total number of unique remote devices accessed by each initiating device.
- A list of these remote devices.
- The specific commands executed using PsExec.
-
Sort Results: Finally, it sorts the results based on the number of remote devices accessed, which can help prioritize investigation efforts.
This query is a hunting tool, not a detection rule, meaning it's intended to help analysts start an investigation into why a device is using PsExec, potentially uncovering unauthorized or suspicious activity.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators