Psexecsvcpy Detection

// Detecting psexecsvc.py // https://sensepost.com/blog/2025/psexecing-the-right-way-and-why-zero-trust-is-mandatory/ // https://github.com/sensepost/susinternals let QueryPeriod = 1h; let DeviceWithPSEXECSVC = DeviceFileEvents | where Timestamp > ago(QueryPeriod) | where FolderPath has "\\ADMIN$" | where ActionType == "FileCreated" | where FileName has "PSEXECSVC" | project DeviceId; DeviceEvents | where Timestamp > ago(QueryPeriod) | where ActionType == "ServiceInstalled" | where parse_json(AdditionalFields)["ServiceName"] has "PSEXECSVC" or InitiatingProcessVersionInfoOriginalFileName == "PSEXECSVC1.9.exe" | where DeviceId has_any(DeviceWithPSEXECSVC)

Explanation

This query is designed to detect the use of a tool called "psexecsvc.py," which is often associated with remote execution activities. Here's a simplified explanation of what the query does:

Define a Time Frame: The query looks at events that occurred within the last hour (QueryPeriod = 1h).
Identify Devices with PSEXECSVC File Creation:
- It searches for file events where a file was created in the \\ADMIN$ folder.
- Specifically, it looks for files with names containing "PSEXECSVC."
- It collects the IDs of devices where such file creation events occurred (DeviceWithPSEXECSVC).
Detect Service Installation Events:
- It examines service installation events within the same time frame.
- It checks if the service name in the additional fields contains "PSEXECSVC" or if the initiating process's original file name is "PSEXECSVC1.9.exe."
- It filters these events to only include those occurring on devices identified in the previous step (DeviceWithPSEXECSVC).

In essence, the query is looking for evidence of the "psexecsvc.py" tool being used on devices by checking for specific file creation and service installation patterns.

KQL Search

Psexecsvcpy Detection

Query

Explanation

Details

Actions