EventPeeker

PsExec & Remote Execution — Lateral Movement via Admin Shares

PsExec is a Sysinternals tool that executes commands on remote systems over SMB using admin shares (ADMIN$, C$). It is widely abused by attackers for lateral movement because it requires no additional software on the target — only valid admin credentials and network access.

Severity

High

ATT&CK Tactic

Lateral Movement

Common attacker usage

  • Executing commands on remote hosts after compromising admin credentials
  • Deploying ransomware or post-exploitation payloads across multiple machines
  • Moving laterally from a compromised workstation to a domain controller
  • Running reconnaissance tools or credential harvesters on target systems
  • Establishing reverse shells on remote machines

Investigate immediately if

  • PSEXESVC service (Event ID 7045) appears on any host
  • 4648 (explicit credential logon) + 7045 in the same session
  • cmd.exe or PowerShell spawned by PSEXESVC or services.exe remotely
  • Admin share access (5140: ADMIN$) from a non-server workstation
  • The same source IP accessing multiple hosts via Type 3 (network) logons in quick succession

MITRE ATT&CK

Technique

T1021.002 · SMB/Windows Admin Shares

Tactic

Lateral Movement


Security Relevance

PsExec leaves a distinctive fingerprint: it copies an executable to the ADMIN$ share, registers it as a service (generating Event ID 7045 with service name PSEXESVC), and executes it. Attackers often rename the binary (PAExec, RemCom, or custom variants) but the service registration pattern persists. Combined with a network logon (4624 Type 3) and explicit credential use (4648), this is among the most reliable lateral movement signatures available in Windows event logs.

Indicators of Malicious Use

  • Event ID 7045: New service named PSEXESVC (or variants: PAExec, RemCom)
  • Service binary path pointing to ADMIN$ or a temp-like path (e.g. %SystemRoot%\PSEXESVC.exe)
  • Event ID 4648: Logon using explicit credentials from an unexpected account or source
  • Event ID 5140: Access to ADMIN$ or C$ share from a workstation IP
  • 4624 Type 3 network logon followed immediately by 7045 service install
  • cmd.exe or powershell.exe with parent process services.exe on the target

Example Log Entry

Log Name: Security
Source:    Microsoft-Windows-Security-Auditing
Event ID:  7045  (System log)

A new service was installed in the system.

Service Name:    PSEXESVC
Service File Name: %SystemRoot%\PSEXESVC.exe
Service Type:    User Mode Service
Service Start Type: Demand start
Service Account:   LocalSystem

Investigation Steps

  1. On the target machine: check Event ID 7045 for PSEXESVC or renamed variants (search for services installed in the ADMIN$ path).
  2. On the target: check Event ID 4624 for Type 3 logons from the source IP around the same time as the service install.
  3. On the source machine: check Event ID 4648 to identify which account was used for the explicit credential logon.
  4. Check Event ID 5140 (network share access) for ADMIN$ access from the source around the same time.
  5. Follow the command the attacker ran: check 4688 on the target for processes spawned by PSEXESVC or services.exe.
  6. Identify the scope — search all hosts for PSEXESVC service installations within the same time window.
  7. Check whether the source machine itself was recently compromised (check for its own 4688 anomalies or 4625 spikes).
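As an added example (not EventPeeker's own code), the correlation behind steps 1, 2 and 4 run over a handful of constructed events: every PsExec-like 7045 (service name or binary path carrying PSEXESVC, PAExec or RemCom) is reported, and rated high only when a Type 3 4624 and an ADMIN$/C$ 5140 on the same host precede it within a short window. The event field names, hostnames, account and IP address are assumptions made for the sample, not values from a real log.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). HOST-B shows the full PsExec
# chain from 10.0.0.5; HOST-D shows a renamed variant with no supporting events;
# HOST-C is an ordinary software install that must not be flagged.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "HOST-B", "id": 4624, "logon_type": 3,
     "src_ip": "10.0.0.5", "account": "CORP\\admin"},
    {"ts": "2024-05-01T10:00:01", "host": "HOST-B", "id": 5140, "share": "\\\\*\\ADMIN$",
     "src_ip": "10.0.0.5", "account": "CORP\\admin"},
    {"ts": "2024-05-01T10:00:02", "host": "HOST-B", "id": 7045, "service": "PSEXESVC",
     "path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-05-01T10:05:00", "host": "HOST-D", "id": 7045, "service": "PAExec-4242-WKS01",
     "path": "C:\\Windows\\PAExec-4242-WKS01.exe"},
    {"ts": "2024-05-01T11:30:00", "host": "HOST-C", "id": 7045, "service": "Backup Agent",
     "path": "C:\\Program Files\\Backup\\agent.exe"},
]

SERVICE_MARKERS = ("PSEXESVC", "PAEXEC", "REMCOM")  # names from the indicator list
WINDOW = timedelta(seconds=60)  # how far back to look for the logon and share access

def is_psexec_like(ev):
    """7045 whose service name or binary path carries a PsExec-family marker."""
    text = (ev.get("service", "") + " " + ev.get("path", "")).upper()
    return ev["id"] == 7045 and any(m in text for m in SERVICE_MARKERS)

def correlate(events):
    """One finding per PsExec-like 7045, rated by the supporting 4624/5140 evidence."""
    parsed = [dict(e, t=datetime.fromisoformat(e["ts"])) for e in events]
    findings = []
    for svc in filter(is_psexec_like, parsed):
        prior = [e for e in parsed if e["host"] == svc["host"]
                 and timedelta(0) <= svc["t"] - e["t"] <= WINDOW]
        logons = [e for e in prior if e["id"] == 4624 and e.get("logon_type") == 3]
        shares = [e for e in prior if e["id"] == 5140
                  and e.get("share", "").upper().endswith(("ADMIN$", "C$"))]
        findings.append({
            "host": svc["host"], "service": svc["service"], "ts": svc["ts"],
            "source_ips": sorted({e["src_ip"] for e in logons + shares}),
            "accounts": sorted({e["account"] for e in logons + shares}),
            # Full chain (network logon + admin share + service install) is high;
            # a lone PsExec-like service install still warrants investigation.
            "confidence": "high" if logons and shares else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

In practice the events would come from the System log (7045) and Security log (4624, 5140) of each host, so a collector has to merge both before running the correlation.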


Common False Positives

  • Legitimate IT use of PsExec for remote administration or software deployment
  • SCCM or other management tools using similar SMB-based remote execution
  • Security teams running PsExec during authorized penetration testing

Remediation

  • Block PsExec and admin shares at the host firewall where not needed (disable File and Printer Sharing on workstations).
  • Restrict admin share access using Windows Firewall rules or network segmentation.
  • Rotate all credentials for the account used in the lateral movement.
  • Audit all hosts that the source machine could have reached and check for PSEXESVC service installs.
  • Implement LAPS (Local Administrator Password Solution) to prevent pass-the-hash lateral movement via local admin accounts.
  • Deploy ASR rule: Block credential stealing from the Windows local security authority subsystem.

Related Event IDs

7045 · Service installed — PSEXESVC or renamed variant is the smoking gun
4648 · Explicit credential logon — how the attacker authenticated to the target
5140 · Network share access — ADMIN$ access precedes PsExec execution
4624 · Successful logon — Type 3 network logon on the target
