Malware · Ransomware · Used by 36 actors

PsExec

PsExec is a legitimate Microsoft Sysinternals remote administration utility that is widely abused by threat actors for remote command execution and lateral movement in Windows environments. The sources aggregated here consistently describe PsExec being used to copy and launch binaries through SMB administrative shares such as ADMIN$ and C$, often by creating the PSEXESVC service or another remote service; Windows System Event ID 7045 (a service was installed in the system) is repeatedly identified as a primary indicator of PsExec-based lateral movement and service installation. The tool can also be run with the -s argument to execute as SYSTEM, and some malware embeds and drops its own copy of PsExec (for example to C:\Temp\psexec.exe).

The sources associate PsExec with ransomware propagation and post-compromise operations by multiple actors and campaigns, including Conti, Black Basta, Akira, LockBit, GOLD SALEM / Storm-2603 during Warlock ransomware intrusions, The Gentlemen ransomware, BlackCat/ALPHV-affiliated activity, and NotPetya. Observed tradecraft includes use alongside Mimikatz, Impacket, WMIC/WMI, WinRM, Cobalt Strike, administrative shares, and Group Policy Objects to spread payloads, execute commands remotely, and encrypt additional systems.

Detection-relevant artifacts mentioned in the sources include the PSEXESVC service, executable staging to administrative SMB shares, renamed PsExec binaries, command lines containing accepteula, paths such as C:\Intel\PsExec.exe and C:\Temp\psexec.exe, and IOC references including PsExec hashes.
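As an added illustration of those artifacts (example code written for this page, not Mallory's or Sysinternals' code), the following Python heuristics flag PSEXESVC installs, service binaries referenced through ADMIN$ or C$, known staging paths and accepteula command lines, including the renamed-binary case; the event field names and the sample records are constructed assumptions, not real telemetry.

```python
import re

# Artifacts named in the write-up: PSEXESVC, binaries staged to admin shares,
# known staging paths (C:\Temp, C:\Intel) and the accepteula switch.
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\]+\\(?:ADMIN\$|C\$)\\", re.I)
STAGING_PATH_RE = re.compile(r"^[A-Z]:\\(?:Temp|Intel)\\", re.I)
ACCEPTEULA_RE = re.compile(r"(?:^|\s)[-/]accepteula(?:\s|$)", re.I)
PSEXEC_IMAGE_RE = re.compile(r"psexec(?:64)?\.exe$", re.I)

# Constructed sample records (field names assumed, not from a real incident).
SAMPLE_EVENTS = [
    {"Host": "ws01", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Host": "ws02", "EventID": 7045, "ServiceName": "tmpsvc",
     "ImagePath": r"\\ws02\ADMIN$\tmpsvc.exe"},
    {"Host": "ws03", "EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},          # benign control
    {"Host": "dc01", "EventID": 1, "Image": r"C:\Temp\svchost_.exe",
     "CommandLine": r"C:\Temp\svchost_.exe \\ws04 -accepteula -s cmd.exe"},
    {"Host": "dc01", "EventID": 1, "Image": r"C:\Tools\PsExec64.exe",
     "CommandLine": r"C:\Tools\PsExec64.exe \\ws05 -accepteula ipconfig"},
]


def psexec_findings(event):
    """Return the list of PsExec-related reasons a single record triggers."""
    reasons = []
    if event.get("EventID") == 7045:  # System log: a service was installed
        name, path = event.get("ServiceName", ""), event.get("ImagePath", "")
        if name.upper() == "PSEXESVC" or "PSEXESVC" in path.upper():
            reasons.append("PSEXESVC service installed")
        if ADMIN_SHARE_RE.search(path):
            reasons.append("service binary referenced via ADMIN$/C$ share")
        if STAGING_PATH_RE.search(path):
            reasons.append("service binary in known staging path")
    cmd = event.get("CommandLine", "")  # Sysmon 1 / Security 4688 style field
    if ACCEPTEULA_RE.search(cmd):
        reasons.append("accepteula switch on command line")
        if not PSEXEC_IMAGE_RE.search(event.get("Image", "")):
            reasons.append("PsExec switch from non-PsExec image (renamed binary?)")
    return reasons


def analyze(events):
    """Keep only the records that trigger at least one heuristic."""
    return [{"Host": e["Host"], "EventID": e["EventID"], "reasons": r}
            for e in events if (r := psexec_findings(e))]
```

Calling analyze(SAMPLE_EVENTS) returns four hits (the Sysmon64 install on ws03 is dropped), and the first dc01 record carries both the accepteula and the renamed-binary reasons.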

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

36 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Storm-2603

Microsoft also observed the use of PsExec and Impacket for lateral movement and the use of Group Policy Objects (GPO) to deploy the Warlock payload.

via Sophos threat research (news.sophos.com)
BlackCat

C:\Intel\PsExec.exe ... PsExec

via Sygnia (sygnia.co)
Twelve

Prominent among the other tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation.

via The Hacker News (thehackernews.com)
warlock_group

GOLD SALEM has been observed using PsExec and Impacket (WMI) for lateral movement within compromised environments.

via Secureworks threat profiles (secureworks.com)
APT29

"...publicly available utilities like PsExec, to move laterally within compromised networks."

via Picus Security blog (picussecurity.com)
Storm-0506

"The actor was also observed to use PsExec to encrypt devices that are not hosted on the ESXi hypervisor."

via Microsoft Security blog (microsoft.com)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1078 Valid Accounts (evidence: 1)

We are given initial access with credentials jdoe \ Summer2026!

T1078.002 Domain Accounts (evidence: 1)

GPP XML artifacts revealing DSSAT domain-admin accounts, including Admin_APS4, SCCMSystemgroup and CMClientPushSrv; use of RCIVIL\maturano credentials for PsExec lateral movement.

T1133 External Remote Services (evidence: 2)

[*] 192.168.159.10:445 - Connecting to the server... [*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...

Execution

2 techniques
T1059.003 Windows Command Shell (evidence: 1)

About three weeks after the initial compromise of the network, the attackers were seen using a command prompt and PsExec for lateral movement.

T1569.002 Service Execution (evidence: 3)

Use the new service executable template technique ... /out:template_x64_windows_svc.exe ... exploit(windows/smb/psexec) ... [*] 192.168.159.10:445 - Uploading payload... PBBcIdul.exe ... [+] 192.168.159.10:445 - Service started successfully...

Persistence

4 techniques
T1078 Valid Accounts (evidence: 1)

We are given initial access with credentials jdoe \ Summer2026!

T1078.002 Domain Accounts (evidence: 1)

GPP XML artifacts revealing DSSAT domain-admin accounts, including Admin_APS4, SCCMSystemgroup and CMClientPushSrv; use of RCIVIL\maturano credentials for PsExec lateral movement.

T1133 External Remote Services (evidence: 2)

[*] 192.168.159.10:445 - Connecting to the server... [*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...

T1543.003 Windows Service (evidence: 2)

What Windows Event ID in the System log indicates a new service has been installed? 7045

Privilege Escalation

3 techniques
T1078 Valid Accounts (evidence: 1)

We are given initial access with credentials jdoe \ Summer2026!

T1078.002 Domain Accounts (evidence: 1)

GPP XML artifacts revealing DSSAT domain-admin accounts, including Admin_APS4, SCCMSystemgroup and CMClientPushSrv; use of RCIVIL\maturano credentials for PsExec lateral movement.

T1543.003 Windows Service (evidence: 2)

What Windows Event ID in the System log indicates a new service has been installed? 7045

Stealth

2 techniques
T1078 Valid Accounts (evidence: 1)

We are given initial access with credentials jdoe \ Summer2026!

T1078.002 Domain Accounts (evidence: 1)

GPP XML artifacts revealing DSSAT domain-admin accounts, including Admin_APS4, SCCMSystemgroup and CMClientPushSrv; use of RCIVIL\maturano credentials for PsExec lateral movement.

Credential Access

1 technique
T1003.002 Security Account Manager (evidence: 1)

One such utility is reg.exe, which allows administrators to interact with the Registry hives. This utility can be used to 'dump' or save copies of the Registry hive files... This command is then repeated for the Software and SAM Registry hives.

Lateral Movement

4 techniques
T1021 Remote Services (evidence: 12)

T1021 Remote Services: native remote services are abused for lateral movement. LoTL usage: FIN7 used PsExec across banking networks; Carbanak relied on RDP and SMB for internal spread.

T1021.002 SMB/Windows Admin Shares (evidence: 20)

ls \\192.168.13.100\C$\Users\Administrator\Desktop
cat \\192.168.13.100\C$\Users\Administrator\Desktop\flag5.txt

What Event ID in the System log is the primary indicator of PsExec-based lateral movement? 7045

T1550.002 Pass the Hash (evidence: 1)

What technique allows you to authenticate using an NTLM hash without knowing the plaintext password? Pass-the-Hash

T1570 Lateral Tool Transfer (evidence: 5)

Makop ransomware operators extensively use off-the-shelf open-source and freeware tools to conduct lateral movement and system discovery.

Other

1 technique
T1562 Impair Defenses (evidence: 1)

The attackers typically use them to try to disable AV products.

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type          Value               Latest sighting
domain        (value withheld)    11 days ago
hash.sha256   (value withheld)    3 years ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (2)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (36)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (12)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.