AhnLab EPP

Last updated Dec 2, 2025

PsExec Detected

Detects attempts to execute PsExec in AhnLab EPP V3 malware alert logs.

Query

The AhnLab V3 antivirus engine reports PsExec execution attempts under signatures such as Downloader/LNK.PsExec. The rule therefore extracts every V3 malware alert whose signature field contains the string PsExec, using a wildcard match so that any variant of the signature name is caught.

| search signature == "*PsExec*"

Message

  • PsExec Detected: Host $host_ip, Malware $signature

Output Field Order

  • _log_time, hostname, host_ip, emp_name, dept_name, signature, file_path, file_status, md5
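The detection logic above (wildcard match on the signature field, the alert message, and the output field order) as an added worked example run over constructed alert records; this is illustrative code, not part of the rule as published or AhnLab's own tooling. The JSON-lines layout of the sample records and the optional approved_hosts tuning list are assumptions made here for illustration; real EPP collectors may deliver the fields in a different format.

```python
import fnmatch
import json

# Field order the rule emits, taken from the Output Field Order section.
OUTPUT_FIELD_ORDER = [
    "_log_time", "hostname", "host_ip", "emp_name", "dept_name",
    "signature", "file_path", "file_status", "md5",
]

# Same wildcard the rule uses: | search signature == "*PsExec*"
SIGNATURE_PATTERN = "*PsExec*"

# Constructed sample AhnLab EPP V3 malware alert records (not real telemetry),
# one JSON object per line. Signature names other than Downloader/LNK.PsExec
# are made up for the example. The last line is deliberately malformed.
SAMPLE_ALERT_LOG = r"""
{"_log_time": "2025-12-02 09:14:03", "hostname": "WS-1042", "host_ip": "10.20.31.42", "emp_name": "J. Kim", "dept_name": "Sales", "signature": "Downloader/LNK.PsExec", "file_path": "C:\\Users\\jkim\\Downloads\\invoice.lnk", "file_status": "Quarantined", "md5": "0123456789abcdef0123456789abcdef"}
{"_log_time": "2025-12-02 09:15:11", "hostname": "WS-1043", "host_ip": "10.20.31.43", "emp_name": "S. Park", "dept_name": "Sales", "signature": "Trojan/Win.Generic", "file_path": "C:\\Users\\spark\\AppData\\Local\\Temp\\setup.exe", "file_status": "Deleted", "md5": "fedcba9876543210fedcba9876543210"}
{"_log_time": "2025-12-02 09:16:40", "hostname": "WS-2210", "host_ip": "10.20.32.10", "emp_name": "H. Lee", "dept_name": "Finance", "signature": "HackTool/Win.psexec", "file_path": "C:\\Temp\\ps.exe", "file_status": "Quarantined", "md5": "11111111111111111111111111111111"}
{"_log_time": "2025-12-02 09:20:05", "hostname": "IT-OPS-01", "host_ip": "10.20.31.5", "emp_name": "IT Ops", "dept_name": "IT", "signature": "Downloader/LNK.PsExec", "file_path": "D:\\Tools\\PsExec.exe", "file_status": "Allowed", "md5": "22222222222222222222222222222222"}
this line is not JSON {
"""


def signature_matches(signature, pattern=SIGNATURE_PATTERN):
    """Glob match of the signature field against the rule's wildcard.

    Case folding is an assumption made in this example so that a signature
    spelled "psexec" or "PSEXEC" is not missed; the rule as published does
    not state how its wildcard comparison treats case.
    """
    return fnmatch.fnmatchcase(signature.lower(), pattern.lower())


def parse_alert_log(text):
    """Parse JSON-lines alert records, skipping blank and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line must not abort the whole batch
        if isinstance(rec, dict):
            records.append(rec)
    return records


def detect_psexec(records, approved_hosts=()):
    """Return (message, ordered_row) for every alert whose signature matches.

    approved_hosts: host_ip values of IT operations machines whose PsExec
    use is pre-approved. This is a hypothetical tuning knob added here for
    the False Positive case; it is not part of the published rule.
    """
    hits = []
    for rec in records:
        signature = rec.get("signature", "")
        if not signature_matches(signature):
            continue
        if rec.get("host_ip") in approved_hosts:
            continue
        # Message format from the rule: "PsExec Detected: Host $host_ip, Malware $signature"
        message = f"PsExec Detected: Host {rec.get('host_ip', '')}, Malware {signature}"
        row = [rec.get(field, "") for field in OUTPUT_FIELD_ORDER]
        hits.append((message, row))
    return hits


if __name__ == "__main__":
    for message, row in detect_psexec(parse_alert_log(SAMPLE_ALERT_LOG)):
        print(message)
        print("  " + " | ".join(row))
```

Run as-is the block flags three of the four records (the Trojan/Win.Generic alert is ignored); passing approved_hosts=("10.20.31.5",) drops the IT-OPS-01 alert and leaves the two user-endpoint hits, which is the tuning the False Positive section describes. Keep any such allow list narrow and tied to named hosts, since an attacker who lands on an IT operations machine inherits its exemption.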

Threat Analysis

  • PsExec provides remote command execution and service creation capabilities: it copies its service binary to the target's ADMIN$ share over SMB and installs a temporary service (PSEXESVC) that runs the supplied command, optionally as SYSTEM. An attacker who has compromised an internal endpoint can use it for remote code execution (RCE), privilege escalation, and lateral movement.
  • Ransomware groups have been observed using PsExec to distribute payloads simultaneously to multiple systems within the same network.
  • When PsExec activity is detected by AhnLab V3, it indicates that malicious actions may already be occurring within the internal network and requires immediate investigation.

False Positive

  • IT operations teams may legitimately use PsExec for remote troubleshooting, software deployment, or maintenance tasks.
  • However, PsExec usage is extremely rare on general user endpoints, so the likelihood of false positives is low.

Response Actions

  • Verify whether the PsExec execution attempt was part of an approved task, and review the initiating account’s IP address and command execution history.
  • If the PsExec activity was not authorized, isolate the affected endpoint and investigate for potential administrator account compromise.
  • Analyze related events occurring around the same time on both the source and the target hosts, such as remote service creation (for example the PSEXESVC service recorded as Windows System event ID 7045), suspicious process execution, or unusual network connections, and compare the reported md5 against known PsExec builds.
  • Strengthen EDR/firewall policies to block PsExec execution if necessary, and review organizational guidelines for remote administration tools.

MITRE ATT&CK