```yaml
title: Remote PsExec Service Execution
id: edr-win-lat-remote-psexec
status: stable
description: >
  Detects child process spawning from PSEXESVC.exe — the PsExec service-side component
  that runs on target systems during remote execution. When PsExec is used for lateral
  movement, PSEXESVC.exe is the parent of all remotely executed commands on the target.
references:
  - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
  - https://thedfirreport.com/2024/08/26/blacksuit-ransomware/
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.lateral_movement
  - attack.execution
  - attack.t1021.002
  - attack.t1569.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\psexesvc.exe'
  filter_local:
    ParentImage|endswith: '\psexec.exe'
  filter_service:
    Image|endswith: '\net.exe'
    CommandLine|contains:
      - 'start'
      - 'stop'
  condition: selection and not filter_local and not filter_service
falsepositives:
  - System administrators using PsExec for remote management
  - Software deployment tools leveraging PsExec
level: low
```
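As an added example that is not part of the rule file above, the evaluator below applies the rule's `selection`, `filter_local`, `filter_service` and `condition` to a few constructed process_creation events (not real telemetry), matching the Sigma string modifiers case-insensitively as a Sigma backend would:

```python
# Added example: minimal evaluator for the "Remote PsExec Service Execution"
# rule, run over constructed process_creation events. Not part of the rule file.
from typing import Dict, List

Event = Dict[str, str]


def _endswith(event: Event, field: str, suffix: str) -> bool:
    # Sigma |endswith is case-insensitive by default
    return event.get(field, "").lower().endswith(suffix.lower())


def _contains_any(event: Event, field: str, needles: List[str]) -> bool:
    # A list under |contains is an OR of its values
    value = event.get(field, "").lower()
    return any(n.lower() in value for n in needles)


def selection(event: Event) -> bool:
    return _endswith(event, "ParentImage", r"\psexesvc.exe")


def filter_local(event: Event) -> bool:
    return _endswith(event, "ParentImage", r"\psexec.exe")


def filter_service(event: Event) -> bool:
    # Map entries within one selection are ANDed together
    return _endswith(event, "Image", r"\net.exe") and _contains_any(
        event, "CommandLine", ["start", "stop"]
    )


def matches(event: Event) -> bool:
    # condition: selection and not filter_local and not filter_service
    return selection(event) and not filter_local(event) and not filter_service(event)


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": r"C:\Windows\PSEXESVC.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c hostname"},                       # fires
    {"ParentImage": r"C:\Windows\PSEXESVC.exe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net start spooler"},                         # suppressed by filter_service
    {"ParentImage": r"C:\Tools\PsExec.exe", "Image": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": "PSEXESVC.exe"},                              # not a selection hit
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                                   # not a selection hit
]


def alerts(events: List[Event]) -> List[Event]:
    return [e for e in events if matches(e)]
```

Running it against the sample set shows that only the `net start`/`net stop` exclusion does any suppression: as written, `filter_local` can never exclude a `selection` hit, because a ParentImage cannot end with both `\psexesvc.exe` and `\psexec.exe`.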