PsExec
PsExec is a legitimate Microsoft Sysinternals remote administration utility that is frequently abused by threat actors for remote command execution and lateral movement in Windows environments. Across the provided content, it is repeatedly associated with SMB/administrative share usage, remote service creation and execution, lateral tool transfer, and installation of the PSEXESVC service. It is commonly used alongside credential theft tools such as Mimikatz and with WMI/WMIC or Impacket after initial access via phishing, exploitation of public-facing applications, stolen VPN credentials, or other footholds.
The content shows PsExec used broadly in ransomware intrusions and enterprise compromises. Multiple ransomware operators and affiliates are described using PsExec for lateral movement and remote deployment, including BlackCat/ALPHV affiliates, Interlock, The Gentlemen, Storm-2603, and other RaaS actors. Reported use cases include copying and executing ransomware via batch scripts, encrypting remote Windows devices, deploying payloads through administrative shares, and distributing malware or ransomware through services or Group Policy. The Gentlemen ransomware notably embeds or drops PsExec, stages it to C:\Temp\psexec.exe, and when spreading is enabled attempts numerous remote execution operations per target using PsExec, WMIC, scheduled tasks, services, PowerShell remoting, and WMI. Interlock used hardcoded PsExec commands with compromised domain administrator credentials for large-scale ransomware deployment. Storm-2603 used PsExec with Impacket and WMI after exploiting on-premises SharePoint vulnerabilities, then distributed Warlock ransomware via Group Policy Objects.
The content also ties PsExec to destructive and worm-like malware behavior. NotPetya contained an embedded PsExec tool and used stolen credentials with PsExec and WMIC to propagate laterally across internal Windows networks after initial distribution through the compromised MeDoc update mechanism. In other intrusions, actors installed the PSEXESVC service on multiple servers, dropped PsExec binaries to paths such as C:\Intel\PsExec.exe, or used renamed copies to evade detection.
Associated threat actors and groups explicitly mentioned in connection with PsExec include FIN6, Silence, Storm-2603, GOLD SALEM, Volt Typhoon-related tradecraft references, BlackCat/ALPHV affiliates, and multiple ransomware crews such as LockBit, BlackByte, Ryuk, Royal, Akira, and others in ATT&CK-style mappings and detection content. The content also notes that modified or renamed versions of PsExec have been used, including by Silence, and that defenders monitor for renamed PsExec execution and first-time execution with the accepteula flag.
High-confidence indicators and forensic artifacts directly mentioned include the PSEXESVC service, dropped binaries at C:\Temp\psexec.exe and C:\Intel\PsExec.exe, executable staging to ADMIN$, C$, and IPC$ shares, and IOC references containing PsExec hashes. Detection-relevant telemetry cited in the content includes Windows Security Event ID 5145 for executable writes to administrative SMB shares, Event ID 4624 Type 3 network logons, Event ID 4688 and Sysmon Event ID 1 for process creation, and process metadata where the original file name remains PsExec even if the executable has been renamed.
Groups observed using it
36 distinct threat actors attributed by public researchers.
The actor moves laterally using PsExec and the Impacket toolkit, executing commands using Windows Management Instrumentation (WMI).
Prominent among the other tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation.
GOLD SALEM has been observed using PsExec and Impacket (WMI) for lateral movement within compromised environments.
"...publicly available utilities like PsExec, to move laterally within compromised networks."
"The actor was also observed to use PsExec to encrypt devices that are not hosted on the ESXi hypervisor."
Microsoft Sysinternals PsExec is a popular administration tool that can be used to execute binaries on remote systems using a temporary Windows service.
Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassView, Mimikatz, and PsExec.
FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.
Silence has obtained and modified versions of publicly-available tools like Empire and PsExec.
The following analytic identifies instances where PsExec.exe has been renamed and executed on an endpoint. ... renaming PsExec.exe is a common tactic to evade detection. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access, lateral movement, or further compromise of the network.
The following analytic identifies the execution of PsExec.exe with the accepteula flag in the command line... PsExec is commonly used by threat actors to execute code on remote systems... potentially leading to further system compromise and lateral movement within the network.
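As an added example (not code from the page's sources or from Mallory), the following Python runs the two analytics quoted above (renamed PsExec, and first-time execution with the accepteula flag) together with the telemetry named in the summary (Event ID 5145 executable writes to ADMIN$ or C$, correlated with a preceding Event ID 4624 type 3 network logon) over constructed sample events. The record field names, the sample events, and the five-minute correlation window are assumptions of this example; the OriginalFileName value `psexec.c` is the one the Sysinternals PsExec version resource actually carries, and `psexec.exe` is accepted as well.

```python
"""PsExec detection logic over constructed sample telemetry (example only)."""
from __future__ import annotations

import ntpath
import re
from datetime import datetime, timedelta

PSEXEC_NAMES = {"psexec.exe", "psexec64.exe"}
# The Sysinternals PsExec binary's version resource reports OriginalFilename
# "psexec.c"; "psexec.exe" is accepted too in case a build reports it.
PSEXEC_ORIGINAL_NAMES = {"psexec.c", "psexec.exe"}
ACCEPTEULA = re.compile(r"(?:^|\s)[-/]accepteula\b", re.IGNORECASE)

# Constructed sample events (assumed field names; not from any real incident).
# kind: sysmon1 / 4688 = process creation, 4624 = logon, 5145 = share access.
SAMPLE_EVENTS = [
    {"kind": "4624", "time": "2024-06-01T09:00:00", "host": "SRV01",
     "logon_type": 3, "src_ip": "10.0.0.25", "user": "CORP\\admin1"},
    {"kind": "5145", "time": "2024-06-01T09:00:02", "host": "SRV01",
     "share": "\\\\*\\ADMIN$", "target": "PSEXESVC.exe", "access_mask": "0x2",
     "src_ip": "10.0.0.25", "user": "CORP\\admin1"},
    {"kind": "5145", "time": "2024-06-01T09:00:03", "host": "SRV01",
     "share": "\\\\*\\IPC$", "target": "svcctl", "access_mask": "0x12019f",
     "src_ip": "10.0.0.25", "user": "CORP\\admin1"},
    {"kind": "sysmon1", "time": "2024-06-01T09:00:01", "host": "WS07",
     "image": "C:\\Intel\\update.exe", "original_file_name": "psexec.c",
     "command_line": "update.exe -accepteula \\\\SRV01 cmd", "user": "CORP\\admin1"},
    {"kind": "4688", "time": "2024-06-01T11:30:00", "host": "WS02",
     "image": "C:\\Tools\\PsExec.exe", "original_file_name": "psexec.c",
     "command_line": "PsExec.exe -accepteula \\\\FS01 ipconfig", "user": "CORP\\helpdesk"},
    {"kind": "4688", "time": "2024-06-01T11:45:00", "host": "WS02",
     "image": "C:\\Tools\\PsExec.exe", "original_file_name": "psexec.c",
     "command_line": "PsExec.exe \\\\FS01 ipconfig", "user": "CORP\\helpdesk"},
    {"kind": "5145", "time": "2024-06-01T12:00:00", "host": "SRV02",
     "share": "\\\\*\\C$", "target": "Users\\bob\\report.docx", "access_mask": "0x2",
     "src_ip": "10.0.0.40", "user": "CORP\\bob"},
]


def _is_process_event(ev: dict) -> bool:
    return ev["kind"] in ("sysmon1", "4688")


def _looks_like_psexec(ev: dict) -> bool:
    """True if either the on-disk name or the PE metadata says PsExec."""
    base = ntpath.basename(ev.get("image", "")).lower()
    return base in PSEXEC_NAMES or ev.get("original_file_name", "").lower() in PSEXEC_ORIGINAL_NAMES


def detect_renamed_psexec(events: list[dict]) -> list[tuple[str, str]]:
    """Renamed-PsExec analytic: PE OriginalFileName is PsExec but the image name is not."""
    hits = []
    for ev in filter(_is_process_event, events):
        base = ntpath.basename(ev["image"]).lower()
        if ev.get("original_file_name", "").lower() in PSEXEC_ORIGINAL_NAMES and base not in PSEXEC_NAMES:
            hits.append((ev["host"], ev["image"]))
    return hits


def detect_first_accepteula(events: list[dict]) -> list[tuple[str, str, str]]:
    """First execution per host of a PsExec-looking binary with the accepteula flag."""
    seen: set[str] = set()
    hits = []
    for ev in sorted(filter(_is_process_event, events), key=lambda e: e["time"]):
        if not _looks_like_psexec(ev) or not ACCEPTEULA.search(ev.get("command_line", "")):
            continue
        if ev["host"] not in seen:  # only the first sighting per host is reported
            seen.add(ev["host"])
            hits.append((ev["host"], ev["user"], ev["command_line"]))
    return hits


def detect_admin_share_exe_writes(events: list[dict], window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """5145 .exe writes into ADMIN$ or C$, correlated with a 4624 type-3 logon from the same source."""
    logons = [e for e in events if e["kind"] == "4624" and e.get("logon_type") == 3]
    hits = []
    for ev in events:
        if ev["kind"] != "5145":
            continue
        share = ev["share"].upper().rsplit("\\", 1)[-1]
        target = ev["target"].lower()
        if share not in ("ADMIN$", "C$") or not target.endswith(".exe"):
            continue  # IPC$ pipe access and non-executables are not staging writes
        t = datetime.fromisoformat(ev["time"])
        correlated = any(
            l["host"] == ev["host"] and l["src_ip"] == ev["src_ip"]
            and timedelta(0) <= t - datetime.fromisoformat(l["time"]) <= window
            for l in logons
        )
        hits.append({"host": ev["host"], "src_ip": ev["src_ip"], "share": share, "file": ev["target"],
                     "psexesvc": target == "psexesvc.exe", "network_logon_seen": correlated})
    return hits


if __name__ == "__main__":
    print("renamed PsExec:", detect_renamed_psexec(SAMPLE_EVENTS))
    print("first accepteula per host:", detect_first_accepteula(SAMPLE_EVENTS))
    print("admin-share exe writes:", detect_admin_share_exe_writes(SAMPLE_EVENTS))
```

On the constructed input the renamed-binary check fires only for `C:\Intel\update.exe`, the accepteula check fires once per host (the second helpdesk run without the flag is ignored), and the share check reports the `PSEXESVC.exe` write to ADMIN$ with a matching network logon two seconds earlier, while the IPC$ pipe access and the C$ document write are filtered out. In production the three functions would be fed from Security and Sysmon logs rather than the inline list.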
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
3 techniques
Adversaries may upload tools to third-party or adversary-controlled infrastructure to make it accessible during targeting.
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Initial Access
2 techniques
T1078.003 - Valid Accounts: Local Accounts
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Typical chain: Exploit Public-Facing Application (T1190) or phishing, then Mimikatz + PsExec for lateral movement, then encryption.
Execution
4 techniques
Before attempting to run the payload on a remote system, the malware executes the following PowerShell command on the remote target to weaken local defenses... disables Microsoft Defender real-time monitoring, adds broad Defender exclusions, turns off Windows Firewall across all profiles...
Deployment of a batch script named 123.bat was observed on multiple hosts and was deployed via PsExec.
Enterprise T1569 System Services ... enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running.
Additionally, PSEXESVC.exe was installed on multiple servers.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
2 techniques
T1078.003 - Valid Accounts: Local Accounts
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
The malware binary carries an embedded copy of PsExec and drops it to C:\Temp\psexec.exe... If the embedded PsExec payload cannot be extracted successfully, the malware falls back to downloading PsExec directly from Microsoft’s Sysinternals Live service.
Lateral Movement
3 techniques
The worm systematically attempts 21 distinct remote execution operations against each discovered network host. It relies on diverse utilities including PsExec, WMIC, and remote PowerShell commands.
Play ransomware actors use command-and-control applications such as Cobalt Strike and SystemBC and tools including PsExec to help with lateral movement and file execution.
Lateral Tool Transfer [T1570]: Primarily correlates to the use of PsExec, which is a legitimate Windows administrative tool. Threat actors leverage this tool to move laterally or to mass deploy malware across multiple machines.
Command and Control
2 techniques
We tried to invoke a notification that would install PsExec using Winget on click. And…it worked! Winget was launched with our command-line switches and installed a program of our choosing.
Impact
1 technique
Ransomware was deployed to the estate and impacted both servers and end-user devices.
Other
1 technique
Recent activity
47 sources tracked across advisories, community write-ups, and news.
Legitimate remote execution utility abused for lateral movement and, in the described attack chain, for spreading ransomware.
Legitimate Sysinternals remote execution tool embedded and used by The Gentlemen to execute payloads remotely during lateral movement and propagation.
A remote execution tool used for lateral movement in ransomware operations.
PsExec was used for remote command execution and lateral movement across multiple servers by installing the PSEXESVC service.