PsExec is a Sysinternals command-line tool that lets you execute processes on remote systems and redirects a console application's input and output to the local system, so the application appears to be running locally. It allows administrators to run programs on local and, more commonly, remote computers. Given the address of a target host and credentials for an account with local administrator rights on it, you can run arbitrary commands on that machine.
The tool works only when File and Printer Sharing (SMB, TCP 445) is enabled on both the local and the remote computer, and when the remote machine exposes its default ADMIN$ administrative share, which maps to its \Windows folder: PsExec copies its service binary, PSEXESVC.exe, into that share, installs and starts it as a service, and exchanges the command's input and output with it over a named pipe. It supports all versions of Windows since Windows XP.
Adversaries use PsExec for lateral movement because it executes with the target's administrative credentials and its footprint is recognizable: a PSEXESVC service installation on the remote host and child processes whose parent image is PSEXESVC.exe. With this free Sigma rule you can detect PsExec being used to enable Remote Desktop, which is done by setting the fDenyTSConnections value under the Terminal Server key to 0 (1 denies RDP connections).
title: Using PsExec to enable RDP
description: PsExec is a tool published by Microsoft (Sysinternals) that can be used to perform lateral movement. With this rule you can detect PsExec activity that tries to enable RDP by running reg.exe to set fDenyTSConnections to 0.
# logsource is not shown on the original page; process_creation is the standard Sigma source for CommandLine fields (Sysmon event 1 / Security 4688)
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
    condition: selection
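The rule above matches one literal command line, so it misses trivial variants: the HKLM short form of the key, switches in a different order, or the data written as hex (0x0). The following is an added example, not code from the original post, that replays the same detection over constructed process-creation events (Sysmon event 1 / Security 4688 style field names, as Sigma's windows/process_creation logsource uses them). It parses the reg add command instead of string-matching it, and adds a parent-image check for PSEXESVC.exe that is my assumption, not part of the page's rule.

```python
"""Replay the 'PsExec enables RDP' detection over constructed process-creation events.

Added example, not the original post's code. Field names follow Sigma's
windows/process_creation logsource; the sample events are constructed, not real logs.
"""
import shlex

# Registry key whose fDenyTSConnections value controls whether RDP connections are denied.
TERMINAL_SERVER_KEY = r"hklm\system\currentcontrolset\control\terminal server"

# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {   # the case the rule targets: reg.exe spawned by the PsExec service binary
        "ParentImage": r"C:\Windows\PSEXESVC.exe",
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": (r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                        r'/v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    },
    {   # same change with the HKLM short form, hex data and reordered switches, typed in cmd.exe
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": (r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                        r'/d 0x0 /v fDenyTSConnections /t REG_DWORD /f'),
    },
    {   # disabling RDP (data 1) via PsExec: must not fire
        "ParentImage": r"C:\Windows\PSEXESVC.exe",
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": (r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                        r'/v fDenyTSConnections /t REG_DWORD /d 1 /f'),
    },
    {   # unrelated PsExec child process: must not fire
        "ParentImage": r"C:\Windows\PSEXESVC.exe",
        "Image": r"C:\Windows\System32\whoami.exe",
        "CommandLine": "whoami /all",
    },
]

REG_OPTS_WITH_VALUE = {"/v", "/t", "/d", "/s"}          # reg add switches that take an argument
REG_OPTS_BARE = {"/ve", "/f", "/reg:32", "/reg:64"}    # switches that take none


def parse_reg_add(cmdline):
    """Parse 'reg add <key> [/v name] [/t type] [/d data] [/f]' in any switch order.

    Returns (key, options) or None when the line is not a reg add command.
    shlex in non-POSIX mode keeps Windows backslashes literal and keeps the
    quoted key (which contains a space) as one token; quotes are stripped after.
    """
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:                      # unbalanced quotes
        return None
    if len(tokens) < 3:
        return None
    exe = tokens[0].strip('"').lower()
    if exe not in ("reg", "reg.exe") and not exe.endswith("\\reg.exe"):
        return None
    if tokens[1].lower() != "add":
        return None
    key = tokens[2].strip('"')
    opts, i = {}, 3
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch in REG_OPTS_WITH_VALUE and i + 1 < len(tokens):
            opts[switch] = tokens[i + 1].strip('"')
            i += 2
        elif switch in REG_OPTS_BARE:
            opts[switch] = True
            i += 1
        else:
            return None                     # unknown switch: do not guess
    return key, opts


def enables_rdp(cmdline):
    """True if the command sets fDenyTSConnections to 0 under the Terminal Server key."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return False
    key, opts = parsed
    key = key.lower().replace("hkey_local_machine", "hklm")
    if key != TERMINAL_SERVER_KEY:
        return False
    if opts.get("/v", "").lower() != "fdenytsconnections":
        return False
    try:
        return int(opts.get("/d", ""), 0) == 0   # reg add /d accepts decimal or 0x hex
    except ValueError:
        return False


def classify(event):
    """Apply the selection, then attribute the hit to its parent process.

    Returns None (no match), 'psexec' (parent is PSEXESVC.exe, the PsExec
    service binary) or 'other'. The parent check is an assumption added here;
    the page's Sigma rule matches on CommandLine alone.
    """
    if not enables_rdp(event.get("CommandLine", "")):
        return None
    parent = event.get("ParentImage", "").lower()
    return "psexec" if parent.endswith("\\psexesvc.exe") else "other"


def run(events=SAMPLE_EVENTS):
    """Classify every event; returns ['psexec', 'other', None, None] for the samples."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run()):
        print(f"{str(verdict):7} {event['ParentImage']} -> {event['CommandLine']}")
```

Two caveats for tuning: the parent-image check is evadable, since PsExec's -r switch renames the service and its binary, so keep the command-line match as the primary signal and treat the PSEXESVC.exe parent as enrichment; and the same registry change made through PowerShell (Set-ItemProperty) or WMI never passes through reg.exe and needs a registry-event (Sysmon event 13) rule instead.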