Adversaries may use remote execution via the PsExec service (PSEXESVC) to deploy ransomware and evade detection by tampering with antivirus components. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential ransomware activity before significant data loss occurs.
KQL Query
```kql
// Searches for remote batch file launch using PSEXESVC.exe
DeviceProcessEvents
| where InitiatingProcessParentFileName startswith "psexe"
| where InitiatingProcessCommandLine has ".bat"
| where ProcessCommandLine has "DisableIOAVProtection"
```
```yaml
id: 6941f6b3-9e08-4f45-ac26-fe4a23d4d613
name: cypherpunk-remote-exec-w-psexesvc
description: |
  This query was originally published in the threat analytics report, Cypherpunk ransomware leaves wake of tampered AVs.
  Cypherpunk is a human-operated ransomware campaign named after the unusual .cypherpunk extension given to encrypted files. The attackers often used PSEXESVC, a service that helps the PsExec.exe utility run commands on a remote device. Both PSEXESVC and PsExec.exe are legitimate parts of Windows; however, they can be repurposed by attackers to perform malicious actions.
  The query below can find instances of PSEXESVC being used to launch batch files, as often occurred in Cypherpunk attacks.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Ransomware
query: |
  // Searches for remote batch file launch using PSEXESVC.exe
  DeviceProcessEvents
  | where InitiatingProcessParentFileName startswith "psexe"
  | where InitiatingProcessCommandLine has ".bat"
  | where ProcessCommandLine has "DisableIOAVProtection"
```
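As an added hunting variant (not part of the original threat analytics report or the Sentinel content entry), the same three predicates are kept but bounded to a time window, filtered against an allowlist of known administrative service accounts, and rolled up per device and account so a hunter can triage the hits; the `AllowedAccounts` value is a placeholder assumption to replace with your own.

```kql
// Added example: same detection logic as the published query, plus tuning and triage.
// AllowedAccounts is a placeholder (assumption); populate it with service accounts
// that are expected to drive PsExec-based batch deployments in your environment.
let AllowedAccounts = dynamic(["svc-patchmgmt"]);
DeviceProcessEvents
| where Timestamp > ago(30d)
// Core predicates from the published query
| where InitiatingProcessParentFileName startswith "psexe"
| where InitiatingProcessCommandLine has ".bat"
| where ProcessCommandLine has "DisableIOAVProtection"
// Tuning: drop launches by accounts on the allowlist (case-insensitive)
| where InitiatingProcessAccountName !in~ (AllowedAccounts)
// Flag whether the grandparent is exactly PSEXESVC.exe rather than another "psexe*" binary
| extend ParentIsPsExeSvc = InitiatingProcessParentFileName =~ "psexesvc.exe"
// Roll up for triage: how many hits, when, which batch files and which tamper commands
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            BatchCommandLines = make_set(InitiatingProcessCommandLine, 5),
            TamperCommandLines = make_set(ProcessCommandLine, 5)
  by DeviceName, InitiatingProcessAccountName, ParentIsPsExeSvc
| order by Hits desc
```

Rows where ParentIsPsExeSvc is false still match the original prefix test and deserve a look at the actual parent binary name before being dismissed.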
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Legitimate remote execution via PsExec for administrative tasks
Description: A system administrator uses PsExec to remotely execute a script or configuration update across multiple servers.
Filter/Exclusion: `process.parent_process_name != "psexesvc.exe" or process.parent_process_image != "C:\Windows\System32\psexesvc.exe"`

Scenario: Scheduled job using PsExec to deploy software updates
Description: A scheduled task runs a PowerShell script via PsExec to push out software updates to endpoints.
Filter/Exclusion: `process.parent_process_name != "psexesvc.exe" or process.parent_process_image != "C:\Windows\System32\psexesvc.exe" and process.name != "powershell.exe"`

Scenario: Remote PowerShell execution for patch management
Description: A security tool or patch management system uses PsExec to run PowerShell commands remotely to apply patches.
Filter/Exclusion: `process.parent_process_name != "psexesvc.exe" or process.parent_process_image != "C:\Windows\System32\psexesvc.exe" and process.name == "powershell.exe"`

Scenario: System cleanup using PsExec for orphaned processes
Description: An IT team uses PsExec to clean up orphaned processes or stale services across the network.
Filter/Exclusion: `process.parent_process_name != "psexesvc.exe" or process.parent_process_image != "C:\Windows\System32\psexesvc.exe" and process.name != "taskkill.exe"`

Scenario: Remote service configuration via PsExec for compliance checks
Description: A compliance tool uses PsExec to configure services or check configurations on remote machines.
Filter/Exclusion: `process.parent_process_name != “psexesvc