The tool works only when File and Printer Sharing is enabled on both the local and remote computers, and when the remote machine's ADMIN$ share is set up correctly to provide access to its \Windows\ folder. It supports all versions of Windows since Windows XP.
Adversaries may use PsExec to perform lateral movement. This free Sigma rule detects PsExec being used to enable RDP.
title: Using Psexec to enable RDP
description: PsExec is software published by Microsoft that can be used to perform lateral movement. This rule detects PsExec activity that tries to enable RDP.
detection:
    selection1:
        # substring match on the process command line
        CommandLine|contains: '"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
    condition: selection1
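The same check as an added Python example (not part of the original page or its rule), run over constructed process-creation events. It goes slightly beyond the rule: it also accepts the HKLM abbreviation and hex data, requires the data to be 0, and flags events where PsExec or its PSEXESVC service appears. The field names Image, ParentImage and CommandLine are assumed Sysmon-style fields, and the host name and paths are placeholders.

```python
import re

# fDenyTSConnections under this key gates RDP: 0 allows connections, 1 denies them.
KEY_RE = re.compile(r'(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\CurrentControlSet'
                    r'\\Control\\Terminal Server', re.I)
VALUE_RE = re.compile(r'/v\s+"?fDenyTSConnections\b', re.I)
DATA_RE = re.compile(r'/d\s+"?(0x[0-9a-f]+|\d+)', re.I)
PSEXEC_RE = re.compile(r'psexe(?:c|svc)', re.I)  # PsExec client or its PSEXESVC service


def classify(event):
    """Label one process-creation event (dict with Image, ParentImage, CommandLine)."""
    cmd = event.get("CommandLine", "")
    if not (KEY_RE.search(cmd) and VALUE_RE.search(cmd)):
        return None
    data = DATA_RE.search(cmd)
    if data is None:
        return None
    raw = data.group(1).lower()
    if (int(raw, 16) if raw.startswith("0x") else int(raw)) != 0:
        return None  # non-zero keeps RDP denied, so this is not an "enable"
    fields = (cmd, event.get("Image", ""), event.get("ParentImage", ""))
    if any(PSEXEC_RE.search(f) for f in fields):
        return "rdp_enabled_via_psexec"
    return "rdp_enabled"


# Constructed sample events (assumed field names; host name and paths are placeholders).
REG_ARGS = (r'reg add "{key}\SYSTEM\CurrentControlSet\Control\Terminal Server" '
            r'/v fDenyTSConnections /t REG_DWORD /d {data} /f')
SAMPLE_EVENTS = [
    # Source host: the PsExec client carries the whole command line.
    {"Image": r"C:\Tools\PsExec.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"PsExec.exe \\HOST-B " + REG_ARGS.format(key="HKLM", data="0")},
    # Target host: reg.exe is spawned by the PSEXESVC service.
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": REG_ARGS.format(key="HKEY_LOCAL_MACHINE", data="0x0")},
    # Same value set without PsExec anywhere in the process chain.
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": REG_ARGS.format(key="hklm", data="0")},
    # Disabling RDP (/d 1) must not alert.
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": REG_ARGS.format(key="HKLM", data="1")},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "<-", ev["CommandLine"])
```

On the target host the command line contains no PsExec string at all, so the parent image is what ties the registry change back to PsExec there.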