PSExec

Administrator rights on the target machine are mandatory.

PSExec is part of the Sysinternals tool suite and has been reimplemented in the Impacket suite (psexec.py, which works almost the same way). The Sysinternals tool is a Microsoft-signed binary, which makes it generally reliable in most Windows environments. It executes commands on a remote system by:

  1. Connecting to the ADMIN$ share (C:\Windows).

  2. Uploading the PSEXESVC.exe binary to that share.

  3. Using the Service Control Manager (sc) to install and start the binary as a service running as NT AUTHORITY\SYSTEM (the Sysinternals PsExec creates a service named PSEXESVC by default, whereas Impacket's psexec.py spawns a process with a randomly generated 4-character name).

  4. Creating a named pipe on the target and using it for I/O.

  5. Running the requested program as a child of PSEXESVC.exe, whose own parent process is services.exe.

  6. When the task completes, stopping the PSEXESVC service and deleting PSEXESVC.exe from ADMIN$.

In general, most defensive tools will detect (or at least have the ability to detect) lateral movement via PSExec.

psexec.exe /accepteula \\<IP> -u DOMAIN\USERNAME -p PASSWORD cmd.exe

Detection

Given that PSEXESVC.exe is written to the target's ADMIN$ share, it is possible to correlate events such as:

  1. File creation.

  2. Service installation.

  3. Process start.

Logs:

  • Event ID 5145 (a network share object was checked to see whether the client can be granted the desired access) records the access to the ADMIN$ share.

  • Event ID 7045 (a service was installed in the system) records the initial installation of the service.

  • The presence of PSEXESVC.exe on the host indicates that PsExec was used to gain access to the target machine.

  • Event ID 4697 (a service was installed in the system, Security log) is also recorded.

psexec_psh, used by Cobalt Strike, does not copy a binary to the target; instead it executes a single-line PowerShell command (always 32-bit).
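The correlation described above, written out as an added example (not part of the original page): a 5145 access to ADMIN$ that names an executable, followed on the same host within a short window by a 7045 or 4697 service-install event. The events are constructed samples in dict form, and the rule matches any .exe dropped to ADMIN$ rather than the fixed name PSEXESVC.exe, so it also covers Impacket's randomly named service binary; psexec_psh, which writes no file, would not trigger it.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are simplified
# stand-ins for the values carried by Security 5145/4697 and System 7045.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "id": 5145, "host": "WS01",
     "share": "\\\\*\\ADMIN$", "target": "PSEXESVC.exe", "src_ip": "10.0.0.5"},
    {"ts": "2024-01-10T09:00:02", "id": 7045, "host": "WS01",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-01-10T09:00:02", "id": 4697, "host": "WS01",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    # Unrelated share access on another host: must not produce an alert.
    {"ts": "2024-01-10T09:05:00", "id": 5145, "host": "WS02",
     "share": "\\\\*\\IPC$", "target": "srvsvc", "src_ip": "10.0.0.9"},
]

WINDOW = timedelta(minutes=2)  # assumed: service install follows the drop quickly


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_psexec_like(events, window=WINDOW):
    """Return one alert per (ADMIN$ executable drop, service-install event)
    pair on the same host where the install follows the drop within `window`."""
    drops = [e for e in events
             if e["id"] == 5145
             and e["share"].upper().endswith("ADMIN$")
             and e["target"].lower().endswith(".exe")]
    installs = [e for e in events if e["id"] in (7045, 4697)]
    alerts = []
    for drop in drops:
        for inst in installs:
            if inst["host"] != drop["host"]:
                continue
            delta = _ts(inst) - _ts(drop)
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "host": drop["host"],
                    "src_ip": drop["src_ip"],
                    "dropped_file": drop["target"],
                    "service": inst["service"],
                    "via_event": inst["id"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_psexec_like(SAMPLE_EVENTS):
        print(alert)
```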
