Lateral Movement with Psexec

A very old and noisy lateral movement technique can be performed using psexec by SysInternals.

Execution

Let's connect from workstation ws01 to the domain controller dc01 with domain administractor credentials:

attacker@victim

.\PsExec.exe -u administrator -p 123456 \\dc01 cmd

Observations

The technique is noisy for at least a couple of reasons. Upon code execution, these are some well known artefacts that are left behind which will most likely get you flagged in an environment where SOC is present.

A psexesvc service gets created on the remote system and below shows the process ancestry of your command shell:

Proving that psexec is actually running as a service:

Additionally, there is quite a bit of SMB network traffic generated when connecting to a remote machine which could be signatured:

PreviousEmpire Shells with NetNLTMv2 Relaying NextFrom Beacon to Interactive RDP Session

Last updated 5 years ago