> [!Info]
> This page is currently a work in progress.

## What is PsExec?

PsExec is a Microsoft Sysinternals tool that allows remote execution of processes on another system.

---

## How does PsExec Work?

- Uses SMB (445/139) to authenticate to hosts using admin credentials and remotely execute code.
- To do this it pushes a temporary service to the target system (`psexesvc.exe`).
- The temporary service is executed and the remote command is sent through a named pipe, with the output returned through the same pipe.

---

## What Is It Used For?

Utilised by admins for remote management across hosts; however, it is commonly abused by threat actors and can be used for lateral movement.

---

## Similar Tools

- [RemCom](https://github.com/kavika13/RemCom) - An open source PsExec.
- [PAExec](https://www.poweradmin.com/paexec/) - Another open source version of PsExec, targeted towards PowerAdmin server management.
- [CSExec](https://github.com/malcomvetter/CSExec) - PsExec but written in C#.

---

## Threat Hunting PsExec

### Process Artifacts

- Look for processes spawning from `services.exe` or `PsExeSvc.exe` on the target machine.
- Additionally, look for instances of named pipes.
- Named Pipe Examples:
  - `\\.\pipe\psexesvc`
  - `\\.\pipe\remcom_comunication`
  - `\\.\pipe\paexec-process-id-computer-name`
  - `\\.\pipe\csexecsvc`
- Note: If Metasploit is used, a custom or randomised name can be given to the pipe.
  - E.g. `\\.\pipe\lGDQirgp.exe`

### Registry Artifacts

If the registry key `HKEY_CURRENT_USER\software\sysinternals\psexec\eulaaccepted` is present, it may indicate PsExec has been used.

### File Analysis

As binaries are often pre-compiled, this metadata is unlikely to change in most circumstances.

- Binary Metadata:
  - Internal Names:
    - PsExec.exe: `PsExec`, `remcom`, `PAExec`
    - PsExeSvc.exe: `PsExec Service Host`, `PsExeSvc`, `RemCom Service`, `RemComSvc`, `paexec`.

### Windows Event Logs

- Event 7045 - "A new service was installed in the system."
  - Triggers immediately upon installation.
  - Provides initial install info.
- Event 4697 - "A service was installed in the system".
  - Triggers on successful completion.
  - Provides more in-depth service config info.
- Event 4688 - "A new process has been created".
  - Correlate with parent process of `services.exe` or `PsExeSvc.exe`.

### Network Analysis

Look for suspicious or correlating SMB traffic over ports 139/445.
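The following is an added example (not Sysinternals, Microsoft or any of the listed projects' code) that turns the process, named-pipe and event-log indicators above into a small hunting script. The event records are plain dicts with constructed fields (`id`, `host`, `service`, `image`, `parent`), and the sample events and pipe names are constructed to exercise each rule. It goes a little beyond the page in two places, both marked as assumptions in the code: the PAExec pipe is matched with a pattern because it embeds a process id and computer name, and the `services.exe` parent rule is tightened so that it only fires when the child itself looks like a PsExec-family service binary, since `services.exe` is the parent of every Windows service and would otherwise flag every `svchost.exe`.

```python
"""Hunt for PsExec-family artifacts in constructed sample telemetry.

Added example for this page; not Sysinternals/Microsoft code. The event
shape (plain dicts) and all sample records below are constructed.
"""
import re
from collections import defaultdict

# Named pipes listed on the page. The PAExec pipe embeds a process id and the
# computer name, so it is matched with a pattern rather than a fixed string.
KNOWN_PIPES = [
    re.compile(r"^\\\\\.\\pipe\\psexesvc$", re.I),
    re.compile(r"^\\\\\.\\pipe\\remcom_comunication$", re.I),
    re.compile(r"^\\\\\.\\pipe\\paexec-\d+-[^\\]+$", re.I),
    re.compile(r"^\\\\\.\\pipe\\csexecsvc$", re.I),
]
# Heuristic (assumption): legitimate pipe names rarely end in ".exe"; the page
# notes Metasploit may use a random pipe name such as \\.\pipe\lGDQirgp.exe.
EXE_SUFFIX_PIPE = re.compile(r"^\\\\\.\\pipe\\[^\\]+\.exe$", re.I)

# Binary internal names from the page, lower-cased for substring matching
# against service names and image paths in 7045/4697 events.
SERVICE_INDICATORS = ("psexesvc", "psexec", "remcomsvc", "remcom", "paexec", "csexecsvc")


def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_pipe(pipe_name):
    """Return a finding label for a named pipe, or None if it looks benign."""
    if any(p.match(pipe_name) for p in KNOWN_PIPES):
        return "known PsExec-family pipe"
    if EXE_SUFFIX_PIPE.match(pipe_name):
        return "pipe named like an executable (possible randomised psexec pipe)"
    return None


def check_event(ev):
    """Map one event record to a finding label, or None."""
    eid = ev["id"]
    if eid in (7045, 4697):
        # Service install: match the service name or image path against the
        # internal names of the PsExec-family service binaries.
        haystack = (ev.get("service", "") + " " + ev.get("image", "")).lower()
        if any(ind in haystack for ind in SERVICE_INDICATORS):
            return f"event {eid}: PsExec-family service installed ({ev.get('service')})"
        return None
    if eid == 4688:
        parent = basename(ev.get("parent", ""))
        child = basename(ev.get("image", ""))
        if parent == "psexesvc.exe":
            return f"event 4688: {child} spawned by PsExeSvc.exe"
        # services.exe parents every service; only flag when the child itself
        # looks like a PsExec-family service binary, to avoid noise (assumption).
        if parent == "services.exe" and any(ind in child for ind in SERVICE_INDICATORS):
            return f"event 4688: {child} started by services.exe"
    return None


def hunt(events, pipes):
    """Return {host: [findings]} for every host with at least one hit."""
    findings = defaultdict(list)
    for ev in events:
        label = check_event(ev)
        if label:
            findings[ev["host"]].append(label)
    for host, pipe in pipes:
        label = check_pipe(pipe)
        if label:
            findings[host].append(f"pipe {pipe}: {label}")
    return dict(findings)


# Constructed sample telemetry: WS01 shows a full PsExec run, WS02 is benign
# service activity, WS03 and WS04 only have pipe observations.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "WS01", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4697, "host": "WS01", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4688, "host": "WS01", "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 4688, "host": "WS01", "parent": r"C:\Windows\PSEXESVC.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 7045, "host": "WS02", "service": "Spooler", "image": r"%SystemRoot%\System32\spoolsv.exe"},
    {"id": 4688, "host": "WS02", "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe"},
]
SAMPLE_PIPES = [
    ("WS01", r"\\.\pipe\PSEXESVC"),
    ("WS02", r"\\.\pipe\lsass"),
    ("WS03", r"\\.\pipe\PAExec-4120-FILESRV"),
    ("WS04", r"\\.\pipe\lGDQirgp.exe"),
]

if __name__ == "__main__":
    for host, hits in sorted(hunt(SAMPLE_EVENTS, SAMPLE_PIPES).items()):
        print(host)
        for hit in hits:
            print("  -", hit)
```

On the sample data WS01 produces five findings (both service-install events, the service binary started by `services.exe`, `cmd.exe` spawned by `PsExeSvc.exe`, and the pipe), WS03 and WS04 produce one pipe finding each, and WS02 produces nothing because `svchost.exe` under `services.exe` and the Spooler install are ordinary. In a real hunt the event dicts would be populated from exported Security and System logs and the pipe list from an EDR or Sysmon pipe-creation feed; the matching logic does not change.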