SysInternals

Logged-in Users

.\PsLoggedon.exe \\web01

PsExec

PsExec is a SysInternals tool for remote process execution over Windows systems, often used for lateral movement by attackers. It requires:

1. Admin privileges on the taget machine

2. An accessible ADMIN$ share

3. Enabled File and Printer Sharing.

The last two requisites are met by default on modern Windows environments. However, PsExec is not installed by default on Windows.

Behind the scenes PsExec's workflow is as follows:

1. Writes psexesvc.exe to the remote machine’s C:\Windows directory.

2. Creates a temporary service (psexesvc) to execute commands.

3. Runs the specified command as a child process of psexesvc.exe.

PsExec enables lateral movement and interactive remote control, assuming administrative access, without triggering outbound connections from the target.

In the following scenario, offsec is local administrator on CLIENT74, getting an interactive shell as jen who is a Domain Admin.

> .\PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd

Microsoft Windows [Version 10.0.20348.169]
C:\Windows\system32>hostname
FILES04

C:\Windows\system32>whoami
corp\jen

Resources

Documentation

Sysinternals Suite - Sysinternalsdocsmsft