SysInternals
.\PsLoggedon.exe \\web01
PsExec is a SysInternals tool for remote process execution on Windows systems, often used for lateral movement by attackers. It requires:
- Admin privileges on the target machine
- An accessible ADMIN$ share
- Enabled File and Printer Sharing
The last two requirements are met by default on modern Windows environments. However, PsExec is not installed by default on Windows.
Behind the scenes, PsExec's workflow is as follows:
1. Writes psexesvc.exe to the remote machine's C:\Windows directory.
2. Creates a temporary service (psexesvc) to execute commands.
3. Runs the specified command as a child process of psexesvc.exe.
PsExec enables lateral movement and interactive remote control, assuming administrative access, without triggering outbound connections from the target.
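A defender's view of the same three-step workflow, as an added example that is not part of the original notes: a small Python detector run over constructed event records shaped like Windows System log Event ID 7045 (service installed) and Sysmon Event ID 1 (process creation), flagging the PSEXESVC service registration and any command spawned under the service binary. Host names, users and paths in the sample records are hypothetical.

```python
import ntpath

# Constructed sample records, modelled on the fields of Windows System log
# Event ID 7045 (a service was installed) and Sysmon Event ID 1 (process
# creation). Hosts, users and paths are hypothetical.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "FILES04", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"event_id": 7045, "host": "FILES04", "service_name": "Spooler",
     "image_path": "%SystemRoot%\\System32\\spoolsv.exe"},
    {"event_id": 1, "host": "FILES04", "user": "corp\\jen",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\PSEXESVC.exe"},
    {"event_id": 1, "host": "FILES04", "user": "corp\\jen",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
]

PSEXEC_SERVICE = "psexesvc"


def _basename(path: str) -> str:
    # ntpath splits on backslashes regardless of the host platform.
    return ntpath.basename(path).lower()


def detect_psexec(events):
    """Return one (host, kind, detail) finding per event matching a PsExec step."""
    findings = []
    for ev in events:
        if ev["event_id"] == 7045:
            # Steps 1 and 2: the helper binary is dropped into %SystemRoot%
            # and registered as a service named PSEXESVC.
            name = ev["service_name"].lower()
            binary = _basename(ev["image_path"])
            if name == PSEXEC_SERVICE or binary == PSEXEC_SERVICE + ".exe":
                findings.append((ev["host"], "service_install",
                                 f"{ev['service_name']} -> {ev['image_path']}"))
        elif ev["event_id"] == 1:
            # Step 3: the requested command runs as a child of PSEXESVC.exe.
            if _basename(ev["parent_image"]) == PSEXEC_SERVICE + ".exe":
                findings.append((ev["host"], "child_process",
                                 f"{ev['user']} {ev['parent_image']} -> {ev['image']}"))
    return findings


if __name__ == "__main__":
    for host, kind, detail in detect_psexec(SAMPLE_EVENTS):
        print(f"[{host}] {kind}: {detail}")
```

In a real deployment the records would come from the System log (Event ID 7045) and Sysmon (Event ID 1), for example via Get-WinEvent, rather than the constructed list above.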
In the following scenario, offsec is a local administrator on CLIENT74 and obtains an interactive shell on FILES04 as jen, who is a Domain Admin.
> .\PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd
Microsoft Windows [Version 10.0.20348.169]
C:\Windows\system32>hostname
FILES04
C:\Windows\system32>whoami
corp\jen