PsExec is a lightweight telnet-replacement utility that allows you to execute processes on other systems, complete with full interactivity for console applications.
While it was originally designed as an administrative tool within the Sysinternals suite, it has become a staple for lateral movement in penetration testing because it allows an attacker to run commands on a remote host using valid local-administrator credentials.
Why It’s a Security Goldmine
- System Privileges: With the -s switch, PsExec runs the remote process as NT AUTHORITY\SYSTEM, the most privileged local account on a Windows machine. Without -s the process runs in the context of the authenticating user.
- No Client Software: You don't need to install any agent on the target machine; it only requires that File and Printer Sharing (Server Message Block (SMB), TCP 445) is reachable and that your credentials have administrative access to the ADMIN$ share (and to IPC$, over which PsExec's named pipes travel).
- Interactivity: Unlike many remote execution tools, PsExec relays the remote process's standard input, output and error back to your console, so you can work in a remote command prompt as if you were sitting at the machine.
How It Works (The Mechanics)
- Authentication: PsExec authenticates to the remote machine over Server Message Block (SMB, TCP 445) with the supplied credentials or, if none are given, your current logon.
- Service Deployment: It copies a service executable named PSEXESVC.exe into the remote ADMIN$ share (which maps to the Windows directory, normally C:\Windows), then registers it as a service named PSEXESVC through the remote Service Control Manager (the svcctl named pipe over SMB). The -r switch changes the service name.
- Execution: It starts the service on the remote machine; PSEXESVC launches the command you requested and relays its stdin, stdout and stderr to your console over named pipes on the IPC$ share.
- Cleanup: Once the command is finished, PsExec stops and deletes the service and removes PSEXESVC.exe from the remote machine.
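To make the four steps concrete, here is an added example (not from the original page, and not Sysinternals code) that reproduces PsExec's deployment sequence by hand with built-in Windows tools. The target address, service name and binary path are placeholders; the binary is assumed to be a real Windows service executable.

```powershell
# Added example: do by hand what PsExec automates, using only SMB and the remote
# Service Control Manager. All values below are assumed lab placeholders.
param(
    [string]$Target      = "10.0.0.5",             # assumed target host
    [string]$ServiceName = "DemoSvc",              # PsExec itself uses PSEXESVC (changeable with -r)
    [string]$LocalExe    = "C:\tools\DemoSvc.exe"  # assumed: a genuine Windows *service* binary
)

$adminShare = "\\$Target\ADMIN$"                   # maps to the remote %SystemRoot%, normally C:\Windows
$remotePath = "C:\Windows\$ServiceName.exe"

# Optional: authenticate with explicit credentials first, as PsExec -u/-p would.
# net use "$adminShare" /user:LAB\admin

# Step 1: authenticate over SMB (TCP 445) and drop the service binary into ADMIN$.
# This is the same write PsExec performs with PSEXESVC.exe.
Copy-Item -Path $LocalExe -Destination "$adminShare\$ServiceName.exe" -Force

# Step 2: register the binary as a service through the remote SCM. sc.exe speaks
# MS-SCMR over the \pipe\svcctl named pipe on IPC$, exactly as PsExec does. No obj=
# is given, so the service runs as LocalSystem, the context PsExec -s provides.
# The target logs System event 7045 ("A service was installed") at this point.
sc.exe "\\$Target" create $ServiceName binPath= "$remotePath" start= demand
if ($LASTEXITCODE -ne 0) { throw "service creation failed on $Target (sc.exe exit $LASTEXITCODE)" }

# Step 3: start it; the SCM launches the binary as SYSTEM on the remote host.
sc.exe "\\$Target" start $ServiceName
if ($LASTEXITCODE -ne 0) { Write-Warning "start failed (exit $LASTEXITCODE); a non-service EXE dies with 1053" }

# Step 4: cleanup, mirroring PsExec's teardown: stop, delete, remove the file.
sc.exe "\\$Target" stop   $ServiceName | Out-Null
sc.exe "\\$Target" delete $ServiceName | Out-Null
Remove-Item "$adminShare\$ServiceName.exe" -Force
```

Two practical notes: in PowerShell, `sc` is an alias for Set-Content, so the executable must be called as `sc.exe`; and the binary has to implement the service control protocol (StartServiceCtrlDispatcher), otherwise the SCM kills it after a timeout with error 1053. That is why PsExec ships its own PSEXESVC.exe, which wraps the requested command and relays its I/O over named pipes, rather than registering cmd.exe directly.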
Common Commands
To use PsExec, you typically run it from your local command prompt targeting a remote IP or hostname. On first use it prompts you to accept the EULA; pass -accepteula to suppress that prompt in scripts.
| Command | Description |
|---|---|
| psexec \\[Target_IP] cmd.exe | Remote Shell: Opens an interactive command prompt on the target machine. |
| psexec -s \\[Target_IP] [command] | Run as SYSTEM: Executes the specified command with SYSTEM privileges. |
| psexec -u [User] -p [Pass] \\[Target_IP] [cmd] | Auth: Runs the command using specific credentials (use DOMAIN\User for domain accounts; omit -p to be prompted for the password). |
| psexec -c \\[Target_IP] [local_exe] | Copy & Run: Copies an executable from your machine to the target and runs it. |
⚠️ Security & Detection
- Signatures: Because PsExec is so commonly used by ransomware operators and APTs (Advanced Persistent Threats), many Antivirus/EDR solutions flag the creation of the PSEXESVC service as a high-alert event. On the target it also leaves a System log event 7045 (service installed) naming PSEXESVC and a binary in C:\Windows; on the source, EULA acceptance is recorded under HKCU\Software\Sysinternals\PsExec.
- The "PaExec" Alternative: If standard PsExec is blocked, attackers sometimes use PaExec, an open-source clone that performs the same functions but is a different binary and therefore has different file signatures. It still copies a binary to ADMIN$ and installs a remote service, so detections that key on the behaviour (remote service installation) rather than the PSEXESVC name catch it as well.
- Lateral Movement: In a PenTest+ context, PsExec is the primary example of lateral movement: once you have an admin's password or hash, you use it to "jump" to other servers in the domain. Sysinternals PsExec itself only takes a password; to use a hash you first inject it into a logon session (pass-the-hash with a tool such as Mimikatz) and run PsExec from that session, or use a PsExec-style implementation that accepts NTLM hashes directly, such as Impacket's psexec.py.
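For the defensive side of the Security & Detection points above, here is an added example (my code, not from the original page) that hunts the System log's 7045 service-install events for PsExec and PaExec activity. The detection function, the helper that flattens real events, and the four sample events are all constructed for this example; the sample events are not real log output.

```powershell
# Added example: flag PsExec-style remote service installs among 7045 events.
# The sample data at the bottom is constructed, not captured from a real host.

function Get-PsExecServiceInstall {
    # Accepts flat objects with ServiceName, ImagePath and AccountName properties.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $svc  = [string]$Event.ServiceName
        $path = [string]$Event.ImagePath
        # Known names: the Sysinternals default and PaExec's "PAExec-<pid>-<host>" pattern.
        $named = $svc -match '^(PSEXESVC|PAExec-)' -or $path -match 'PSEXESVC|PAExec'
        # Behavioural: a binary dropped straight into %SystemRoot% (i.e. via ADMIN$) and
        # run as LocalSystem. This is the shape PsExec -r leaves even when the name is changed.
        $dropped = ($path -match '^"?(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe"?$') -and
                   ($Event.AccountName -eq 'LocalSystem')
        if ($named -or $dropped) {
            $reason = if ($named) { 'known PsExec/PaExec name' } else { 'service binary dropped in %SystemRoot%' }
            [pscustomobject]@{
                ServiceName = $svc
                ImagePath   = $path
                Account     = $Event.AccountName
                Reason      = $reason
            }
        }
    }
}

function ConvertFrom-ServiceInstallEvent {
    # Flattens a real 7045 record. Its EventData fields are ServiceName, ImagePath,
    # ServiceType, StartType and AccountName.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            AccountName = $data['AccountName']
        }
    }
}

# Constructed samples: a default PsExec install, a renamed (-r) PsExec install,
# a PaExec install, and a benign vendor service that must not be flagged.
$samples = @(
    [pscustomobject]@{ ServiceName = 'PSEXESVC';            ImagePath = '%SystemRoot%\PSEXESVC.exe';             AccountName = 'LocalSystem' }
    [pscustomobject]@{ ServiceName = 'updatesvc';           ImagePath = '%SystemRoot%\updatesvc.exe';            AccountName = 'LocalSystem' }
    [pscustomobject]@{ ServiceName = 'PAExec-4120-ADMINWS'; ImagePath = '"C:\Windows\PAExec-4120-ADMINWS.exe"'; AccountName = 'LocalSystem' }
    [pscustomobject]@{ ServiceName = 'VendorAgent';         ImagePath = '"C:\Program Files\Vendor\agent.exe"';  AccountName = 'NT AUTHORITY\NetworkService' }
)
$samples | Get-PsExecServiceInstall | Format-Table -AutoSize   # flags the first three only

# Live use against the local System log (needs local admin to read it):
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } |
#     ConvertFrom-ServiceInstallEvent | Get-PsExecServiceInstall
```

The behavioural rule is deliberately broad: a service whose binary sits directly in the Windows directory and runs as LocalSystem is rare for legitimate software, so it is a cheap second signal when an attacker has renamed the service with -r or switched to PaExec. Pair it with Security event 5145 (share access to ADMIN$ and IPC$) or Sysmon named-pipe events to confirm the remote origin.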
PsExec (Sysinternals)
📝 Overview
What it is: A Windows utility from the Microsoft Sysinternals suite that allows remote command execution without requiring manual software installation on the target.
Target Phase: Lateral Movement / Post-Exploitation
Operating System: Windows (a Microsoft tool, but not shipped with Windows; it must be downloaded)
⚙️ Core Capabilities
- SYSTEM Access: With -s, runs the remote command as Local SYSTEM. This requires local admin rights on the target; it does not bypass them.
- Remote Shell: Provides an interactive CLI on remote hosts via SMB.
- Agentless: Relies on standard Windows administrative shares (ADMIN$ for the service binary, IPC$ for named pipes).
💻 Common Commands
| Command | Description |
|---|---|
| psexec \\10.0.0.5 cmd | Interactive shell on target. |
| psexec -s \\10.0.0.5 whoami | Runs 'whoami' as SYSTEM. |
🏷️ Tags
PsExec CLItool LateralMovement Windows PostExploitation Sysinternals PenTestPlus