💥 PsExec
🧠 What's the Deal?
PsExec is a classic AD lateral movement tool (originally from Sysinternals). It works by abusing Windows services + SMB.
How does it work?
- PsExec connects to the ADMIN$ share on the target using SMB.
- It uploads a temporary service executable (PSEXESVC.exe) to C:\Windows.
- It creates and starts a Windows service (PSEXESVC) remotely using the Service Control Manager (SCM), which executes the attacker-supplied command with SYSTEM privileges.
- PsExec redirects stdout/stderr back to the attacker's console over SMB.
- After execution, the service is deleted.
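Each step above leaves a host-side artefact, which is what a defender hunts for. The following is an added detection example (not code from the original page or from Sysinternals): it scans event records for the two most reliable traces of the workflow described above, assuming the Windows System log Event ID 7045 ("A service was installed in the system") and Security log Event ID 5145 (network share object access) are being collected. The event records in `SAMPLE_EVENTS` are constructed sample data in a simplified dictionary form; a real deployment would feed parsed EVTX/XML or SIEM rows into `find_psexec_activity`.

```python
"""Hunt for PsExec-style service installs and ADMIN$ drops in event records.

Added, illustrative detection logic. Assumptions (not from the page):
  * 7045 records carry 'service_name' and 'image_path' fields.
  * 5145 records carry 'share_name' (e.g. \\*\ADMIN$), 'relative_target',
    'account' and 'source_ip' fields.
"""
from dataclasses import dataclass
from typing import Iterable, List

SERVICE_INSTALLED = 7045      # System log: a service was installed
SHARE_OBJECT_ACCESS = 5145    # Security log: network share object accessed


@dataclass(frozen=True)
class Finding:
    host: str
    event_id: int
    reason: str


def is_psexec_service(event: dict) -> bool:
    """7045 with the canonical PSEXESVC service name or PSEXESVC.exe binary.

    Matches the 'creates and starts a Windows service (PSEXESVC)' step.
    """
    if event.get("event_id") != SERVICE_INSTALLED:
        return False
    name = event.get("service_name", "").lower()
    image = event.get("image_path", "").lower().strip('"')
    return name == "psexesvc" or image.endswith("\\psexesvc.exe")


def is_psexec_share_write(event: dict) -> bool:
    """5145 against the ADMIN$ share with PSEXESVC.exe as the relative target.

    Matches the 'uploads PSEXESVC.exe via the ADMIN$ share' step; it still
    fires if the service was renamed but the binary name was not.
    """
    if event.get("event_id") != SHARE_OBJECT_ACCESS:
        return False
    # share_name may be '\\*\ADMIN$' or just 'ADMIN$'; compare the last part
    share = event.get("share_name", "").lower().split("\\")[-1]
    target = event.get("relative_target", "").lower()
    return share == "admin$" and target == "psexesvc.exe"


def find_psexec_activity(events: Iterable[dict]) -> List[Finding]:
    """Return one Finding per event that matches either PsExec indicator."""
    findings: List[Finding] = []
    for ev in events:
        if is_psexec_share_write(ev):
            findings.append(Finding(
                ev["host"], SHARE_OBJECT_ACCESS,
                f"{ev['relative_target']} written to ADMIN$ by "
                f"{ev.get('account', '?')} from {ev.get('source_ip', '?')}"))
        elif is_psexec_service(ev):
            findings.append(Finding(
                ev["host"], SERVICE_INSTALLED,
                f"service {ev['service_name']} installed from {ev['image_path']}"))
    return findings


# Constructed sample events (not real telemetry). Only the first two are
# PsExec artefacts; the rest are benign noise the rules must ignore.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 5145, "share_name": "\\\\*\\ADMIN$",
     "relative_target": "PSEXESVC.exe", "account": "CORP\\jdoe",
     "source_ip": "10.0.0.5"},
    {"host": "WS01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "WS01", "event_id": 7045, "service_name": "Sysmon64",
     "image_path": "C:\\Windows\\Sysmon64.exe"},
    {"host": "WS01", "event_id": 5145, "share_name": "\\\\*\\IPC$",
     "relative_target": "svcctl", "account": "CORP\\jdoe",
     "source_ip": "10.0.0.5"},
    {"host": "WS01", "event_id": 4624, "account": "CORP\\jdoe"},
]


if __name__ == "__main__":
    for f in find_psexec_activity(SAMPLE_EVENTS):
        print(f"[{f.host}] event {f.event_id}: {f.reason}")
```

The two rules are deliberately kept separate: a renamed service name defeats the first, a renamed binary defeats the second, and a 7045 for any service whose image path sits directly under C:\Windows is worth a closer look even when neither rule fires. Correlating a 5145 ADMIN$ write with a 7045 from the same host within a short window is the higher-confidence signal.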
🧰 Gear Up (Prereqs)
Below are the requirements for performing this attack:
- The attacker must already have valid credentials (NTLM hash, password, or Kerberos ticket) for a user who is a member of the local Administrators group on the remote target machine.
- The ADMIN$ share must be available.
- File and Printer Sharing has to be turned on.
🚀 Launch Sequence (How-To)
Once you have access to a machine, use the command below to perform the attack:
# From attacker machine with admin creds:
psexec.exe \\TARGET -u DOMAIN\Administrator -p Password123 cmd.exe