
PSExec

Remote command execution via Windows SMB. Execute commands on remote systems using PsExec or similar tools.

Remote Code Execution via SMB

Requires: Valid credentials • Difficulty: Low • Impact: High

PSExec is a legitimate Microsoft Sysinternals tool for executing processes on remote Windows systems. However, it's frequently used by attackers for lateral movement and remote code execution in Active Directory environments. PSExec creates a service on the target system, executes commands, and cleans up—all over SMB.

How PSExec Works (Legitimate Use):

  1. Administrator runs: psexec \\target cmd.exe
  2. PSExec connects to target via SMB (TCP 445)
  3. Copies PSEXESVC.exe to ADMIN$ share (C:\Windows)
  4. Creates and starts a service named "PSEXESVC"
  5. Service executes the requested command
  6. Output is returned via named pipe
  7. Service is stopped and deleted

Attacker Use:

Attackers use PSExec with compromised credentials (obtained through Pass-the-Hash, Kerberoasting, etc.) to execute commands on remote systems. It leaves minimal forensic artifacts, since service creation and deletion are normal Windows behavior, and it is a "living off the land" technique: using legitimate tools makes detection harder.

Why It's Effective: PSExec is a trusted, signed Microsoft tool. Many organizations allow it through firewalls and EDR solutions. It requires only SMB access and valid credentials—no special exploits needed. Perfect for lateral movement after initial compromise.

Legal & Ethical Warning

PSExec techniques should only be used in authorized penetration testing, red team engagements, or controlled lab environments. Unauthorized access to computer systems is illegal under CFAA and equivalent laws worldwide. Always obtain written permission before testing.

Execute commands on remote Windows systems via SMB. Create service, run command, clean up. Living off the land—legitimate tool, malicious purpose.

Remote Execution via SMB

TCP 445 (SMB) → ADMIN$ Share → Service Creation

Mission Brief

PSExec connects to remote systems via SMB (TCP 445), copies PSEXESVC.exe to the ADMIN$ share, creates a service, executes your command, and cleans up. All using legitimate Microsoft tools.

Attack Chain

  1. Connect: SMB connection to target (TCP 445)
  2. Copy: PSEXESVC.exe to ADMIN$ (C:\Windows)
  3. Create Service: Install PSEXESVC service
  4. Execute: Service runs your command
  5. Cleanup: Service stopped and deleted
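The service-install sequence described in the "How PSExec Works" steps and again in the Attack Chain above leaves a recognisable event trail on the target. The following is an added detection example, not part of this module, run over constructed log records with hypothetical, already-parsed field names: it flags Event ID 7045 service installs whose name is PSEXESVC or whose binary sits directly in the ADMIN$ root (catching renamed copies), and enriches each hit with the preceding type-3 network logon (4624) and ADMIN$ write (5145) on the same host.

```python
from datetime import datetime, timedelta

# Constructed sample records (hypothetical, already-parsed field names; real
# data comes from the System log for 7045 and the Security log for 4624/5145).
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:01", "host": "FS01", "id": 4624, "logon_type": 3,
     "user": "CORP\\admin", "src_ip": "10.0.0.5"},
    {"ts": "2025-01-10T09:00:02", "host": "FS01", "id": 5145, "user": "CORP\\admin",
     "share": "\\\\*\\ADMIN$", "target": "PSEXESVC.exe"},
    {"ts": "2025-01-10T09:00:03", "host": "FS01", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2025-01-10T11:30:00", "host": "FS01", "id": 7045,
     "service": "Backup Agent", "image": "C:\\Program Files\\Backup\\agent.exe"},
    {"ts": "2025-01-10T12:00:00", "host": "WS07", "id": 4624, "logon_type": 3,
     "user": "CORP\\svc_scan", "src_ip": "10.0.0.9"},
    {"ts": "2025-01-10T12:00:01", "host": "WS07", "id": 7045,
     "service": "xkqzpv", "image": "C:\\Windows\\xkqzpv.exe"},
]

KNOWN_SERVICE_NAMES = {"PSEXESVC"}   # default name; renamed copies need the path rule
WINDOW = timedelta(seconds=60)

def precedes(earlier, later):
    """True when `earlier` is on the same host at most WINDOW before `later`."""
    delta = datetime.fromisoformat(later["ts"]) - datetime.fromisoformat(earlier["ts"])
    return earlier["host"] == later["host"] and timedelta(0) <= delta <= WINDOW

def in_windows_root(image_path):
    """ADMIN$ maps to %SystemRoot%; a binary dropped straight into it matches the copy step."""
    path = image_path.lower().replace("%systemroot%", "c:\\windows")
    return path.startswith("c:\\windows\\") and "\\" not in path[len("c:\\windows\\"):]

def detect_psexec(events):
    """Flag suspicious service installs (7045), enriched with preceding logon/share events."""
    findings = []
    for ev in (e for e in events if e["id"] == 7045):
        reasons = []
        if ev["service"].upper() in KNOWN_SERVICE_NAMES:
            reasons.append("known PsExec service name")
        if in_windows_root(ev["image"]):
            reasons.append("service binary dropped in ADMIN$ root")
        if not reasons:
            continue  # ordinary installer behaviour, not the PsExec pattern
        for prior in events:
            if prior["id"] == 4624 and prior.get("logon_type") == 3 and precedes(prior, ev):
                reasons.append(f"network logon by {prior['user']} from {prior['src_ip']}")
            elif prior["id"] == 5145 and prior["share"].endswith("ADMIN$") and precedes(prior, ev):
                reasons.append(f"ADMIN$ write of {prior['target']} by {prior['user']}")
        findings.append({"host": ev["host"], "service": ev["service"], "reasons": reasons})
    return findings
```

The path rule is what catches a PsExec copy run under a non-default service name; the name rule alone would miss the WS07 case in the sample data.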

Why It Works

  • Legitimate tool: Microsoft Sysinternals PSExec is trusted
  • No exploits: Uses normal Windows service mechanism
  • Minimal artifacts: Service creation/deletion is normal
  • Living off the land: Harder to detect than custom malware
  • Pass-the-Hash: Works with NTLM hashes, no password needed

Critical Requirements

Requires valid credentials (username:password or NTLM hash) and SMB access to target. Often used after Pass-the-Hash, Kerberoasting, or credential dumping for lateral movement.

OPSEC: Training only. Unauthorized access to production systems is a federal crime. PSExec is MITRE ATT&CK technique T1021.002.