Theory:
- Versatile tool part of SysInternals suite
- Intended to replace telnet-like applications
- To abuse for lateral movement:
- User that authenticates needs to be part of Administrator local group
- ADMIN$ share available (default)
- File and Printer Sharing turned on (default)
- SMB connection through firewall
- Abuse works by:
- Writing psexesvc.exe into C:\Windows
- Creating and spawning service
- Running requested command as child process of psexesvc.exe
PsExec Remote Shell:
- Get PsExec binary to host.
- Run connection:
./PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd
PsExec Remote Shell with Impacket:
sudo /usr/bin/impacket-psexec joe:Flowers1@172.16.189.11