Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
T1028: WinRM for Lateral Movement
T1047: WMI for Lateral Movement
T1076: RDP Hijacking for Lateral Movement with tscon
T1051: Shared Webroot
T1175: Lateral Movement via DCOM
WMI + MSI Lateral Movement
Lateral Movement via Service Configuration Manager
Lateral Movement via SMB Relaying
WMI + NewScheduledTaskAction Lateral Movement
WMI + PowerShell Desired State Configuration Lateral Movement
Simple TCP Relaying with NetCat
Empire Shells with NetNLTMv2 Relaying
Lateral Movement with Psexec
From Beacon to Interactive RDP Session
SSH Tunnelling / Port Forwarding
Lateral Movement over headless RDP with SharpRDP
Persistence
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Lateral Movement with Psexec

A very old and noisy lateral movement technique can be performed using psexec by SysInternals.

Execution

Let's connect from workstation ws01 to the domain controller dc01 with domain administractor credentials:

attacker@victim
.\PsExec.exe -u administrator -p 123456 \\dc01 cmd

Observations

The technique is noisy for at least a couple of reasons. Upon code execution, these are some well known artefacts that are left behind which will most likely get you flagged in an environment where SOC is present.

A psexesvc service gets created on the remote system and below shows the process ancestry of your command shell:

Proving that psexec is actually running as a service:

Additionally, there is quite a bit of SMB network traffic generated when connecting to a remote machine which could be signatured:

Previous
Empire Shells with NetNLTMv2 Relaying
Next
From Beacon to Interactive RDP Session
Last updated 1 year ago
Contents
Execution
Observations