> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/lateral-movement/lateral-movement-with-psexec.md).

# Lateral Movement with Psexec

A very old and noisy lateral movement technique can be performed using psexec by SysInternals.

## Execution

Let's connect from workstation `ws01` to the domain controller `dc01` with domain administractor credentials:

{% code title="attacker\@victim" %}

```
.\PsExec.exe -u administrator -p 123456 \\dc01 cmd
```

{% endcode %}

![](/files/-LfLqox9BY2R5jrZfQbi)

## Observations

The technique is noisy for at least a couple of reasons. Upon code execution, these are some well known artefacts that are left behind which will most likely get you flagged in an environment where SOC is present.

A `psexesvc` service gets created on the remote system and below shows the process ancestry of your command shell:

![](/files/-LfLrw4yml0xTbOQBU4j)

Proving that `psexec` is actually running as a service:

![](/files/-LfLsJKxFp9KSr65n3_r)

![](/files/-LfLt4CKasmC-RzgE9C2)

Additionally, there is quite a bit of SMB network traffic generated when connecting to a remote machine which could be signatured:

![](/files/-LfLu0NlioAMzhkd_Yvf)
