Threat actor use PsExec to execute commands, deploy malware

Threat actors are adopting PsExec utility in the post-attack phases to spread across a network, execute commands on multiple systems, or deploy malware.

PsExec is a tool that helps administrators execute processes remotely on machines on the network without the need to install a client.

Although the original version of PsExec is available in the Sysinternals utility suite, there is also an Impacket variant that uses an SMB connection and, like the original version, is based on port 445.

The Impacket variant supports SMB and other protocols such as IP, UDP, TCP, which enable connections for HTTP, LDAP (Lightweight Directory Access Protocol), and Microsoft SQL Server (MSSQL).

Hackers use PsExec in their attacks. NetWalker ransomware uses PsExec to run their payload on all systems in one domain. Quantum ransomware Gang also relied on PsExec and WMI to encrypt systems in an attack that took just two hours.

According to the researchers, blocking port 135 does not prevent a threat actor from exploiting the vulnerability and completing an attack. While blocking port 445 is essential, it is also not enough.

In its analysis of a technique released by Pentera that shows an implementation of the PsExec tool that only runs on port 135, Lazar was able to show that blocking or monitoring RPC traffic in enterprise environments is not common practice, because defenders are unaware that RPC can pose a security risk to the network if left unchecked.

The sources for this piece include an article in BleepingComputer.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web