September 14, 2022

Threat actors are adopting PsExec utility in the post-attack phases to spread across a network, execute commands on multiple systems, or deploy malware.

PsExec is a tool that helps administrators execute processes remotely on machines on the network without the need to install a client.

Although the original version of PsExec is available in the Sysinternals utility suite, there is also an Impacket variant that uses an SMB connection and, like the original version, is based on port 445.

The Impacket variant supports SMB and other protocols such as IP, UDP, TCP, which enable connections for HTTP, LDAP (Lightweight Directory Access Protocol), and Microsoft SQL Server (MSSQL).

Hackers use PsExec in their attacks. NetWalker ransomware uses PsExec to run their payload on all systems in one domain. Quantum ransomware Gang also relied on PsExec and WMI to encrypt systems in an attack that took just two hours.

According to the researchers, blocking port 135 does not prevent a threat actor from exploiting the vulnerability and completing an attack. While blocking port 445 is essential, it is also not enough.

In its analysis of a technique released by Pentera that shows an implementation of the PsExec tool that only runs on port 135, Lazar was able to show that blocking or monitoring RPC traffic in enterprise environments is not common practice, because defenders are unaware that RPC can pose a security risk to the network if left unchecked.

The sources for this piece include an article in BleepingComputer.