PsExec is an extremely powerful tool and is used commonly in enterprise networks, for both good and evil. System administrators and incident responders use it for its flexibility in interacting with remote machines, including a telnet-like ability to run command-line tools on remote machines and receive the output on their local console. Attackers use it for the same reasons: it gives them a convenient way to move laterally and interact with remote machines using compromised credentials.
Given its power, you might wonder what the ramifications are of using this tool on a compromised machine. In other words, could it lead to your credentials being compromised? In this article, I’ll discuss the two “native” methods of logging onto a remote machine with PsExec and why you should always avoid one of the two. I’ll also discuss possible workarounds to the second, more dangerous logon. Finally, since attackers have been known to use this tool for lateral movement, I’ll follow up the logon discussion with a brief forensic analysis of the artifacts you will typically find from PsExec usage.