Threat Actor use PsExec to Execute Commands, Deploy Malware

Share post:

Threat actors are adopting PsExec utility in the post-attack phases to spread across a network, execute commands on multiple systems, or deploy malware.

PsExec is a tool that helps administrators execute processes remotely on machines on the network without the need to install a client.

Although the original version of PsExec is available in the Sysinternals utility suite, there is also an Impacket variant that uses an SMB connection and, like the original version, is based on port 445.

The Impacket variant supports SMB and other protocols such as IP, UDP, TCP, which enable connections for HTTP, LDAP (Lightweight Directory Access Protocol), and Microsoft SQL Server (MSSQL).

Hackers use PsExec in their attacks. NetWalker ransomware uses PsExec to run their payload on all systems in one domain. Quantum ransomware Gang also relied on PsExec and WMI to encrypt systems in an attack that took just two hours.

According to the researchers, blocking port 135 does not prevent a threat actor from exploiting the vulnerability and completing an attack. While blocking port 445 is essential, it is also not enough.

In its analysis of a technique released by Pentera that shows an implementation of the PsExec tool that only runs on port 135, Lazar was able to show that blocking or monitoring RPC traffic in enterprise environments is not common practice, because defenders are unaware that RPC can pose a security risk to the network if left unchecked.

The sources for this piece include an article in BleepingComputer.

Featured Tech Jobs

SUBSCRIBE NOW

Related articles

Cyber Security Today, Week in Review for week ending Friday, Feb. 23, 2024

This episode features discussion on the takedown of the LockBit ransomware gang

Breaking news: RCMP facing ‘alarming’ cyber attack

The RCMP is facing a serious cyber attack from an unspecified threat actor. The Mounties told CBC News today that a “breach of this magnitude is alarming.” “The situation is evolving quickly but at this time, there is no impact on RCMP operations and no known threat to the safety and security of Canadians,” a spokesperson

Leaked documents may show the inside of China’s hacking strategy

Documents apparently stolen by disgruntled employees to embarrass their firm may give insight into China's cyber

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways