Threat Actor use PsExec to Execute Commands, Deploy Malware

Share post:

Threat actors are adopting PsExec utility in the post-attack phases to spread across a network, execute commands on multiple systems, or deploy malware.

PsExec is a tool that helps administrators execute processes remotely on machines on the network without the need to install a client.

Although the original version of PsExec is available in the Sysinternals utility suite, there is also an Impacket variant that uses an SMB connection and, like the original version, is based on port 445.

The Impacket variant supports SMB and other protocols such as IP, UDP, TCP, which enable connections for HTTP, LDAP (Lightweight Directory Access Protocol), and Microsoft SQL Server (MSSQL).

Hackers use PsExec in their attacks. NetWalker ransomware uses PsExec to run their payload on all systems in one domain. Quantum ransomware Gang also relied on PsExec and WMI to encrypt systems in an attack that took just two hours.

According to the researchers, blocking port 135 does not prevent a threat actor from exploiting the vulnerability and completing an attack. While blocking port 445 is essential, it is also not enough.

In its analysis of a technique released by Pentera that shows an implementation of the PsExec tool that only runs on port 135, Lazar was able to show that blocking or monitoring RPC traffic in enterprise environments is not common practice, because defenders are unaware that RPC can pose a security risk to the network if left unchecked.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

Hamilton Estimates $52 Million to Rebuild IT Systems After Ransomware Attack

The city of Hamilton plans to spend $52 million over the next three years to rebuild and secure...

Avery Data Breach: Credit Card Skimmer Affects Over 61,000 Customers

Label maker Avery has disclosed a data breach affecting 61,193 customers, caused by a credit card skimmer that...

Scammed Company Ordered to Pay $190k for Fraudulent Invoice Payment

A hacker gained access to Mobius Group’s email system and sent instructions from a legitimate email address, directing...

Sneaky 2FA: A Sophisticated Attack Defeats Both 2FA and Phishing Protections

A new phishing kit, ominously named "Sneaky 2FA," has emerged, targeting Microsoft 365 users by bypassing two-factor authentication...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways