
DETECTION OVERVIEW

Impacket PsExec Activity

Risk Factors

Attackers who want to run remote commands on a Windows device are more likely to choose the built-in PsExec utility than the Impacket PsExec Python script. The Impacket script nonetheless lets an attacker compromise remote devices with little effort and move laterally across the network.

Kill Chain

Lateral Movement

Risk Score

78

Detection diagram

Attack Background

Impacket is an open-source collection of tools for manipulating packets and network protocols such as SMB/CIFS. PsExec is a Python script included in the Impacket toolset. An attacker who already holds local administrator privileges inside the network identifies a victim device they want to compromise. The attacker runs the Impacket PsExec script, which uploads a randomly named executable file to the ADMIN$ share on the victim device. The script then sends a Microsoft remote procedure call (MS-RPC) request to the victim device over SMB to register a service through the Windows Service Control Manager. The service runs the executable file, which creates a named pipe. The named pipe enables the attacker to send input to the victim device and receive output through an interactive shell. Finally, the PsExec script deletes the file and the service to hide evidence of compromise.
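The sequence above (file dropped into ADMIN$, service registered against it, then cleanup) is also what a host-side detection would look for. The following is an added example, not RevealX code or part of the original page: it correlates constructed Windows event records (Security event 5145 for share access and System event 7045 for service installation, in a simplified key=value format rather than a real log export). The naming heuristic is an assumption based on Impacket's default behaviour of picking an eight-letter executable stem and a four-letter service name from random ASCII letters; the comparison row for the Sysinternals PsExec service (PSEXESVC) shows why that heuristic separates the two tools.

```python
"""Correlate constructed Windows event records to spot the Impacket psexec.py
pattern: a random-looking executable is written to ADMIN$, a service pointing
at that file is installed moments later, and the file is deleted afterwards."""
import re
from datetime import datetime, timedelta

# Constructed sample events (not a real Windows log export).
# event_id 5145 = network share object accessed, 7045 = new service installed.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z event_id=5145 src=10.0.0.5 user=CORP\\jdoe share=\\\\*\\ADMIN$ target=XzQwLmPq.exe access=WriteData",
    "2024-05-01T10:00:02Z event_id=7045 host=WS01 service=AbCd image=%SystemRoot%\\XzQwLmPq.exe account=LocalSystem",
    "2024-05-01T10:00:40Z event_id=5145 src=10.0.0.5 user=CORP\\jdoe share=\\\\*\\ADMIN$ target=XzQwLmPq.exe access=DELETE",
    # Sysinternals PsExec for comparison: fixed, well-known names, so no alert.
    "2024-05-01T11:15:00Z event_id=5145 src=10.0.0.9 user=CORP\\admin share=\\\\*\\ADMIN$ target=PSEXESVC.exe access=WriteData",
    "2024-05-01T11:15:01Z event_id=7045 host=WS01 service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe account=LocalSystem",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one constructed 'timestamp key=value ...' record into a dict."""
    ts_text, _, rest = line.partition(" ")
    event = dict(_KV.findall(rest))
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def looks_like_impacket_names(exe_name, service_name):
    """Assumption: Impacket's service installer uses an 8-letter mixed-case
    executable stem and a 4-letter service name drawn from ASCII letters."""
    stem, _, ext = exe_name.rpartition(".")
    random_exe = (
        ext.lower() == "exe"
        and len(stem) == 8
        and stem.isascii() and stem.isalpha()
        and not (stem.isupper() or stem.islower())
    )
    random_svc = len(service_name) == 4 and service_name.isascii() and service_name.isalpha()
    return bool(random_exe and random_svc)


def detect_impacket_psexec(lines, window_seconds=60):
    """Return one alert per ADMIN$ file drop that is followed, within the
    window, by a service install whose image path names the dropped file."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("event_id") != "5145" or ev.get("access") != "WriteData":
            continue
        if not ev.get("share", "").upper().endswith("ADMIN$"):
            continue
        dropped = ev.get("target", "")
        # Look ahead (events are time-sorted) for a matching service install.
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            if later.get("event_id") != "7045":
                continue
            image_name = later.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1]
            if image_name.lower() != dropped.lower():
                continue
            if not looks_like_impacket_names(dropped, later.get("service", "")):
                continue
            # Cleanup is the last step the page describes; record it as extra evidence.
            cleanup = any(
                e.get("event_id") == "5145" and e.get("access") == "DELETE"
                and e.get("target", "").lower() == dropped.lower()
                and e["ts"] >= later["ts"]
                for e in events
            )
            alerts.append({
                "host": later.get("host"),
                "src": ev.get("src"),
                "user": ev.get("user"),
                "file": dropped,
                "service": later.get("service"),
                "cleanup_observed": cleanup,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_impacket_psexec(SAMPLE_EVENTS):
        print(alert)
```

The correlation (ADMIN$ write, then a 7045 whose image path names that file) is the signal the page's attack background supports; the name-shape test is only a tie-breaker against legitimate PsExec and should be reviewed against a site's own baseline before it is trusted on its own.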

Mitigation Options

Restrict remote access by users with local administrator credentials
Restrict adding domain user accounts to the local Administrator group
Reduce the number of users that have administrator privileges
Restrict file share access in Windows firewall settings to only authorized IP addresses

MITRE ATT&CK ID
