A security analyst reviews logs from a compromised server and observes the following sequence of events: an authenticated connection to the ADMIN$ share from a remote IP, the creation and start of a new service named "PSEXESVC", followed shortly by the service's removal. Which tool was most likely used by the attacker for lateral movement?
The sequence described is the distinctive operational footprint of PsExec, the Sysinternals remote-execution tool. PsExec authenticates to the target over SMB, copies its service binary PSEXESVC.exe into the hidden ADMIN$ share (which maps to the Windows directory), uses the Service Control Manager to create and start a service named PSEXESVC, talks to that service over named pipes on the IPC$ share to run the requested command and relay its input and output, and finally stops the service, deletes it, and removes the executable. On the target this typically surfaces as Security event 5140/5145 (network share access to ADMIN$ and IPC$ from the remote IP), System event 7045 or Security event 4697 (service installed: PSEXESVC, image path %SystemRoot%\PSEXESVC.exe), and a service stop a few seconds later. One caveat: PsExec's -r switch lets the operator pick a different service name, so a renamed service showing the same short-lived install, run, delete pattern should still be treated as probable PsExec. The other candidates operate differently. Windows Remote Management (WinRM) uses the WS-Management protocol over HTTP/HTTPS and does not install a new service on the target. Impacket's psexec.py reimplements the technique but generates random service and executable names rather than PSEXESVC. Secure Shell (SSH) is an unrelated cryptographic remote-access protocol and does not use SMB shares or the Service Control Manager at all.
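The following correlator is an added example, not code from the original page or from Sysinternals. It scans a constructed event stream (the sample records below are made up and use simplified field names; real 5140/7045/7036 records carry fields such as ShareName, IpAddress, ServiceName and ImagePath) and flags the PsExec pattern on each host: ADMIN$ accessed from a remote IP, then a service installed whose binary sits directly in the Windows root, then that service stopping within the same window. It deliberately matches on the image path rather than the literal name PSEXESVC, so it also catches a service renamed with -r; the finding records whether the default name was used.

```python
"""Correlate the PsExec lateral-movement footprint across Windows event records.

Added example; the events below are constructed to resemble Windows log
entries and are not real log data.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample events (assumption: simplified field names per event ID).
EVENTS: List[Dict] = [
    # Security 5140: network share object accessed (ADMIN$) from a remote IP
    {"time": "2024-05-01T10:00:01", "id": 5140, "share": "\\\\*\\ADMIN$",
     "src_ip": "10.0.0.25", "user": "CORP\\jsmith", "host": "SRV01"},
    # System 7045: a service was installed in the system
    {"time": "2024-05-01T10:00:02", "id": 7045, "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe", "host": "SRV01"},
    # System 7036: the service entered the stopped state
    {"time": "2024-05-01T10:00:09", "id": 7036, "service": "PSEXESVC",
     "state": "stopped", "host": "SRV01"},
    # Second host: same operator, but the service was renamed with -r
    {"time": "2024-05-01T10:05:00", "id": 5140, "share": "\\\\*\\ADMIN$",
     "src_ip": "10.0.0.25", "user": "CORP\\jsmith", "host": "SRV02"},
    {"time": "2024-05-01T10:05:01", "id": 7045, "service": "winupd",
     "image": "%SystemRoot%\\winupd.exe", "host": "SRV02"},
    {"time": "2024-05-01T10:05:04", "id": 7036, "service": "winupd",
     "state": "stopped", "host": "SRV02"},
    # Benign: a vendor service installed from Program Files, no prior ADMIN$ access
    {"time": "2024-05-01T11:00:00", "id": 7045, "service": "VendorSvc",
     "image": "C:\\Program Files\\Vendor\\svc.exe", "host": "SRV03"},
]

WINDOW = timedelta(seconds=60)  # assumption: PsExec runs are short-lived


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def _in_windows_root(image: str) -> bool:
    """True when the service binary sits directly in the Windows directory,
    which is where a file copied onto ADMIN$ lands."""
    path = image.strip('"').lower().replace("/", "\\")
    folder = path.rsplit("\\", 1)[0]
    return folder in ("%systemroot%", "c:\\windows")


def find_psexec_patterns(events: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """Return one finding per service install that is preceded (within `window`)
    by an ADMIN$ access on the same host and followed by a stop of that service."""
    events = sorted(events, key=_ts)
    findings = []
    for i, inst in enumerate(events):
        if inst["id"] != 7045 or not _in_windows_root(inst["image"]):
            continue
        host, t_inst = inst["host"], _ts(inst)
        share: Optional[Dict] = next(
            (e for e in events[:i]
             if e["id"] == 5140 and e["host"] == host
             and e["share"].upper().endswith("ADMIN$")
             and t_inst - _ts(e) <= window),
            None)
        if share is None:
            continue  # a service install without a prior ADMIN$ drop is not this pattern
        stop: Optional[Dict] = next(
            (e for e in events[i + 1:]
             if e["id"] == 7036 and e["host"] == host
             and e["service"] == inst["service"] and e.get("state") == "stopped"
             and _ts(e) - t_inst <= window),
            None)
        findings.append({
            "host": host,
            "src_ip": share["src_ip"],
            "user": share["user"],
            "service": inst["service"],
            "named_psexesvc": inst["service"].upper() == "PSEXESVC",
            "stopped_after_s": (_ts(stop) - t_inst).total_seconds() if stop else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_psexec_patterns(EVENTS):
        print(f)
```

Running it against the constructed stream yields two findings (SRV01 with the default PSEXESVC name, SRV02 with the renamed service) and nothing for SRV03, whose install lacks both the ADMIN$ access and the Windows-root image path. In a real pipeline the same logic would sit on top of parsed EVTX or forwarded events, and the stop event would ideally be corroborated with the named-pipe artifacts PsExec leaves on IPC$.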