During an internal penetration test, you have obtained valid domain credentials with local administrator rights on several Windows 10 workstations. Group Policy disables RDP and WinRM is not enabled. You need to push a PowerShell one-liner to HR-PC05 from your foothold on ENG-PC02 and see the output immediately, without installing any agent on the target. SMB (TCP 445) and the default admin$ share are accessible. Which approach using a Sysinternals utility will let you start the command on the remote host and view its console output locally?
Copy the one-liner into a new Run registry key on HR-PC05 with reg.exe and wait for the next reboot.
Use robocopy to place the script in HR-PC05's admin$ share and rely on a logged-in user to execute it.
Use PsExec to launch the PowerShell command on HR-PC05 from ENG-PC02, capturing the output in your local console.
Schedule a Windows task on HR-PC05 with schtasks.exe that invokes the script and collect results from the Task Scheduler history.
PsExec lets an attacker (or administrator) execute a process on a remote Windows system over SMB and have the console I/O redirected back to the local session, without pre-installing software on the target. The other options either require a reboot, rely on user interaction, or do not provide real-time output to the attacker.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is PsExec and how does it work?
Open an interactive chat with Bash
What is the role of the admin$ share in remote execution?
Open an interactive chat with Bash
Why can't other methods, like Run registry keys or schtasks.exe, achieve the same result as PsExec in this scenario?