Detection of “PSExec.py”

What is Impacket / PSExec?

Impacket's psexec.py is a Python implementation of PsExec-style remote execution, shipped as one of the example scripts of the open-source Impacket library. Impacket is a collection of Python classes and tools for working with network protocols (SMB, MSRPC, Kerberos and others), widely used in penetration testing and security research.

The psexec.py script within Impacket replicates the functionality of Sysinternals PsExec, allowing a user to remotely execute commands on Windows systems over the network.

  • PsExec uses Windows administrative shares (such as \\hostname\ADMIN$) over the Server Message Block (SMB) protocol to copy its service binary to the remote system, and the Service Control Manager (MSRPC over SMB named pipes) to install and start a service that runs it.
  • It requires credentials with local administrator rights on the target machine; without them the binary cannot be written to the share and the service cannot be created.

Analysis

I will remotely execute the command ipconfig on the target VM from the attacking host at 10.160.0.2. To run the command, you must supply credentials with the proper permissions (local administrator on the target). After executing:

The tool first generates a name for the executable it will upload: 8 random ASCII letters (upper or lower case) followed by .exe. The code responsible for this is in Impacket's serviceinstall.py helper rather than in psexec.py itself:

from “serviceinstall.py” helper

The tool then uploads that file (Impacket's RemComSvc service binary) to a writable administrative share (ADMIN$ by default, which maps to C:\Windows), creates a service whose name is 4 random letters with the uploaded binary as its image path, starts the service, relays the command's output back to the operator over a named pipe, and finally stops and deletes the service and removes the uploaded executable. Note that both the service name and the binary name can be overridden on the psexec.py command line, so the random-name pattern is a strong default indicator, not a guarantee.

Artifacts — Windows Event Logs

  • Security Log > Event ID 4697 “A service was installed in the system” (requires the Audit Security System Extension subcategory to be enabled)
  • Security Log > Event ID 4688 “A new process has been created” (requires Audit Process Creation; enable command-line logging to see the executed command)
  • Security Log > Event ID 4689 “A process has exited”
  • Security Log > Event ID 5145 “A network share object was checked to see whether client can be granted desired access” (requires Audit Detailed File Share; the event carries the source IP, the share name and the relative target file name)
  • System Log > Event ID 7045 “A service was installed in the system” (logged by default, no audit policy needed)

Artifacts — File System (MFT)

  • (ADMIN$ share) > C:\Windows > [a-zA-Z]{8}.exe
    This is the executable the tool uploads to the writable share (ADMIN$ maps to C:\Windows). It is deleted at the end of the run, so on a live system look for it in the $MFT, the USN journal, or Prefetch rather than on disk.
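To show how the artifacts above can be tied together, here is an added Python example (not code from the original post or from Impacket) that runs the naming pattern from serviceinstall.py over a handful of constructed event records and correlates the 4-letter service name and 8-letter binary name across 7045, 5145 and 4688. The sample events, the host name VICTIM01 and the exact ImagePath forms (%systemroot% or C:\Windows) are assumptions for illustration; the field names follow the EventData fields of the corresponding Windows events.

```python
import re
from collections import defaultdict

# Defaults from Impacket's serviceinstall.py: the uploaded binary is eight random
# ASCII letters + ".exe", the service name is four random ASCII letters. Both can be
# overridden on the psexec.py command line, so no match is not proof of absence.
IMAGE_RE = re.compile(r'^(?:%systemroot%|[a-z]:\\windows)\\([a-z]{8})\.exe$', re.I)
SHARE_FILE_RE = re.compile(r'^([a-z]{8})\.exe$', re.I)
SERVICE_RE = re.compile(r'^[a-z]{4}$', re.I)
ADMIN_SHARES = ("ADMIN$", "C$")

# Constructed sample records (not real logs). One psexec.py run against a host
# called VICTIM01, mixed with benign service installs and share access.
SAMPLE_EVENTS = [
    {"Log": "System", "EventID": 7045, "Computer": "VICTIM01", "ServiceName": "mHnK",
     "ImagePath": "%systemroot%\\qLzPdWoX.exe", "StartType": "demand start"},
    {"Log": "Security", "EventID": 5145, "Computer": "VICTIM01", "IpAddress": "10.160.0.2",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "qLzPdWoX.exe", "AccessMask": "0x2"},
    {"Log": "Security", "EventID": 4688, "Computer": "VICTIM01",
     "NewProcessName": "C:\\Windows\\qLzPdWoX.exe",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe"},
    {"Log": "Security", "EventID": 4688, "Computer": "VICTIM01",
     "NewProcessName": "C:\\Windows\\System32\\ipconfig.exe",
     "ParentProcessName": "C:\\Windows\\qLzPdWoX.exe"},
    # Benign noise: a normal service install, a 4-letter service with a legitimate
    # image path, and an admin reading the hosts file through ADMIN$.
    {"Log": "System", "EventID": 7045, "Computer": "VICTIM01", "ServiceName": "Sysmon64",
     "ImagePath": "C:\\Windows\\Sysmon64.exe", "StartType": "auto start"},
    {"Log": "System", "EventID": 7045, "Computer": "VICTIM01", "ServiceName": "SNMP",
     "ImagePath": "C:\\Windows\\System32\\snmp.exe", "StartType": "auto start"},
    {"Log": "Security", "EventID": 5145, "Computer": "VICTIM01", "IpAddress": "10.160.0.9",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "System32\\drivers\\etc\\hosts",
     "AccessMask": "0x1"},
]


def event_evidence(ev):
    """Return (binary_stem, evidence_tag) if the event matches a psexec.py artifact, else None."""
    eid = ev["EventID"]
    if eid == 7045:
        m = IMAGE_RE.match(ev.get("ImagePath", ""))
        if m and SERVICE_RE.match(ev.get("ServiceName", "")):
            return m.group(1).lower(), "7045_service_installed"
    elif eid == 5145:
        # ShareName is logged as \\*\ADMIN$; keep only the share part.
        share = ev.get("ShareName", "").rsplit("\\", 1)[-1].upper()
        m = SHARE_FILE_RE.match(ev.get("RelativeTargetName", ""))
        if m and share in ADMIN_SHARES:
            return m.group(1).lower(), "5145_share_access"
    elif eid == 4688:
        m = IMAGE_RE.match(ev.get("NewProcessName", ""))
        if m:
            return m.group(1).lower(), "4688_binary_started"
        m = IMAGE_RE.match(ev.get("ParentProcessName", ""))
        if m:
            # The uploaded service binary is the parent of the executed command.
            return m.group(1).lower(), "4688_child_process"
    return None


def correlate(events):
    """Group evidence tags by (host, binary stem) so one run is seen as one cluster."""
    evidence = defaultdict(set)
    for ev in events:
        hit = event_evidence(ev)
        if hit:
            stem, tag = hit
            evidence[(ev["Computer"], stem)].add(tag)
    return {key: sorted(tags) for key, tags in evidence.items()}


def alerts(events, min_sources=2):
    """Alert only when the same random name appears in at least two distinct event types."""
    return {key: tags for key, tags in correlate(events).items() if len(tags) >= min_sources}


if __name__ == "__main__":
    for (host, stem), tags in alerts(SAMPLE_EVENTS).items():
        print(f"{host}: probable Impacket psexec.py run, binary {stem}.exe, evidence {tags}")
```

Requiring two independent event types per name keeps a single 4-letter service name or a single short executable from alerting on its own, while still firing on the 7045 and 5145 pair even when process auditing (4688) is not enabled on the host.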

Detection rules