[PSEXEC]
Execute processes remotely on Windows systems for administration, incident response, and security testing
Difficulty: Intermediate
Category: Essential
Security Warning
PsExec is a powerful tool that can be used maliciously. It's commonly used by ransomware and APT groups for lateral movement. Always use responsibly and only on systems you own or have explicit permission to access.
Key Features
Remote Execution
Execute commands and programs on remote Windows systems
User Contexts
Run as different users including SYSTEM account
No Installation
No need to install software on target systems
Interactive Sessions
Establish interactive command shells on remote systems
Basic Usage
Remote Command Execution
# Execute command on remote system
psexec \\192.168.1.100 -u Administrator -p password cmd.exe
# Run as SYSTEM account
psexec \\target-pc -s cmd.exe
# Interactive session
psexec \\remote-host -i -u domain\user -p password cmd.exe
File Execution
# Execute local file on remote system
psexec \\target -c -f C:\tools\malware_scanner.exe
# Run PowerShell script remotely
psexec \\target powershell.exe -File C:\scripts\cleanup.ps1
# Execute on multiple systems
psexec @computers.txt -u admin -p pass cmd /c "netstat -an"
Advanced Options
Option | Description | Example |
---|---|---|
-s | Run as SYSTEM account | psexec \\target -s cmd |
-i | Interactive session | psexec \\target -i cmd |
-c | Copy file to remote system | psexec \\target -c tool.exe |
-f | Force copy even if exists | psexec \\target -c -f app.exe |
-d | Don't wait for termination | psexec \\target -d service.exe |
-w | Set working directory | psexec \\target -w C:\temp cmd |
Security Use Cases
Incident Response
Execute containment and analysis tools on infected systems.
# Deploy EDR agent
psexec \\infected-pc -c edr-agent.exe
Penetration Testing
Demonstrate lateral movement capabilities in security assessments.
# Execute payload
psexec \\target-host -u admin -p pass payload.exe
System Administration
Remote system maintenance and configuration tasks.
# Install updates
psexec \\workstation -s wuauclt /detectnow
Forensic Collection
Deploy forensic tools on remote systems for evidence gathering.
# Memory dump
psexec \\target -c winpmem.exe memory.dmp
Security Considerations
Credentials in Commands: Passwords passed with -p appear in command-line history and process lists; if -p is omitted, PsExec prompts for the password instead
Network Traffic: Creates SMB connections that may be logged and monitored
Service Creation: Temporarily creates a service on target system (PSEXESVC)
EDR Detection: Commonly flagged by endpoint detection systems
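A defender-side check for two of the points above, the PSEXESVC service creation and passwords on the command line, as an added example that is not part of the original page. It scans exported Windows events for service-install records (event 7045) naming PSEXESVC and for process-creation records (event 4688) where PsExec was started with -p, masking the password in the finding. The one-JSON-object-per-line export format, host names, account names and function names are constructed assumptions.

```python
import json
import ntpath
import re

# Constructed sample events, not real logs. Field names follow Windows event
# 7045 (service installed) and 4688 (process creation with command-line
# auditing); the one-JSON-object-per-line export format is an assumption.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Computer": "ws-014", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"EventID": 7045, "Computer": "ws-014", "ServiceName": "Spooler2", "ImagePath": "C:\\Windows\\System32\\spool2.exe"}
{"EventID": 4688, "Computer": "admin-01", "NewProcessName": "C:\\Tools\\PsExec64.exe", "CommandLine": "PsExec64.exe \\\\ws-014 -u CORP\\svc_ir -p Examp1e! cmd.exe"}
{"EventID": 4688, "Computer": "admin-01", "NewProcessName": "C:\\Tools\\PsExec.exe", "CommandLine": "PsExec.exe \\\\ws-020 -s cmd.exe"}
"""

PSEXEC_NAMES = ("psexec.exe", "psexec64.exe")
PASSWORD_ARG = re.compile(r"(?<=\s)([-/]p\s+)(\S+)", re.IGNORECASE)

def basename(path):
    """File name of a Windows path, lower-cased."""
    return ntpath.basename(path or "").lower()

def redact(cmdline):
    """Mask the value after -p so the alert does not re-leak the password."""
    return PASSWORD_ARG.sub(r"\1<redacted>", cmdline)

def classify(event):
    """Return (rule, detail) for a PsExec-related event, else None."""
    if event.get("EventID") == 7045:
        name = event.get("ServiceName", "")
        if name.upper() == "PSEXESVC" or basename(event.get("ImagePath")) == "psexesvc.exe":
            return ("psexec_service_installed", name)
    elif event.get("EventID") == 4688:
        cmd = event.get("CommandLine", "")
        if basename(event.get("NewProcessName")) in PSEXEC_NAMES and PASSWORD_ARG.search(cmd):
            return ("password_on_command_line", redact(cmd))
    return None

def triage(lines):
    """Parse JSON-lines events and return [(computer, rule, detail), ...]."""
    findings = []
    for line in filter(None, map(str.strip, lines.splitlines())):
        event = json.loads(line)
        hit = classify(event)
        if hit:
            findings.append((event.get("Computer"), *hit))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```

The -p match is a triage heuristic: a remote command that itself takes a -p argument will also be flagged, so review hits against the redacted command line.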