Security News > 2022 > September > New PsExec spinoff lets hackers bypass network security defenses

Security researchers have developed an implementation of the Sysinternals PsExec utility that allows moving laterally in a network using a single, less monitored port, Windows TCP port 135.

While the original PsExec is available in the Sysinternals utility suite, there is also an implementation in the Impacket collection of Python classes for working with network protocols, which has support for SMB and other protocols like IP, UDP, TCP that enable connections for HTTP, LDAP, and Microsoft SQL Server.

Based on the Impacket library, researchers at Pentera, a company that provides an automated security validation solution, have built an implementation of the PsExec tool that runs only on port 135.

Unlike the original PsExec in the Sysinternals suite, Pentera's variant has a higher chance of slipping undetected in a network, Lazar told BleepingComputer, because many organizations keep an eye on port 445 and SMB. "What we've noticed is that while many organizations implement a lot of the mitigations based on SMB and port 445, they overlook other important ports such as 135" - Yuval Lazar, Senior Security Researcher at Pentera.

Lazar's research on PsExec highlights that while security vulnerabilities like PetitPotam [1, 2] and DFSCoerce have drawn attention to the risk RPC poses, mitigations don't emphasize monitoring DCE/RPC but on NTLM relay prevention.

A report from Microsoft in June details an attack from BlackCat ransomware, who also used PsExec to distribute their ransomware payload. Another example is from the recently disclosed Cisco breach, where the Yanluowang ransomware gang used PsExec to add registry values remotely, allowing the threat actor to leverage the accessibility features available on the Windows logon screen.

News URL

https://www.bleepingcomputer.com/news/security/new-psexec-spinoff-lets-hackers-bypass-network-security-defenses/