PsExec Blocks Malware Remote Execution
According to recent headlines, Pentera security researchers in the United States have confirmed a new version of the Sysinternals PsExec utility that allows users to move laterally in a network over a single port, namely Windows TCP port 135.
There are high hopes for PsExec, as it is expected to help administrators remotely execute processes on network machines without needing to install a client.
While the original PsExec is still available, a Python implementation of PsExec is also present in the Impacket library, which supports SMB as well as additional protocols, such as UDP, TCP and IP, that allow connections to Microsoft SQL Server (MSSQL), LDAP (Lightweight Directory Access Protocol) and HTTP.
The Impacket variant functions similarly to the original version, but the similarities stop at the fact that port 135 is required for its extended functionality.
What’s more, blocking this port does not prevent a hacker from carrying out an attack, because port 445 is also required for PsExec to function. To compensate, most defenders concentrate on blocking port 445, as it is essential for PsExec to execute commands or run files, but there is still a chance of being hacked.
New Arbitrary Command Prevents Hacking
This is why Pentera researchers have gone to such lengths to create a version that relies only on port 135. The Pentera version uses an RPC connection, which allows researchers to create a service that executes an arbitrary command without using SMB port 445 for transport or output.
“What we’ve noticed is that while many organizations implement a lot of mitigations based on SMB and port 445, they overlook other important ports like 135” – Yuval Lazar, Senior Security Researcher at Pentera.
Most organizations typically implement mitigations targeting SMB and port 445, meaning ports such as 135 are overlooked. This ultimately gives a port-135 variant a higher chance of going undetected in a network.
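As an added example (not from the article and not Pentera's tool), the following Python script reviews constructed firewall log lines for PsExec-style lateral movement, treating the RPC endpoint-mapper port 135 on equal footing with SMB port 445 and calling out destinations where an SMB block was followed by a successful RPC connection; the log format, the admin-host allow-list and the target threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample firewall log: timestamp src dst dport action
SAMPLE_LOG = """\
2023-04-01T10:00:01 10.0.5.21 10.0.7.11 445 DENY
2023-04-01T10:00:02 10.0.5.21 10.0.7.11 135 ALLOW
2023-04-01T10:00:05 10.0.5.21 10.0.7.12 135 ALLOW
2023-04-01T10:00:07 10.0.5.21 10.0.7.13 135 ALLOW
2023-04-01T10:00:09 10.0.1.10 10.0.7.14 135 ALLOW
2023-04-01T10:00:10 10.0.5.30 10.0.7.20 443 ALLOW
2023-04-01T10:00:12 10.0.5.30 10.0.7.21 135 ALLOW
"""

# Assumed: hosts that legitimately manage machines over RPC/SMB (jump boxes).
ADMIN_SOURCES = {"10.0.1.10"}
LATERAL_PORTS = {135, 445}  # RPC endpoint mapper and SMB


def parse_log(log):
    """Yield (src, dst, dport, action) tuples from the space-separated log."""
    for line in log.splitlines():
        _ts, src, dst, dport, action = line.split()
        yield src, dst, int(dport), action


def find_suspects(log, min_targets=2):
    """Flag non-admin sources that reached >= min_targets distinct hosts on
    135/445, and list targets where SMB (445) was denied but RPC (135) got
    through, i.e. a 445-only block that a port-135 PsExec variant slips past."""
    allowed = defaultdict(set)     # src -> dsts reached on 135/445
    denied_smb = defaultdict(set)  # src -> dsts where 445 was blocked
    for src, dst, dport, action in parse_log(log):
        if dport not in LATERAL_PORTS or src in ADMIN_SOURCES:
            continue
        if action == "ALLOW":
            allowed[src].add(dst)
        elif dport == 445:
            denied_smb[src].add(dst)
    findings = {}
    for src, dsts in allowed.items():
        if len(dsts) >= min_targets:
            findings[src] = {
                "lateral_targets": sorted(dsts),
                "smb_blocked_rpc_allowed": sorted(dsts & denied_smb[src]),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_suspects(SAMPLE_LOG).items():
        print(src, info)
```

On the sample log the only flagged source is 10.0.5.21, which was denied on 445 to 10.0.7.11 and then reached the same host and two others on 135.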
Unfortunately, trouble brews on the horizon, as hackers have also adopted the software. Numerous reports have begun to spring up that it is used in the post-exploitation stages of an attack to spread across the network, execute commands on multiple systems, or deploy malware.