{
	"id": "98ea4528-af81-440b-a376-7d7635fdb87a",
	"created_at": "2026-04-06T03:37:54.845984Z",
	"updated_at": "2026-04-10T03:21:10.935739Z",
	"deleted_at": null,
	"sha1_hash": "7da668271b1f522372267e00510ec807c34ff8b8",
	"title": "New PsExec spinoff lets hackers bypass network security defenses",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4412797,
	"plain_text": "New PsExec spinoff lets hackers bypass network security defenses\r\nBy Ionut Ilascu\r\nPublished: 2022-09-13 · Archived: 2026-04-06 02:51:49 UTC\r\nSecurity researchers have developed an implementation of the Sysinternals PsExec utility that allows moving laterally in a network using a single, less monitored port, Windows TCP port 135.\r\nPsExec is designed to help administrators execute processes remotely on machines in the network without the need to install a client.\r\nThreat actors have also adopted the tool and frequently use it in the post-exploitation stages of an attack to spread across the network, run commands on multiple systems, or deploy malware.\r\nhttps://www.bleepingcomputer.com/news/security/new-psexec-spinoff-lets-hackers-bypass-network-security-defenses/\r\nPage 1 of 5\r\nPsExec and the TCP ports it needs\r\nWhile the original PsExec is available in the Sysinternals utility suite, there is also an implementation in the Impacket collection of Python classes for working with network protocols, which supports SMB and other protocols such as IP, UDP, and TCP that carry connections for HTTP, LDAP (Lightweight Directory Access Protocol), and Microsoft SQL Server (MSSQL).\r\nBoth the original version and the Impacket variant work in a similar way. They use an SMB connection and rely on port 445, which needs to be open to communicate over the SMB network file-sharing protocol.\r\nThey also manage Windows services (create, execute, start, stop) through Remote Procedure Calls (RPC), a protocol that enables high-level communication with the operating system.\r\nFor extended functionality, though, port 135 is required. Blocking this port, however, does not prevent a threat actor from completing an attack, so port 445 is the one that is essential for PsExec to work.\r\nBecause of this, defenders mostly focus on blocking port 445, which is essential for PsExec to execute commands or run files. This works in most cases but is not enough.\r\nNew PsExec implementation\r\nBased on the Impacket library, researchers at Pentera, a company that provides an automated security validation solution, have built an implementation of the PsExec tool that runs only on port 135.\r\nThis achievement changes the defense game, since blocking just port 445 to restrict malicious PsExec activity is no longer a reliable option for most attacks.\r\n“We found that the SMB protocol is used to upload the binary and to forward the input and output,” Yuval Lazar, a senior security researcher at Pentera, explains.\r\nLazar adds in a report shared with BleepingComputer that commands are executed through Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) and processes “run regardless of the output.”\r\nRunning PsExec commands over port 135\r\nsource: Pentera Labs\r\nThe PsExec variation from Pentera uses an RPC connection that enabled the researchers to create a service that runs an arbitrary command without communicating over SMB port 445 for transport or output.\r\nPentera's PsExec implementation creates a DCE/RPC connection without SMB\r\nsource: Pentera Labs\r\nAll-out monitoring needed\r\nUnlike the original PsExec in the Sysinternals suite, Pentera’s variant has a higher chance of slipping through a network undetected, Lazar told BleepingComputer, because many organizations keep an eye on port 445 and SMB.\r\n“What we’ve noticed is that while many organizations implement a lot of the mitigations based on SMB and port 445, they overlook other important ports such as 135” - Yuval Lazar, Senior Security Researcher at Pentera\r\nAnother point Lazar makes is that other PsExec implementations have to use SMB because they are file-based. Pentera’s variant is fileless, the researcher said, which would make it more difficult to detect.\r\nLazar’s research on PsExec highlights that while security vulnerabilities like PetitPotam [1, 2] and DFSCoerce have drawn attention to the risk RPC poses, mitigations don’t emphasize monitoring DCE/RPC but focus on NTLM relay prevention.\r\nBased on Pentera’s observations, blocking or monitoring RPC traffic is not common practice in corporate environments. The reason in many cases is that defenders are unaware that RPC can introduce a security risk to the network if left unchecked.\r\n“Security teams need to understand how different ports can be used by hackers so that they know what to monitor them for” - Yuval Lazar\r\nWill Dormann, senior vulnerability analyst at ANALYGENCE, agrees that blocking TCP port 445 alone is insufficient to block malicious activity relying on the tool.\r\n\"If people think that blocking 445 only is enough to prevent PsExec (and other RPC-related things), then they are mistaken,\" the researcher told BleepingComputer.\r\nPsExec is based on SMB and RPC connections, which require ports 445, 139, and 135. However, Lazar added that there is an RPC implementation on top of HTTP, meaning that PsExec could potentially work over port 80, too.\r\nPsExec popular with ransomware actors\r\nHackers have been using PsExec in their attacks for a long time. Ransomware gangs, in particular, adopted it to deploy file-encrypting malware.\r\nIn an attack that lasted just one hour, NetWalker ransomware used PsExec to run their payload on all systems in a domain.\r\nIn a more recent example, the Quantum ransomware gang relied on PsExec and WMI to encrypt systems in an attack that took only two hours to complete after gaining access via IcedID malware.\r\nA report from Microsoft in June details an attack from BlackCat ransomware, who also used PsExec to distribute their ransomware payload.\r\nAnother example is from the recently disclosed Cisco breach, where the Yanluowang ransomware gang used PsExec to add registry values remotely, allowing the threat actor to leverage the accessibility features available on the Windows logon screen.\r\nUpdate [September 13, 10:10 EST]: Article updated with comment from Will Dormann, vulnerability analyst at the U.S. CERT Coordination Center.\r\nSource: https://www.bleepingcomputer.com/news/security/new-psexec-spinoff-lets-hackers-bypass-network-security-defenses/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-psexec-spinoff-lets-hackers-bypass-network-security-defenses/"
	],
	"report_names": [
		"new-psexec-spinoff-lets-hackers-bypass-network-security-defenses"
	],
	"threat_actors": [],
	"ts_created_at": 1775446674,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7da668271b1f522372267e00510ec807c34ff8b8.pdf",
		"text": "https://archive.orkl.eu/7da668271b1f522372267e00510ec807c34ff8b8.txt",
		"img": "https://archive.orkl.eu/7da668271b1f522372267e00510ec807c34ff8b8.jpg"
	}
}