"New PsExec Spinoff Lets Hackers Bypass Network Security Defenses"

PsExec lets administrators remotely execute processes on network machines without installing a client. Threat actors have adopted the tool as well, typically in the post-exploitation stages of an attack, to spread across the network, execute commands on multiple systems, or deploy malware. Ransomware gangs in particular have long relied on it to distribute file-encrypting malware; the NetWalker ransomware, for example, used PsExec to execute its payload on every system in a domain during a one-hour attack. Security researchers at Pentera have now built a version of the Sysinternals PsExec utility that enables lateral movement using only Windows Transmission Control Protocol (TCP) port 135, a single, less-monitored port. Because blocking port 445 alone is no longer a reliable way to restrict malicious PsExec activity, this changes the defensive picture. Unlike the original PsExec in the Sysinternals suite, Pentera's variant has a higher chance of going undetected, since many organizations monitor port 445 and the Server Message Block (SMB) protocol rather than port 135. This article continues to discuss the new PsExec implementation and the popularity of this utility among ransomware actors.
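The defensive point of the article is that a detection or blocking rule keyed only on SMB (TCP 445) misses a PsExec-style tool that needs only TCP 135, the Windows RPC endpoint mapper port. The following Python is an added example, not code from Pentera, Bleeping Computer, or the Sysinternals project: it runs a simple fan-out check over a constructed connection log (the log format, IP addresses, and the `min_targets` threshold are all assumptions made for the example) and shows that a source spraying port 135 across many hosts is only caught when 135 is watched alongside 445.

```python
import re
from collections import defaultdict

# Constructed sample of a firewall/flow log in a hypothetical format:
#   <timestamp> <src_ip> <dst_ip> <dst_port> <action>
# These lines are made up for the example and do not describe real traffic.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 10.0.1.5 10.0.2.10 445 allow
2023-05-01T10:00:02Z 10.0.1.5 10.0.2.11 445 allow
2023-05-01T10:00:03Z 10.0.1.5 10.0.2.12 445 allow
2023-05-01T10:00:04Z 10.0.1.5 10.0.2.13 445 allow
2023-05-01T10:01:01Z 10.0.1.8 10.0.2.10 135 allow
2023-05-01T10:01:02Z 10.0.1.8 10.0.2.11 135 allow
2023-05-01T10:01:03Z 10.0.1.8 10.0.2.12 135 allow
2023-05-01T10:01:04Z 10.0.1.8 10.0.2.13 135 allow
2023-05-01T10:02:00Z 10.0.1.20 10.0.0.2 135 allow
2023-05-01T10:02:01Z 10.0.1.20 10.0.0.3 445 allow
2023-05-01T10:02:02Z 10.0.1.20 10.0.0.3 443 allow
this line is garbage and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dport>\d+) (?P<action>\w+)$"
)

# Two monitoring policies: the traditional SMB-only view, and one that also
# watches the RPC endpoint mapper port the article says the variant relies on.
SMB_ONLY = {445}
SMB_AND_RPC = {135, 445}


def parse_log(text):
    """Yield (src, dst, dport) for well-formed, allowed lines; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "allow":
            continue
        yield m["src"], m["dst"], int(m["dport"])


def fan_out_by_source(events, watched_ports):
    """Map (src, dport) -> set of distinct destinations, restricted to watched ports."""
    targets = defaultdict(set)
    for src, dst, dport in events:
        if dport in watched_ports:
            targets[(src, dport)].add(dst)
    return targets


def flag_lateral_movement(text, watched_ports, min_targets=3):
    """Return sorted (src, dport, n_targets) for sources that reached at least
    min_targets distinct hosts on one watched port; a few connections to a single
    host (normal RPC or file-share use) stay below the threshold."""
    targets = fan_out_by_source(parse_log(text), watched_ports)
    hits = [
        (src, dport, len(dsts))
        for (src, dport), dsts in targets.items()
        if len(dsts) >= min_targets
    ]
    return sorted(hits)


if __name__ == "__main__":
    for name, ports in (("SMB only (445)", SMB_ONLY), ("SMB + RPC (135, 445)", SMB_AND_RPC)):
        print(f"{name}: {flag_lateral_movement(SAMPLE_LOG, ports)}")
```

With the SMB-only policy the check reports just the 445 sprayer; adding port 135 to the watched set surfaces the second source, which is the coverage gap the article describes. In a real deployment the same fan-out logic would sit on flow or firewall telemetry with a time window, and a host legitimately contacting one domain controller on 135 is not flagged because it reaches a single destination.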

Bleeping Computer reports "New PsExec Spinoff Lets Hackers Bypass Network Security Defenses"

Submitted by Anonymous on