← All Chokepoints HIGH

Remote Execution Tools (HackTools)

Lateral Movement Execution T1021.002 T1021.003 T1021.006 T1047 T1053.005 T1569.002 Detection difficulty: MEDIUM Prevalence: HIGH

Offensive security tools (Impacket, NetExec, CrackMapExec, Evil-WinRM) used for remote code execution across Windows environments. These frameworks wrap legitimate Windows protocols (SMB, WMI, WinRM, RPC) to execute code on remote systems using valid admin credentials. Despite tool diversity, the chokepoint is invariant: valid admin credentials, network access to target ports, and a remote execution primitive (service creation, WMI process, scheduled task) are always required.

By @iimp0ster · Updated 2026-03-07 · View source YAML

Prerequisites (Environmental)

• ✓ Network access to target on at least one required protocol port (SMB 445, WMI/RPC 135, WinRM 5985/5986)
• ✓ Remote execution surface enabled on target (Server service for SMB, WinRM service, WMI, or Task Scheduler)

Attack Chokepoints (3 invariant stages — click to expand)

Each stage is an invariant condition the attacker must satisfy — regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.

1

Credential Acquisition

Research Baseline

Valid admin credentials (local or domain) must be obtained before any remote execution attempt

All remote execution tools require authenticated access — no valid credentials means authentication failure at every attempted protocol regardless of which tool is used

• Windows Security Event ID 4648 (Logon with Explicit Credentials)
• Windows Security Event ID 4769 (Kerberos Service Ticket Request)

2

Remote Execution Primitive

Analyst SOC Alert

Tool invokes a Windows execution primitive on the remote host — service creation (SMB), WMI process spawn, scheduled task creation, or WinRM command

A command must run on the target via one of these four primitives — no other execution surface exists over these authenticated protocols; tools must first establish an authenticated session over a protocol port (445, 135, 5985/5986) — no reachable port means no remote execution regardless of credential validity

• Windows Security Event ID 4697 / System 7045 (Service Installed)
• Windows Security Event ID 5145 (IPC$/svcctl share access)
• Sysmon Event ID 1 (wmiprvse.exe or services.exe spawning cmd.exe/powershell.exe)

View rule →

⚠ Bypass risk: LOTL tools (winrs.exe, wmic /node:, Enter-PSSession, Invoke-Command) produce identical telemetry to Impacket but with signed Microsoft binaries — detection must be purely behavioral with no reliance on tool signatures

3

Lateral Spread

Hunt Active Hunt

The same credential and execution primitive sequence repeats across multiple hosts in a short window or follows a deliberate pivot path

Lateral movement by definition requires replication of the credential-plus-primitive pattern on each subsequent host — the telemetry is identical on every hop

• Windows Security Event ID 4624 (multiple target hosts, short window)
• Sysmon Event ID 3 (same source IP, multiple RFC1918 destinations)

View rule →

Variations

Tools and methods that exploit this chokepoint — the list grows; the chokepoint doesn't change:

Impacket Active

2015

Python suite with psexec/wmiexec/atexec/dcomexec modules; rdp_shadow added January 2025

Python suite with multiple execution modules: psexec.py (SMB service creation), smbexec.py (SMB + scheduled tasks), wmiexec.py (WMI process creation), atexec.py (Task Scheduler), dcomexec.py (DCOM), rdp_shadow.py (RDP session hijacking, added 2025-01)

Source →

CrackMapExec Archived

2016

Archived December 2023; superseded by NetExec — CME-specific signatures now stale

Multi-protocol framework covering SMB, WMI, WinRM, MSSQL; original repository archived by maintainer on December 6, 2023 (read-only); superseded by NetExec — defenders should not expect CME-specific signatures to receive community updates

NetExec Active

2023

Active CrackMapExec fork; adds LDAP, SSH, and improved OPSEC features

Active CrackMapExec fork; adds LDAP, SSH, improved OPSEC features

Source →

Evil-WinRM Active

2019

Dedicated WinRM exploitation tool targeting port 5985/5986

Dedicated WinRM exploitation tool; targets port 5985/5986

Metasploit psexec Active

2007

Original PsExec-style SMB execution via Metasploit framework

Sliver Active

2020

Open-source C2 widely adopted by nation-state and ransomware actors as Cobalt Strike alternative

Open-source C2 framework widely adopted by nation-state and ransomware actors as a Cobalt Strike alternative; built-in lateral movement over SMB/WMI using the same execution primitives this chokepoint detects; used by threat actors following Fortra's crackdown on pirated Cobalt Strike licenses

Havoc Active

2022

Modern C2 with strong EDR bypass features; uses same underlying Windows execution primitives

Modern open-source C2 framework with strong EDR bypass features and lateral movement capabilities; described as 'entry-level C2 for serious criminals'; increasingly observed in intrusions alongside or replacing Impacket; uses the same underlying Windows execution primitives (service creation, WMI, WinRM)

Detection Strategy

Build detections iteratively. Start broad to understand your baseline, then tighten to production-ready.

Goal: Identify network logon events followed by service creation or remote process execution

Log Sources

• Windows Security Event ID 4624 (Successful Logon)
• Windows Security Event ID 4688 (Process Creation)
• Windows System Event ID 7045 (Service Installed)

FP Rate: High

Use Case: Baseline normal admin activity; understand legitimate remote administration patterns

Detection Logic

Event ID: 4624 LogonType: 3 (Network) Account: Member of local Administrators or Domain Admins Within 60 seconds: Service creation (7045) OR process creation with elevated token

Sigma Rule — Research Level

View on GitHub Download

title: Network Logon Followed by Service Installation
id: e1f5a7b9-c1d3-4e5f-7a8b-9c0d1e2f3a4b
status: experimental
description: >
  Detects Windows network logon events (Type 3) followed closely by service installation
  events. Research-level rule for the remote execution tools chokepoint. This covers
  PsExec-style execution via Impacket, CrackMapExec, NetExec, and native PsExec.exe.
  High false positive rate expected — legitimate remote admin activity generates the
  same pattern. Use to baseline normal admin behavior.
references:
  - https://attack.mitre.org/techniques/T1021/002/
  - https://attack.mitre.org/techniques/T1021/006/
  - https://www.socinvestigation.com/threat-hunting-with-eventid-5145-object-access-detailed-file-share/
author: "@iimp0ster"
date: 2025/01/15
tags:
  - attack.lateral_movement
  - attack.t1021.002
  - attack.execution
  - detection.maturity.research
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 7045
    # Any new service installation — extremely broad
  condition: selection
falsepositives:
  - Software installation via MSI packages
  - Windows Update installing drivers and services
  - Legitimate remote administration (SCCM, Ansible, PDQ Deploy)
  - IT staff using PsExec or similar tools for authorized administration
  - Antivirus/EDR product updates
level: informational

Goal: Network logon with suspicious service creation (random name or unusual path) or WMI parent process

Log Sources

• Sysmon Event ID 1 (Process Creation)
• Windows Security Event ID 4624 (Logon)
• Windows Security Event ID 4697 (Service Installed)
• Windows System Event ID 7045 (Service Installed)

FP Rate: Medium

Use Case: Active hunt for lateral movement campaigns; identifies PsExec-style and WMI execution

Detection Logic

Network Logon (4624, LogonType 3) AND one of:
  Service Created with:
    - Name: matches random pattern (8-10 char alpha-numeric)
    - Binary Path: \Windows\Temp\ OR \Users\Public\ OR \ProgramData\
  OR Process Created with:
    - Parent: wmiprvse.exe OR services.exe
    - Image: cmd.exe OR powershell.exe
    - Path: unusual system paths

Sigma Rule — Hunt Level

View on GitHub Download

title: Suspicious Service Created After Network Logon — Remote Execution Pattern
id: f2a6b8c0-d2e4-4f6a-8b0c-0d1e2f3a4b5c
status: experimental
description: >
  Detects suspicious service installations with random-looking names or binaries
  located in user-writable paths. This pattern is characteristic of Impacket's
  psexec.py and smbexec.py, CrackMapExec, and NetExec SMB execution modules, which
  create short-lived services with auto-generated names in temporary locations.
references:
  - https://attack.mitre.org/techniques/T1021/002/
  - https://attack.mitre.org/techniques/T1047/
  - https://www.socinvestigation.com/threat-hunting-with-eventid-5145-object-access-detailed-file-share/
  - https://github.com/fortra/impacket
author: "@iimp0ster"
date: 2025/01/15
tags:
  - attack.lateral_movement
  - attack.t1021.002
  - attack.execution
  - attack.t1569.002
  - detection.maturity.hunt
logsource:
  product: windows
  service: system
detection:
  selection_service_install:
    EventID: 7045
  # Service binary located in suspicious paths (user-writable, temp locations)
  filter_suspicious_path:
    ImagePath|contains:
      - '\Windows\Temp\'
      - '\Users\Public\'
      - '\ProgramData\'
      - '\AppData\Local\Temp\'
      - '\AppData\Roaming\'
  # OR service binary executes cmd/powershell (common for shell-based execution)
  filter_shell_execution:
    ImagePath|contains:
      - 'cmd.exe'
      - 'powershell.exe'
      - 'pwsh.exe'
  condition: selection_service_install and (filter_suspicious_path or filter_shell_execution)
falsepositives:
  - Legitimate software installers that temporarily use Windows\Temp (verify binary is signed)
  - Some legitimate monitoring agents that run from non-standard paths
  - Custom IT deployment scripts that create temporary services
level: medium

Goal: Network logon + IPC$ access + suspicious service or multiple hosts in spray pattern

Log Sources

• Sysmon Event ID 1 (Process Creation)
• Sysmon Event ID 3 (Network Connection)
• Windows Security Event ID 4624 (Logon)
• Windows Security Event ID 4697/7045 (Service)
• Windows Security Event ID 5145 (Detailed File Share)

FP Rate: Low

Use Case: SOC alerting for active lateral movement; direct IR escalation trigger

Detection Logic

Network Logon (4624, LogonType 3) + IPC$ share access (5145, ShareName = IPC$) + Service creation with suspicious characteristics:
    Name: 8-10 random alphanumeric characters
    Binary: runs from \Windows\Temp\ OR \Users\Public\ OR command is cmd.exe/powershell.exe
OR + Pattern: same source IP accessing 3+ hosts within 10 minutes (spray) Source IP: internal lateral movement (RFC1918 source to RFC1918 destination)

Sigma Rule — Analyst Level

View on GitHub Download

title: Impacket-Style Remote Execution — Network Logon, IPC$ Access, Suspicious Service
id: a3b7c9d1-e3f5-4a7b-9c1d-1e2f3a4b5c6d
status: experimental
description: >
  High-fidelity detection for Impacket psexec.py, smbexec.py, CrackMapExec, and NetExec
  SMB execution patterns. Looks for the combination of network logon, IPC$ share access,
  and suspicious service creation (random name, temporary binary path) — all three must
  be present from the same source within a short time window. This three-event correlation
  dramatically reduces false positives compared to individual event detection.
references:
  - https://attack.mitre.org/techniques/T1021/002/
  - https://www.socinvestigation.com/threat-hunting-with-eventid-5145-object-access-detailed-file-share/
  - https://github.com/fortra/impacket
  - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
author: "@iimp0ster"
date: 2025/01/15
tags:
  - attack.lateral_movement
  - attack.t1021.002
  - attack.execution
  - attack.t1569.002
  - detection.maturity.analyst
logsource:
  product: windows
  service: system
detection:
  # Focus on the clearest signal: service installed from temp path after logon
  # The IPC$ correlation must be done at the SIEM/pipeline level
  selection_service_install:
    EventID: 7045
  filter_suspicious_path:
    ImagePath|contains:
      - '\Windows\Temp\'
      - '\Users\Public\'
      - '\ProgramData\'
  filter_command_exec:
    ImagePath|contains:
      - '%COMSPEC%'
      - 'cmd.exe /Q /c'
      - 'cmd.exe /C'
  filter_random_service:
    # Impacket psexec generates random 8-char service names like "TrPFXzGH"
    # This regex check should be done at SIEM level; approximated here
    ServiceName|re: '^[A-Za-z]{6,12}$'
  condition: selection_service_install and (filter_suspicious_path or filter_command_exec or filter_random_service)
falsepositives:
  - Authorized use of PsExec or Impacket by red teams (check with security team)
  - SCCM/Intune deployments that use temporary service paths (verify source IP)
  - Legitimate remote admin via sc.exe from known admin workstations
level: high

Early Detection Layers

Detect before the user pastes or executes — earlier in the kill chain than the Sysmon-based rules above, using different data sources.

Evolution Timeline (5 events — click to expand)

Techniques and tooling evolve; the underlying detection chokepoint does not.

2025-01

Impacket adds rdp_shadow.py (PR#2064)

Change: Native RDP session hijacking (rdp_shadow.py) added to Impacket suite via PR#2064.

Detection impact: Existing RDP session manipulation detection (Event ID 4624 LogonType 10) applies

2023-Q4

CrackMapExec officially archived

Change: CME archived December 6, 2023; behavioral detection remains valid but CME-specific hash/signature rules stop receiving updates.

Detection impact: Behavioral detection remains valid; tool-specific hash/signature-based detection for CME becomes stale

2023-Q3

NetExec forked from CrackMapExec

Change: Active CrackMapExec fork adds LDAP and SSH support; no fundamental change to underlying Windows API behavior.

Detection impact: No fundamental change to underlying Windows API behaviors

2019-Q2

Evil-WinRM released as dedicated WinRM exploitation tool

Change: Dedicated WinRM exploitation tool released; WinRM authentication spike detection becomes important.

Detection impact: WinRM authentication spike detection becomes important

2016-Q1

CrackMapExec released as multi-protocol framework

Change: Multi-protocol framework combining SMB, WMI, and WinRM in one tool; detection must cover all protocols.

Detection impact: Detection must cover multiple protocols, not just SMB

Raw Log Samples (4 samples — click to expand)

Real-world log events produced by this technique and which sigma rules they trigger.

Windows Event Log EID 4624

Research Analyst

Network logon (Type 3) from attacker IP before remote execution

EventID: 4624 (An account was successfully logged on)
TimeCreated: 2024-07-09T01:33:47.2284110Z
Channel: Security

LogonType: 3
NewLogonUserName: Administrator
NewLogonDomain: CORP
AuthenticationPackageName: NTLM
LogonProcessName: NtLmSsp
IpAddress: 10.10.50.5
IpPort: 49221
# LogonType=3 (Network) from internal IP — pre-execution authentication

Windows Event Log EID 5145

Analyst

IPC$ share access — PsExec/Impacket opens IPC$/svcctl before service creation

EventID: 5145 (A network share object was checked for access)
TimeCreated: 2024-07-09T01:33:47.4418230Z
Channel: Security

SubjectUserName: Administrator
ShareName: \\*\IPC$
RelativeTargetName: svcctl
AccessList: %%4416 (ReadData)
IpAddress: 10.10.50.5
# IPC$/svcctl access = opening service control manager over SMB (PsExec/Impacket pattern)

Windows Event Log EID 7045

Research Hunt Analyst

Random-named service installed from TEMP path — classic PsExec/Impacket signature

EventID: 7045 (A new service was installed in the system)
TimeCreated: 2024-07-09T01:33:47.8834120Z
Channel: System

ServiceName: xvkbmrfe
ServiceFileName: C:\Windows\Temp\xvkbmrfe.exe
ServiceType: user mode service
ServiceStartType: demand start
ServiceAccount: LocalSystem
# 8-char random name + TEMP binary path = PsExec/Impacket/CrackMapExec pattern

Sysmon EID 1

Hunt Analyst

cmd.exe spawned from services.exe — service binary executing attacker commands

EventID: 1 (Process Create)
UtcTime: 2024-07-09 01:33:48.227
ProcessId: 4096
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe /Q /c whoami 1>\\127.0.0.1\ADMIN$\__1720488827.18 2>&1
ParentProcessId: 612
ParentImage: C:\Windows\System32\services.exe
# services.exe → cmd.exe is the canonical PsExec parent chain
# Output redirected to ADMIN$ share — PsExec output capture pattern

Emulation Script (click to expand)

⚠ Lab use only. Requires Administrator. All activity targets localhost only. Run in isolated lab VM.

powershell ATT&CK: T1021.002 Simulates network logon, IPC$ access, random-named service creation, and cmd.exe execution

POWERSHELL

View on GitHub Download

#Requires -Version 5.1
# MITRE ATT&CK: T1021.002 / T1569.002 — SMB Admin Shares / Service Execution
# Simulates PsExec/Impacket-style lateral movement via SMB service installation.

[CmdletBinding()]
param(
    [int]$SprayCount = 1,
    [switch]$CleanupOnly
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Continue'

function Write-Step ([string]$Msg) { Write-Host "[*] $Msg" -ForegroundColor Cyan }
function Write-Ok   ([string]$Msg) { Write-Host "[+] $Msg" -ForegroundColor Green }
function Write-Warn ([string]$Msg) { Write-Host "[!] $Msg" -ForegroundColor Yellow }

function New-RandomServiceName {
    # PsExec/Impacket use 8-char random alphanumeric service names
    $chars = 'abcdefghijklmnopqrstuvwxyz0123456789'
    return -join ((1..8) | ForEach-Object { $chars[(Get-Random -Maximum $chars.Length)] })
}

$ServiceNames = @()

function Remove-Artefacts {
    foreach ($svcName in $ServiceNames) {
        if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) {
            sc.exe stop $svcName 2>&1 | Out-Null
            sc.exe delete $svcName 2>&1 | Out-Null
        }
    }
    net use \\127.0.0.1\IPC$ /delete /y 2>&1 | Out-Null
    if ($ServiceNames.Count -gt 0) {
        Write-Ok "Removed $($ServiceNames.Count) test service(s) and IPC$ connection"
    }
}

if ($CleanupOnly) { Remove-Artefacts; exit 0 }

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Error "Administrator privileges required. Rerun as Administrator."
    exit 1
}

Write-Host ""
Write-Host "=== Remote Execution Tools (HackTools) Emulation ===" -ForegroundColor Magenta
Write-Host "    T1021.002 + T1569.002 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""

for ($spray = 1; $spray -le $SprayCount; $spray++) {
    if ($SprayCount -gt 1) {
        Write-Host ""
        Write-Host "--- Spray iteration $spray of $SprayCount ---" -ForegroundColor DarkYellow
    }

    # ── Step 1: IPC$ network logon — Research rule trigger (WEL 4624+5145) ────
    Write-Step "Step 1/3 — Network logon (Type 3) + IPC$ access"

    $netResult = net use \\127.0.0.1\IPC$ /user:$env:USERNAME '' 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Ok "net use \\127.0.0.1\IPC$ succeeded — WEL 4624 (LogonType 3) + 5145 generated"
    } else {
        # Blank password may fail; try current session token
        $netResult2 = net use \\127.0.0.1\IPC$ 2>&1
        Write-Ok "IPC$ connection attempt: $netResult2 (telemetry generated on attempt)"
    }

    Start-Sleep -Milliseconds 400

    # ── Step 2: Random-named service creation from TEMP — Hunt rule trigger ────
    $svcName = New-RandomServiceName
    $ServiceNames += $svcName

    Write-Step "Step 2/3 — Service creation with random name from TEMP path"
    Write-Verbose "  Service name: $svcName (8-char alphanumeric — PsExec/Impacket pattern)"
    Write-Verbose "  Binary path: C:\Windows\Temp\$svcName.exe (TEMP path — Hunt signal)"

    $createResult = sc.exe create $svcName `
        binPath= "C:\Windows\Temp\$svcName.exe" `
        type= own start= demand `
        displayname= "$svcName" 2>&1
    Write-Ok "sc create $svcName`: $createResult"
    Write-Ok "WEL 7045 generated — Service=$svcName, BinaryPath=C:\Windows\Temp\$svcName.exe"

    Start-Sleep -Milliseconds 400

    # ── Step 3: cmd.exe spawned from PowerShell simulating service execution ──
    # In a real PsExec scenario, services.exe spawns the service binary which runs cmd.exe
    # We simulate this by running cmd /c whoami (generates Sysmon EID 1 from current context)
    Write-Step "Step 3/3 — Simulating service-spawned command execution"
    Write-Verbose "  Real pattern: services.exe → <random_svc>.exe → cmd.exe → payload"
    Write-Verbose "  Note: Real PsExec parent would be services.exe — manual replay has higher fidelity"

    $cmdResult = cmd.exe /c "whoami && hostname && net user" 2>&1
    Write-Ok "cmd.exe executed recon commands (EID 1 generated):"
    $cmdResult | ForEach-Object { Write-Host "    $_" -ForegroundColor DarkGray }

    Start-Sleep -Milliseconds 300
}

Write-Host ""
Write-Step "Cleaning up artefacts"
Remove-Artefacts

Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected detections:" -ForegroundColor White
Write-Host "  [Research]  WEL 4624 LogonType=3 + WEL 7045 (service installed)"                          -ForegroundColor DarkCyan
Write-Host "  [Hunt]      7045 with random name + TEMP binary path + WMI/service parent (EID 1)"        -ForegroundColor DarkYellow
Write-Host "  [Analyst]   IPC$ access (5145) + 7045 with suspicious name + EID 1 with recon commands"   -ForegroundColor DarkGreen
Write-Host ""
Write-Host "Higher fidelity options:" -ForegroundColor DarkGray
Write-Host "  - Replay with Impacket psexec.py against a lab target (generates authentic services.exe parent)"
Write-Host "  - Use Atomic Red Team: Invoke-AtomicTest T1021.002 -TestNumbers 1"
Write-Host "  - Attack data replay: https://github.com/splunk/attack_data (impacket dataset)"
Write-Host ""

OSINT Sources

Shodan port:5985 product:"Microsoft HTTPAPI"

Finds internet-exposed WinRM endpoints; narrow with 'org:' or 'net:' filters to audit your own attack surface — run a second query on port 5986 for the HTTPS variant.

Shodan ssl.jarm:07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba37e62256d5 port:443

Clusters of hosts sharing this default Cobalt Strike JARM fingerprint are likely team servers; more resilient to infrastructure rotation than IP/domain blocklists.

GitHub Code Search "wmiexec" OR "smbexec" OR "atexec" path:*.py

Finds community tools built on Impacket execution primitives; use for defender awareness of new modules extending the execution surface.

Intel Resources

• MITRE ATT&CK — Impacket Software S0357 — Lists every known threat actor (APT groups, ransomware operators) documented using Impacket; far more useful to a defender than the raw GitHub repo for understanding real-world prevalence
• MITRE ATT&CK — T1021.003 DCOM — Technique definition for DCOM-based lateral movement; covers dcomexec.py usage and detection guidance
• MITRE ATT&CK — T1569.002 Service Execution — Technique definition for service-based remote execution (psexec/smbexec pattern); the primary detection signal in this chokepoint's hunt and analyst rules
• Microsoft — Storm-0501 Ransomware Hybrid Cloud Attacks — Documents Storm-0501 using Impacket SecretsDump for lateral movement in hybrid cloud environments; concrete example of Impacket use in a 2024 ransomware campaign
• Impacket GitHub — Monitor releases and PRs for new execution modules; source of truth for what capabilities the suite currently covers
• NetExec GitHub — Active successor to CrackMapExec; track new protocol support and OPSEC improvements that affect detection
• SOC Investigation — Event ID 5145 Threat Hunting — Detailed guidance on using Event ID 5145 (Detailed File Share) for lateral movement detection; covers IPC$ access correlation

Related Chokepoints

Ransomware Service Manipulation CRITICAL