From 1b3361896fde3d89454165eb85d21b285b22ab7e Mon Sep 17 00:00:00 2001
From: llandeilocymro <edward.d.williams@gmail.com>
Date: Fri, 16 Mar 2018 14:00:33 +0000
Subject: [PATCH] Create psexec

---
 Windows/Lateral_Movement/psexec | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 Windows/Lateral_Movement/psexec

diff --git a/Windows/Lateral_Movement/psexec b/Windows/Lateral_Movement/psexec
new file mode 100644
index 00000000..b12d1c98
--- /dev/null
+++ b/Windows/Lateral_Movement/psexec
@@ -0,0 +1,19 @@
+## PsExec
+
+MITRE ATT&CK Software: [S0029] (https://attack.mitre.org/wiki/Software/S0029)
+
+PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.
+
+### PsExec lateral movement:
+
+Input:
+
+`Psexec -accepteula \\host cmd`
+
+### Artifacts:
+The Windows Event ID 4689 - A process has exited
+If you kill a PsExec process, you might also need to manually remove the background service:
+`sc.exe \\workstation64 delete psexesvc`
+
+Reference:
+https://docs.microsoft.com/en-us/sysinternals/downloads/psexec