PsExec

The PsExec feature of BRc4 is partially similar to Microsoft's Sysinternals PsExec: it creates a service on a given remote host and starts it over Remote Procedure Calls (RPC). Unlike Microsoft's PsExec, whose service spawns cmd.exe with CreateProcess and relays its input and output over named pipes on SMB, the BRc4 PsExec service executable carries a shellcode blob built from a payload profile that you name when running the command. That profile can be an SMB, DOH, HTTP or TCP profile, so you are not limited to SMB badgers.

One of the most important OpSec considerations during lateral movement is to stay disguised as a legitimate service. Several PsExec options, such as the service name, the service description, the service executable name and the type of payload to execute on the remote host, can be changed on the go under C4 Profiler->PsExec Config; these values are used whenever a PsExec service is created on a host. Keep in mind that the service installation is still recorded by the target's Service Control Manager (System log event 7045) and the service binary is written to the target, so choose names and paths that blend in with what already runs there.

To create a service directly from a payload profile you need administrative privileges on the target host. Most of the time a token stolen from an administrator's process, or one created with the make_token command using an administrator's credentials, is enough.

The psexec command takes two arguments: the host name or IP address on which to create the service, and the name of the payload configuration from the Payload Profiler. The example above uses an SMB profile.

Once you run the command, the ratel server builds a payload from the named payload configuration, copies it to the remote host, creates the service and starts it over RPC. For an SMB payload, connect to the new SMB badger with the pivot_smb command.
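The service that PsExec installs is also what a defender sees. As an added example that is not part of the BRc4 documentation or code, the Python below triages Windows System-log 7045 (service installed) events for the artifacts this technique leaves: the Sysinternals default service name, a service binary sitting directly in the Windows directory root (where the ADMIN$ share maps), and random-looking service names. The JSON export layout, the host name and every service name and path are constructed for the example. It shows why the PsExec Config options matter: the renamed "Windows Update Helper" service escapes both name checks, but its executable path still gives it away.

```python
"""
Added example, not part of the BRc4 documentation or code: triage Windows
System-log 7045 "A service was installed in the system" events for
PsExec-style service creation. The events below are constructed inline in a
simplified JSON export form assumed by this example.
"""
import json
import re

# Constructed sample export (assumption: a SIEM has flattened the 7045 message
# fields ServiceName, ImagePath, StartType and Account into JSON). The raw
# string keeps the JSON backslash escapes intact for json.loads().
SAMPLE_EVENTS_JSON = r'''[
 {"EventID": 7045, "Host": "FILESRV01", "ServiceName": "PSEXESVC",
  "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
  "StartType": "demand start", "Account": "LocalSystem"},
 {"EventID": 7045, "Host": "FILESRV01", "ServiceName": "Windows Update Helper",
  "ImagePath": "C:\\Windows\\wuhelper.exe",
  "StartType": "demand start", "Account": "LocalSystem"},
 {"EventID": 7045, "Host": "FILESRV01", "ServiceName": "bXkz9Qw2",
  "ImagePath": "C:\\Windows\\bXkz9Qw2.exe",
  "StartType": "demand start", "Account": "LocalSystem"},
 {"EventID": 7045, "Host": "FILESRV01", "ServiceName": "MSSQLSERVER",
  "ImagePath": "\"C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe\" -sMSSQLSERVER",
  "StartType": "auto start", "Account": "NT Service\\MSSQLSERVER"},
 {"EventID": 7045, "Host": "FILESRV01", "ServiceName": "TermService",
  "ImagePath": "C:\\Windows\\System32\\svchost.exe -k NetworkService",
  "StartType": "demand start", "Account": "NT Authority\\NetworkService"},
 {"EventID": 7036, "Host": "FILESRV01", "ServiceName": "Spooler",
  "ImagePath": "", "StartType": "", "Account": ""}
]'''

# Sysinternals PsExec installs its service as PSEXESVC by default; BRc4 and
# other clones let the operator rename it, so this check alone is weak.
KNOWN_PSEXEC_NAMES = {"psexesvc"}

# ADMIN$ maps to %SystemRoot%, so a service binary sitting directly in the
# Windows directory root (not under System32) is the classic PsExec drop.
WINDOWS_ROOT_EXE = re.compile(
    r'^"?(?:%systemroot%|%windir%|[a-z]:\\windows)\\[^\\"]+\.exe"?(?:\s|$)',
    re.IGNORECASE,
)

# Crude heuristic for auto-generated names: a single alphanumeric token that
# mixes upper case, lower case and digits, as many random-name helpers emit.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{6,16}$")


def triage_7045(events):
    """Return one finding per 7045 event that looks like a PsExec-style install."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue  # only service-install events are of interest here
        name = ev.get("ServiceName", "")
        image = ev.get("ImagePath", "")
        reasons = []
        if name.lower() in KNOWN_PSEXEC_NAMES:
            reasons.append("default PsExec service name")
        if WINDOWS_ROOT_EXE.match(image):
            reasons.append("binary dropped into %SystemRoot% root (ADMIN$)")
        if RANDOM_NAME.match(name):
            reasons.append("random-looking service name")
        if reasons:
            findings.append({"host": ev.get("Host"), "service": name,
                             "image": image, "reasons": reasons})
    return findings


def triage_sample():
    """Run the triage over the constructed sample export."""
    return triage_7045(json.loads(SAMPLE_EVENTS_JSON))


if __name__ == "__main__":
    for finding in triage_sample():
        print(f"{finding['host']}: {finding['service']!r} -> "
              f"{', '.join(finding['reasons'])}")
```

Run it directly to print the findings. In practice you would feed it real 7045 exports and add an allowlist for installers that legitimately place a service executable in the Windows root on your estate; the path check is the one an operator cannot defeat simply by picking a plausible service name.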