@justaguywhocodes
Created January 28, 2026 19:58
Step 0: Pre-requisites - Enable Remote Administration on the Remote Machine
Before PsExec can reach the remote machine it must accept inbound SMB (TCP 445) and expose the ADMIN$ and IPC$ shares: PsExec copies its PSEXESVC helper to ADMIN$ and drives the Service Control Manager over the svcctl named pipe. Two things to check:
0.1 Enable the File and Printer Sharing (SMB) and Remote Administration exceptions in Windows Firewall.
netsh can enable the predefined rule groups. The commands below are wrapped in psexec for convenience, but that only works if SMB is already reachable; PsExec cannot open the firewall rules it depends on. On a target that is still blocking 445, run the same netsh commands locally (console, RDP or another management channel).
Note: this step may already be done in your environment, and if the lab firewall is off it can be skipped. For completeness:
```cmd
psexec \\REMOTE_PC -u USER -p PASSWORD netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
psexec \\REMOTE_PC -u USER -p PASSWORD netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
```
PsExec itself does not use WMI, but if you also want WMI-based remote queries (wmic, Get-CimInstance) during the test, enable that predefined group as well:
```cmd
psexec \\REMOTE_PC -u USER -p PASSWORD netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
```
0.2 Check that the Remote Registry service is running (optional: PsExec does not need it, but remote reg queries and some sc/wmic operations do)
Start it if necessary (net start simply reports an error if it is already running):
```cmd
psexec \\REMOTE_PC -u USER -p PASSWORD sc config RemoteRegistry start= auto
psexec \\REMOTE_PC -u USER -p PASSWORD net start RemoteRegistry
```
Step 1: Create a Service using PsExec
We create a harmless service whose binary is a cmd one-liner (wait 5 seconds, then exit). Creating it is enough for the test: the Service Control Manager writes Event ID 7045 to the System log at creation time. Do not expect the service to start cleanly if you try; cmd.exe is not a service executable, so the SCM reports error 1053 after its 30-second start timeout. Note also that PsExec installs and removes its own PSEXESVC service on the target for every invocation, so each psexec line below produces a second 7045 entry with ServiceName PSEXESVC.
```cmd
psexec \\REMOTE_PC -u USER -p PASSWORD sc create TestService binPath= "cmd /c timeout /t 5 && exit 0" start= demand
```
Step 2: Verify the Service was Created
```cmd
psexec \\REMOTE_PC -u USER -p PASSWORD sc query TestService
```
Step 3: Cleanup - Delete the Service
```cmd
psexec \\REMOTE_PC -u USER -p PASSWORD sc delete TestService
```
Step 4: Revert Firewall Changes (Optional)
If you enabled firewall rules for the test and wish to revert, disable the same groups. This turns off every rule in each group, including any that were already enabled before the test, so record the prior state first if the host is not disposable:
```cmd
psexec \\REMOTE_PC -u USER -p PASSWORD netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no
psexec \\REMOTE_PC -u USER -p PASSWORD netsh advfirewall firewall set rule group="Remote Administration" new enable=no
psexec \\REMOTE_PC -u USER -p PASSWORD netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=no
```
Full Command Sequence for Testing:
```cmd
REM Ensure firewall rules are set to allow remote administration
psexec \\REMOTE_PC -u USER -p PASSWORD netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
psexec \\REMOTE_PC -u USER -p PASSWORD netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
psexec \\REMOTE_PC -u USER -p PASSWORD netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
REM Start Remote Registry service if needed (optional)
psexec \\REMOTE_PC -u USER -p PASSWORD sc config RemoteRegistry start= auto
psexec \\REMOTE_PC -u USER -p PASSWORD net start RemoteRegistry
REM Create the test service
psexec \\REMOTE_PC -u USER -p PASSWORD sc create TestService binPath= "cmd /c timeout /t 5 && exit 0" start= demand
REM Verify the service
psexec \\REMOTE_PC -u USER -p PASSWORD sc query TestService
REM Cleanup: Delete the service
psexec \\REMOTE_PC -u USER -p PASSWORD sc delete TestService
REM Optional: Revert firewall rules to previous state (if desired)
REM ... [the revert commands above] ...
```
Important Security Note:
These commands are for testing in a controlled lab environment only.
Enabling firewall rules for remote administration can expose the machine to attacks if done in an unsecured network.
Alternative: Disable Firewall Entirely (for lab only)
If you are in a closed lab and want to avoid firewall issues, you can disable the firewall on the remote machine temporarily:
```cmd
psexec \\REMOTE_PC -u USER -p PASSWORD netsh advfirewall set allprofiles state off
```
After testing, re-enable:
```cmd
psexec \\REMOTE_PC -u USER -p PASSWORD netsh advfirewall set allprofiles state on
```
But note: Disabling the firewall entirely is less secure and should only be done in a safe, isolated environment.
To test the TTP "Scattered Spider used PSEXEC to create new service on remote machine" in a controlled lab environment, here are the complete commands to configure the remote machine and execute the test. Replace placeholders (REMOTE_PC, USER, PASSWORD) with your lab machine's details.
🔧 Step 1: Configure Remote Machine for PsExec Access
Run these on the remote target machine itself (they prepare it for remote control; they cannot be pushed through PsExec before SMB is open):
```cmd
:: Enable necessary firewall rules
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
:: Start required services (sc requires a space after "start=")
net start lanmanserver
sc config lanmanserver start= auto
net start remoteregistry
sc config remoteregistry start= auto
:: Create local admin account (for test authentication)
:: On a workgroup (non-domain) target, remote UAC filtering denies network logons by local
:: admins other than the built-in Administrator; set LocalAccountTokenFilterPolicy=1 under
:: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System or PsExec returns "Access is denied".
net user TestAdmin P@ssw0rd123! /add
net localgroup administrators TestAdmin /add
```
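The same target preparation in PowerShell, as an added example and not the gist's own commands. It runs elevated on the target itself, enables the rule groups PsExec actually depends on, creates the lab account, and adds the step the cmd sequence above only mentions in a comment: on a workgroup machine, LocalAccountTokenFilterPolicy must be 1 or PsExec fails with "Access is denied" for any local admin other than the built-in Administrator. The account name and password are the lab placeholders used on this page; the rule-group display names are assumed to be the Windows 10/11 and Server 2016+ names.

```powershell
# Added example, not from the original gist. Run elevated on the lab target.
# Assumptions: Windows 10/11 or Server 2016+, Windows Defender Firewall, workgroup
# (non-domain) machine, lab-only credentials TestAdmin / P@ssw0rd123! from this page.
$ErrorActionPreference = 'Stop'
$User = 'TestAdmin'
$Pass = 'P@ssw0rd123!'

# 1. Firewall: PsExec needs only SMB (TCP 445). It copies PSEXESVC.exe to ADMIN$ and
#    drives the Service Control Manager over the \pipe\svcctl named pipe. The second
#    group is for remote "sc \\host" / services.msc queries, not for PsExec itself.
foreach ($group in 'File and Printer Sharing', 'Remote Service Management') {
    if (Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue) {
        Enable-NetFirewallRule -DisplayGroup $group
        Write-Host "Enabled firewall rule group: $group"
    } else {
        Write-Warning "Rule group not present on this build: $group"
    }
}

# 2. Services: LanmanServer publishes ADMIN$ and IPC$. RemoteRegistry is optional
#    (PsExec does not use it), so it is left alone here.
Set-Service -Name LanmanServer -StartupType Automatic
Start-Service -Name LanmanServer

# 3. Lab account in the local Administrators group (skipped if it already exists).
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    $secure = ConvertTo-SecureString $Pass -AsPlainText -Force
    New-LocalUser -Name $User -Password $secure -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $User
}

# 4. Remote UAC filtering: on a workgroup machine, network logons by local admins other
#    than the built-in Administrator receive a filtered (non-admin) token, so ADMIN$
#    access and CreateService fail. LocalAccountTokenFilterPolicy=1 disables the filter.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $polKey -Name 'LocalAccountTokenFilterPolicy' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 5. Readiness report: the shares PsExec touches, the enabled inbound SMB rules, and the
#    profile of the active connection (a rule scoped to Private does nothing on Public).
Get-SmbShare -Name 'ADMIN$', 'IPC$' | Select-Object Name, Path, Description
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Profile
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
```

From the attacker host, `Test-NetConnection REMOTE_PC -Port 445` should report TcpTestSucceeded True before the first psexec run. For cleanup, undo step 4 with `Remove-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy` alongside the account and firewall reverts shown below; leaving the policy at 1 weakens every local admin account on the host, not just TestAdmin.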
⚡ Step 2: Create Service via PsExec
Run these from the attacker machine (simulate the TTP). PsExec first installs its own PSEXESVC service on the target, runs sc.exe under it and removes it, so each line below also leaves a PSEXESVC 7045 entry on the target:
```cmd
:: Create harmless test service
psexec \\REMOTE_PC -u TestAdmin -p P@ssw0rd123! sc create EvilService binPath= "cmd /c timeout /t 10" start= auto
:: Verify service creation
psexec \\REMOTE_PC -u TestAdmin -p P@ssw0rd123! sc query EvilService
:: Start the service (optional; cmd.exe is not a service binary, so expect "StartService FAILED 1053" after the SCM's 30-second timeout)
psexec \\REMOTE_PC -u TestAdmin -p P@ssw0rd123! sc start EvilService
```
🧹 Step 3: Cleanup
On the remote target machine:
```cmd
:: Remove service
sc delete EvilService
:: Remove test account
net user TestAdmin /delete
:: Revert firewall rules
netsh advfirewall firewall set rule group="Remote Administration" new enable=no
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no
```
🔍 Verification Checks
On the remote machine:
```cmd
:: Check service existence
sc query EvilService
:: Check Event Viewer logs
eventvwr.msc
```
Look for Event ID 7045 ("A service was installed in the system") in Windows Logs > System. Expect one entry for EvilService (ImagePath `cmd /c timeout /t 10`, account TestAdmin) immediately preceded by one for PSEXESVC (ImagePath `%SystemRoot%\PSEXESVC.exe`), the helper PsExec installs and removes on every run; the 7036 entries around it show PSEXESVC entering the running and stopped states. If the Security log has logon, file-share and security-system-extension auditing enabled, the same run also appears as 4624 (logon type 3), 5140 for ADMIN$ and IPC$, and 4697.
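A target-side triage script for the evidence described above, added here as an example rather than taken from the gist. It pulls the 7045 service installs, marks the PsExec helper, any service whose binary is a shell, and the lab service names used on this page, then adds the 7036 state changes and the Security-log events that only exist when auditing is on. Run it elevated on the target after the test; the one-hour window and the service names EvilService/TestService are assumptions taken from this page.

```powershell
# Added example, not from the original gist. Run elevated on the lab target after the test.
# Assumptions: System log intact for the window; Security-log events (4624, 5140, 4697)
# appear only if the matching audit subcategories are enabled; 'EvilService' and
# 'TestService' are the lab service names used on this page.
$Since = (Get-Date).AddHours(-1)
$LabServices = @('EvilService', 'TestService')

# Flatten an event's <EventData><Data Name="..."> children into a hashtable.
function Get-EventFields($Event) {
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    return $fields
}

# Event 7045 (Service Control Manager, System log): written at CreateService time for
# every new service. PsExec always installs PSEXESVC first, so a PsExec run leaves the
# helper's 7045 immediately before the one for the service the operator created.
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $f['ServiceName']
            ImagePath   = $f['ImagePath']
            StartType   = $f['StartType']
            Account     = $f['AccountName']
            Why         = @(
                if ($f['ServiceName'] -eq 'PSEXESVC' -or $f['ImagePath'] -match '(?i)psexesvc') { 'PsExec helper' }
                if ($f['ImagePath'] -match '(?i)(^|\\)(cmd|powershell|pwsh)(\.exe)?\b') { 'shell as service binary' }
                if ($f['ServiceName'] -in $LabServices) { 'lab test service' }
            ) -join '; '
        }
    }
Write-Host "== 7045 service installs since $Since =="
$installs | Sort-Object Time | Format-Table -AutoSize

# Event 7036: PSEXESVC entering the running and stopped states brackets the remote command.
Write-Host "== 7036 PSEXESVC state changes =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap

# Security log (only with auditing on): 4624 type-3 network logon by the lab account,
# 5140 access to ADMIN$/IPC$, 4697 service install (Audit Security System Extension).
Write-Host "== Security-log correlation (empty if auditing is off) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 5140, 4697; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        switch ($_.Id) {
            4624 { if ($f['LogonType'] -eq '3') { "$($_.TimeCreated) 4624 network logon $($f['TargetUserName']) from $($f['IpAddress'])" } }
            5140 { if ($f['ShareName'] -match 'ADMIN\$|IPC\$') { "$($_.TimeCreated) 5140 share $($f['ShareName']) by $($f['SubjectUserName']) from $($f['IpAddress'])" } }
            4697 { "$($_.TimeCreated) 4697 service $($f['ServiceName']) -> $($f['ServiceFileName'])" }
        }
    }

# File artifact: PsExec deletes PSEXESVC.exe when it exits cleanly; a leftover copy means
# a run was interrupted or the remote session was killed.
if (Test-Path "$env:SystemRoot\PSEXESVC.exe") { Write-Warning 'PSEXESVC.exe still present in %SystemRoot%' }
```

The 7045 rows are the durable signal: even after `sc delete` removes EvilService and PsExec cleans up PSEXESVC, the System log keeps both installs with the account that created them, which is what a detection rule for this TTP keys on. The Security-log section is deliberately tolerant of an empty result so the script is usable on a default (unaudited) lab image.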