Network security defenses evaded with new PsExec utility

Threat actors have been leveraging the new Sysinternals PsExec utility implementation developed by Pentera to facilitate lateral movement across targets' networks using the less monitored Windows TCP port 135, indicating that blocking port 445 alone is insufficient, reports BleepingComputer. "We found that the SMB protocol is used to upload the binary and to forward the input and output," said Pentera Senior Security Researcher Yuval Lazar, who added that command execution using the Impacket library-based PsExec implementation is enabled by Distributed Computing Environment / Remote Procedure Calls (DCE/RPC). Aside from organizations' focus on port 445 and SMB, detection of the new PsExec variant is also being hampered by its fileless implementation, said Lazar. "Security teams need to understand how different ports can be used by hackers so that they know what to monitor them for," Lavar added. Meanwhile, CERT/CC Vulnerability Analyst Will Dormann also emphasized the importance of looking beyond blocking port 445 in protecting their systems against malicious activity.