maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

f

Browse Source
This commit is contained in:
carlospolop 2025-08-19 22:55:59 +02:00
parent abeba13e87
commit cecefd1101
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/windows-hardening/lateral-movement/psexec-and-winexec.md
View File

@ -140,7 +140,7 @@ Hunting ideas
- Kerberos fails but NTLM is blocked: connect using hostname/FQDN (not IP), ensure proper SPNs, or supply -k/-no-pass with tickets when using Impacket.
- Service start times out but payload ran: expected if not a real service binary; capture output to a file or use smbexec for live I/O.
## Hardening notes (modern changes)
## Hardening notes
- Windows 11 24H2 and Windows Server 2025 require SMB signing by default for outbound (and Windows 11 inbound) connections. This does not break legitimate PsExec usage with valid creds but prevents unsigned SMB relay abuse and may impact devices that dont support signing.
- New SMB client NTLM blocking (Windows 11 24H2/Server 2025) can prevent NTLM fallback when connecting by IP or to non-Kerberos servers. In hardened environments this will break NTLM-based PsExec/SMBExec; use Kerberos (hostname/FQDN) or configure exceptions if legitimately needed.
- Principle of least privilege: minimize local admin membership, prefer Just-in-Time/Just-Enough Admin, enforce LAPS, and monitor/alert on 7045 service installs.