While we don’t suggest using PsExec-type functionality for lateral movement due to its large host footprint, there are still times when it might be useful or appropriate.


This module lets you install Empire agents on additional domain machines by manipulating the remote service manager to create, configure, start, and remove a service. From an agent menu, type usemodule lateral_movement/invoke_psexec. Use set Listener NAME to choose the listener the new target should stage to. Listener names should be tab-completable. To find machines you can PsExec to, try the situational_awareness/network/find_localadmin_access module first.
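Part of the host footprint mentioned above is the System-log event 7045 ("A service was installed in the system") that the target records when a service is created through the remote service manager. The following is an added example, not code from Empire or the original page, that triages such records; the JSON-lines export format, the sample events and the three heuristics are assumptions made for illustration.

```python
import json
import ntpath
import re

# Constructed sample: event records exported as JSON lines (all values invented).
SAMPLE_EVENTS = r'''
{"EventID": 7045, "Computer": "ws01.example.test", "ServiceName": "Updater", "ImagePath": "%COMSPEC% /c powershell -NoP -enc PLACEHOLDER"}
{"EventID": 7045, "Computer": "ws02.example.test", "ServiceName": "VendorAgent", "ImagePath": "\"C:\\Program Files\\Vendor\\agent.exe\" --service"}
{"EventID": 7036, "Computer": "ws01.example.test", "ServiceName": "Updater"}
{"EventID": 7045, "Computer": "ws03.example.test", "ServiceName": "kxqzjw", "ImagePath": "C:\\Windows\\Temp\\kxqzjw.exe"}
'''

# Heuristics chosen for this example; tune them against your own baseline.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(windows\\temp|users\\[^\\]+\\appdata|programdata)\\", re.I)
ENCODED_FLAG = re.compile(r"\s-(e|en|enc|enco[a-z]*)\s", re.I)

def executable_of(image_path):
    """Return the lower-cased executable path from a service ImagePath."""
    path = re.sub("%comspec%", lambda m: r"C:\Windows\System32\cmd.exe",
                  image_path.strip(), flags=re.I)
    if path.startswith('"'):
        return path[1:].split('"', 1)[0].lower()
    # Unquoted paths containing spaces are ambiguous; take the first token.
    return path.split(" ", 1)[0].lower()

def reasons(event):
    """List the reasons a 7045 record deserves a closer look."""
    image = event.get("ImagePath", "")
    exe = executable_of(image)
    found = []
    if ntpath.basename(exe) in INTERPRETERS:
        found.append("service binary is an interpreter")
    if ENCODED_FLAG.search(image):
        found.append("encoded PowerShell command")
    if USER_WRITABLE.search(exe):
        found.append("binary in writable directory")
    return found

def suspicious_installs(lines):
    """Return (computer, service, reasons) for each flagged 7045 record."""
    hits = []
    for line in filter(str.strip, lines.splitlines()):
        event = json.loads(line)
        if event.get("EventID") == 7045 and reasons(event):
            hits.append((event["Computer"], event["ServiceName"], reasons(event)))
    return hits

if __name__ == "__main__":
    for computer, service, why in suspicious_installs(SAMPLE_EVENTS):
        print(f"{computer}: {service}: {', '.join(why)}")
```

Correlating flagged installs with the logon that preceded them on the same host helps separate administrative tooling from unexpected remote service creation.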