This post is the first in a threat hunting series profiling detection points for common cyber threat actor attack techniques. The series is geared toward network defenders wanting to understand, identify, and protect against these attacks. Each post will briefly describe a technique, when and how it might be used, potential indicators generated, and ways to detect or hunt for those indicators. Praetorian’s goal is for this series to serve as a handy reference for defenders looking to answer the question: How do I detect ___?
A note on tools: There are many options when it comes to network defense tooling. Some defenders might have access to full packet captures and robust endpoint telemetry, others might collect only a subset of events from a few sources. In order to present these techniques using a standard nomenclature and accessible toolset, Praetorian will present examples using DetectionLab¹. While the DetectionLab environment might not generate the exact same events as, for example, popular enterprise EDR products, it will produce the same kind of events. Crafty defenders can apply the detection logic presented in these posts to their tools in order to identify potentially malicious activity in different environments.
PsExec is a system administration utility that can execute programs on remote Windows hosts². The tool is a lightweight, standalone utility that can provide interactive access to the programs it runs remotely. Similar functionality is available using things like PowerShell Remoting in newer versions of Windows; however, PsExec’s versatility and ease of use make it a favorite for attackers. Commonly used attack frameworks such as Cobalt Strike and Metasploit each provide PsExec-style capabilities. There are also a number of threat actors³ known to use either the official version of the tool, which is signed by Microsoft, or a custom variant.
Attackers often use Sysinternals PsExec to perform lateral movement. Assume an attacker has (1) a foothold in an environment and (2) compromised credentials with Local Administrator privileges on one host. The attacker can run PsExec on the compromised host and execute commands on another host.
The standard PsExec activity pattern is as follows:
(1) Authenticate to the target host over SMB using either the current logon session or supplied credentials.
(2) Copy the service executable file PSEXESVC.EXE to the path \\<target_host>\admin$\system32.
(3) Connect to the service control manager on the target host to install and start PSEXESVC.
(4) Facilitate input/output via the named pipe \\.\pipe\psexesvc.
(5) (On completion) Uninstall the service and delete the service executable.
Most indicators of PsExec activity are available from host-based telemetry tools. In this case, event IDs will be taken from Sysmon and Windows System/Security logs, but there are analogues available in other popular monitoring solutions.
It is possible for attackers to modify several of the values associated with the indicators above. Defenders should be on the lookout for evasion indicators in line with the following:
Take note: both the service name and the named pipe created during PsExec activity are arbitrary; any variant of the PsExec program provides the ability to easily change these values on a per-execution basis. This potential variability can, however, lend itself to scoping intrusions. Once identified, “custom”-named services and pipes matching the PsExec activity pattern can provide a high-fidelity signature for scoping an intrusion.
Basic detection of PsExec activity can be accomplished by monitoring for remote service creation using the well-known “PSEXESVC” name:
EventCode==7045 AND (“Service Name” CONTAINS “PSEXESVC”)
If telemetry is available, the optimal solution is to monitor for the uniquely-named pipes that are created as part of the process⁴:
EventCode==5145 AND (“Relative Target Name” CONTAINS (“*-stdin” OR “*-stdout” OR “*-stderr”))
Finally, changes to the EULA registry key could be a useful addition to any of the above:
EventCode==13 AND (“TargetObject” CONTAINS “*software\sysinternals\psexec\eulaaccepted”)
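The three rules above, and the activity pattern they are derived from, applied to a handful of constructed sample events. This is an added illustration, not Praetorian’s or DetectionLab’s own code; the field names (EventCode, Service Name, Relative Target Name, TargetObject) are assumed to match what a SIEM exposes for Windows System 7045, Security 5145 and Sysmon 13. It goes one step beyond the rules by pairing each host’s installed service names with the prefix of any -stdin/-stdout/-stderr pipe seen on that host, so a renamed service that still follows the PsExec pattern is surfaced for scoping.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry) shaped like the fields a SIEM
# exposes for Windows System 7045, Security 5145 and Sysmon 13.
SAMPLE_EVENTS = [
    {"EventCode": 7045, "Computer": "WKS-02", "Service Name": "PSEXESVC"},
    {"EventCode": 5145, "Computer": "WKS-02",
     "Relative Target Name": "PSEXESVC-WKS-01-4120-stdin"},
    {"EventCode": 13, "Computer": "WKS-01",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Sysinternals\PsExec\EulaAccepted"},
    # Renamed service and pipe: only the pipe-suffix rule fires on these two.
    {"EventCode": 7045, "Computer": "SRV-05", "Service Name": "updsvc"},
    {"EventCode": 5145, "Computer": "SRV-05",
     "Relative Target Name": "updsvc-WKS-01-4120-stdout"},
    # Benign share access that must not match anything.
    {"EventCode": 5145, "Computer": "FS-01", "Relative Target Name": "reports\\q1.xlsx"},
]

PIPE_SUFFIX = re.compile(r"-(stdin|stdout|stderr)$", re.IGNORECASE)
EULA_KEY = re.compile(r"software\\sysinternals\\psexec\\eulaaccepted$", re.IGNORECASE)

def match_rules(event):
    """Return the names of the post's three rules that fire on one event."""
    code, hits = event.get("EventCode"), []
    if code == 7045 and "PSEXESVC" in event.get("Service Name", "").upper():
        hits.append("psexesvc_service_install")
    if code == 5145 and PIPE_SUFFIX.search(event.get("Relative Target Name", "")):
        hits.append("psexec_io_pipe")
    if code == 13 and EULA_KEY.search(event.get("TargetObject", "")):
        hits.append("psexec_eula_registry")
    return hits

def hunt(events):
    """Apply the rules, then pair each host's 7045 service names with the
    prefix of any -stdin/-stdout/-stderr pipe seen on that host, so a renamed
    service still surfaces the PsExec pattern (assumes no '-' in the name)."""
    alerts, services, pipes = [], defaultdict(set), defaultdict(set)
    for ev in events:
        alerts.extend((ev["Computer"], rule) for rule in match_rules(ev))
        target = ev.get("Relative Target Name", "")
        if ev.get("EventCode") == 7045:
            services[ev["Computer"]].add(ev["Service Name"].lower())
        elif ev.get("EventCode") == 5145 and PIPE_SUFFIX.search(target):
            pipes[ev["Computer"]].add(target.split("-")[0].lower())
    for host in services:
        for name in sorted(services[host] & pipes[host]):
            alerts.append((host, "psexec_pattern:" + name))
    return alerts
```

Running hunt(SAMPLE_EVENTS) flags SRV-05 even though its service is not called PSEXESVC, which is exactly the scoping signal the note above describes.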
Proper whitelisting and baselining are critical to identifying anomalous and potentially malicious activity. Sysinternals PsExec is a legitimate systems administration utility, and may be used as such day-to-day in an environment. Some legitimate monitoring solutions, vulnerability scanners, or asset management systems might also exhibit this activity pattern. Knowing your allow lists and baseline profile can help differentiate between common benign activity and potentially malicious behavior.
It is important to remember that PsExec will rarely be seen as an “opening move” in an attack. The tool requires credentials and network access to target hosts. Because of this, detection of potentially malicious PsExec activity is likely one piece of a larger attack chain. Thus, if detection occurs during threat hunting, it is important to scope outward from the detection event, treating it as a starting point for identifying the full extent of the compromise.
It is also important to remember that the best evidence of PsExec activity lives on affected hosts. In the event of an incident involving PsExec activity, host security logs are crucial. If an organization does not collect security logs from hosts on a day-to-day basis, then preserving those security logs in the event of an incident should be a priority. If possible, extracting a memory image of a compromised device before remediation activity can also provide useful indicators for scoping.
The following questions may be helpful in guiding an investigation: