- What is PsExec?
As you probably know, PsExec is a tool included in the Sysinternals Suite. Originally it was intended as a convenience tool for system administrators, letting them perform maintenance tasks by running commands on remote hosts.
- For attackers / Red Team: the tool is abused to
- execute malicious commands
- perform Lateral Movement (common adversary usage) ==> T1570
- Example, to get the hostname of a remote machine:
"PsExec64.exe \\Computer_Name -u 'user' command2exec"
In a nutshell, behind the scenes, when you connect to a remote host PsExec proceeds as follows:
- Connects to the Admin share.
- Uploads PSEXESVC.exe.
- Remotely creates a service that will run PSEXESVC.exe.
- Remotely starts the service.
- Input/output of the process then goes back and forth between the hosts over named pipes
- ex: "\\.\pipe\PSEXESVC-src_Hostname-XXXX-stdout"
- For Blue Team:
- Detection logic is as follows
- Event 5140: connection to the Admin$ share specifically <on target machine>
- Event 7045: a new service was installed <on target machine>
- Event 4648: logon attempt using explicit credentials <on attacker machine>
- ELK Query:
(winlog.event_data.ServiceName:"PSEXESVC" AND winlog.event_id:"7045")
(winlog.event_id:"5140" AND Share_Name.keyword:\\\\*\\ADMIN$)
- Splunk Result:
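The detection logic above can also be run offline over exported events, which is useful for testing a rule before deploying it. The following Python is an added example, not code from the original post or from any of the referenced tools: it correlates Event 5140 on ADMIN$ with Event 7045 installing PSEXESVC on the same target host within a short time window, and it matches the named-pipe pattern quoted earlier. The event records are constructed, their field names follow the winlogbeat-style keys used in the ELK query (`winlog.event_id`, `winlog.event_data.*`, `host.name`), and the `XXXX` placeholder in the pipe name is assumed to be an alphanumeric token.

```python
"""Correlate Windows events for PsExec-style lateral movement.

Added example (not from the original post). Applies the post's detection
logic, Event 5140 on ADMIN$ followed by Event 7045 installing PSEXESVC on
the same target host, to constructed winlogbeat-shaped records.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events; key layout mirrors winlogbeat's flattened fields.
SAMPLE_EVENTS = [
    # Target WS-02: ADMIN$ access followed two seconds later by PSEXESVC install
    {"@timestamp": "2023-05-01T10:00:01Z", "host.name": "WS-02", "winlog.event_id": 5140,
     "winlog.event_data.ShareName": "\\\\*\\ADMIN$", "winlog.event_data.IpAddress": "10.0.0.5"},
    {"@timestamp": "2023-05-01T10:00:03Z", "host.name": "WS-02", "winlog.event_id": 7045,
     "winlog.event_data.ServiceName": "PSEXESVC",
     "winlog.event_data.ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Benign on WS-03: a backup agent touching a non-admin share and installing its own service
    {"@timestamp": "2023-05-01T11:00:00Z", "host.name": "WS-03", "winlog.event_id": 5140,
     "winlog.event_data.ShareName": "\\\\*\\Backups$", "winlog.event_data.IpAddress": "10.0.0.9"},
    {"@timestamp": "2023-05-01T11:00:04Z", "host.name": "WS-03", "winlog.event_id": 7045,
     "winlog.event_data.ServiceName": "BackupAgent",
     "winlog.event_data.ImagePath": "C:\\Program Files\\Backup\\agent.exe"},
    # WS-04: ADMIN$ access with no service install; on its own this does not alert
    {"@timestamp": "2023-05-01T12:00:00Z", "host.name": "WS-04", "winlog.event_id": 5140,
     "winlog.event_data.ShareName": "\\\\*\\ADMIN$", "winlog.event_data.IpAddress": "10.0.0.5"},
]

# \\.\pipe\PSEXESVC-<source host>-<XXXX>-(stdin|stdout|stderr); XXXX assumed alphanumeric.
PIPE_RE = re.compile(r"^\\\\\.\\pipe\\PSEXESVC-.+-\w+-(stdin|stdout|stderr)$", re.IGNORECASE)


def is_psexec_pipe(name):
    """True if a named-pipe name matches the PSEXESVC I/O pipe pattern."""
    return PIPE_RE.match(name) is not None


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_admin_share_access(ev):
    """Event 5140 whose share name ends in \\ADMIN$ (matches the ELK clause)."""
    share = ev.get("winlog.event_data.ShareName", "")
    return ev.get("winlog.event_id") == 5140 and share.upper().endswith("\\ADMIN$")


def is_psexesvc_install(ev):
    """Event 7045 whose ServiceName is the default PSEXESVC."""
    svc = ev.get("winlog.event_data.ServiceName", "")
    return ev.get("winlog.event_id") == 7045 and svc.upper() == "PSEXESVC"


def correlate_psexec(events, window_seconds=60):
    """Return one alert per target host where an ADMIN$ connection (5140) is
    followed by a PSEXESVC service install (7045) within window_seconds."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host.name"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e["@timestamp"]))
        shares = [e for e in evs if is_admin_share_access(e)]
        installs = [e for e in evs if is_psexesvc_install(e)]
        for inst in installs:
            t_inst = parse_ts(inst["@timestamp"])
            for sh in shares:
                delta = (t_inst - parse_ts(sh["@timestamp"])).total_seconds()
                if 0 <= delta <= window_seconds:
                    alerts.append({
                        "target": host,
                        "source_ip": sh.get("winlog.event_data.IpAddress"),
                        "service": inst["winlog.event_data.ServiceName"],
                        "image": inst.get("winlog.event_data.ImagePath"),
                        "admin_share_at": sh["@timestamp"],
                        "service_installed_at": inst["@timestamp"],
                    })
                    break  # one alert per install is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate_psexec(SAMPLE_EVENTS):
        print("PsExec lateral movement suspected:", alert)
    print("pipe match:", is_psexec_pipe("\\\\.\\pipe\\PSEXESVC-WS-01-4321-stdout"))
```

Like the ELK query, this keys on the default service name, so it is a high-confidence, low-coverage rule; pairing any Event 7045 on the target with a preceding ADMIN$ connection from the same source, and adding the source-side Event 4648, widens the net at the cost of more triage.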
Reference:
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
https://www.ired.team/offensive-security/lateral-movement/lateral-movement-with-psexec
https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/