| property | value |
| --- | --- |
| tags | lateral-movement, threat-hunting-ideas |
| url | |
| original_word_count | 1066 |
Article Excerpt
PSExec is a tool designed for system administrators, facilitating remote command execution, and is part of the Sysinternals Suite. However, this tool is frequently exploited for lateral movement by Threat Actors.
Long Summary
This article provides a comprehensive overview of the detection of PSEXEC and similar tools. PSEXEC is a tool designed for system administrators, facilitating remote command execution, and is part of the Sysinternals Suite. However, this tool is frequently exploited for lateral movement by Threat Actors. To detect PSEXEC and similar tools, the following event sources can be used: Windows Security EventIDs 5140 and 5145 (network share and share object access), 4697 (service installed), 4674 (operation attempted on a privileged object) and 4688/4689 (process creation and termination); System EventIDs 7045 (service installed) and 7036 (service state change); PowerShell EventID 4104 (script block logging); and Sysmon (or, on non-Windows hosts, auditd) process execution logging.
When PSEXEC runs, Security EventID 5145 on the IPC$ share records its named pipes: the field RelativeTargetName starts with PSEXESVC and ends with -stdin, -stdout or -stderr. When PSEXEC is executed through Impacket's psexec.py (which uses a version of RemCom), RelativeTargetName can instead contain RemCom_communicaton (the spelling used by RemCom itself), RemCom_stdin, RemCom_stderr, RemCom_stdout, or svcctl (the service control pipe, which legitimate remote service management also uses, so it is only a supporting indicator). The service executable dropped onto the ADMIN$ share shows up in EventID 5145 with a RelativeTargetName ending in .exe or .dll and an AccessMask that includes the WriteData bit (0x2).
When PSEXEC runs, the service installation events (System EventID 7045, Security EventID 4697) carry ImagePath = *PSEXESVC.exe (PSEXESVC.exe is copied to the %SystemRoot% directory by default) and ServiceName = PSEXESVC; make sure ServiceName is also parsed out of EventID 7036, which reports 'The PSEXESVC service entered the running state' and the matching stopped state when psexec starts and finishes. A TargetObject (Sysmon registry events) or ObjectName (Security EventID 4674, an operation attempted on a privileged object) containing PSEXESVC catches the service key being written and the service being manipulated; a TargetFilename (Sysmon EventID 11) ending in PSEXESVC.exe catches the binary being written to disk; and a ProcessName or Image of PSEXEC.exe on the source host or PSEXESVC.exe on the target catches process execution, depending on how the tool is used. Microsoft Defender EventIDs 1116 (malware detected) and 1117 (action taken) can be used to detect some of the psexec-like tools from Metasploit or Impacket, whose service binaries Defender often recognizes by signature.
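As an added example (not code from the article or from the Sysinternals or Impacket projects), the rules from the two paragraphs above run over a handful of constructed Security 5145 and System 7045 records. Field names follow the EventData names Windows logs (ShareName, RelativeTargetName, AccessMask, ServiceName, ImagePath, IpAddress, SubjectUserName); the sample events, the rule names and the link from a file dropped on ADMIN$ to a later service ImagePath with the same file name are this example's own assumptions.

```python
"""Detection logic for PsExec-style lateral movement over Windows event records.

Added example for this summary, not code from the detect.fyi article or from
Sysinternals/Impacket. Events are constructed dicts modelled on the EventData
fields of Security EventID 5145 (network share object access) and System
EventID 7045 / Security 4697 (service installed); a real pipeline would feed
them from Windows Event Forwarding or a SIEM export. Tying a dropped file name
to a later service ImagePath is this example's own correlation, not the article's.
"""
import re
from collections import defaultdict

# PsExec pipes on IPC$ look like PSEXESVC-<host>-<pid>-stdin / -stdout / -stderr.
PSEXEC_PIPE = re.compile(r"(?i)^psexesvc.*-(stdin|stdout|stderr)$")
# Impacket psexec.py drives the RemCom service over these pipes
# ("communicaton" is the spelling used by RemCom itself).
REMCOM_PIPE = re.compile(r"(?i)^remcom_(communicaton|stdin|stdout|stderr)$")
SERVICE_BINARY = re.compile(r"(?i)\.(exe|dll)$")
WRITE_DATA = 0x2  # AccessMask bit: WriteData / AddFile


def _mask(value):
    """AccessMask is logged as a hex string such as '0x2' or '0x12019f'."""
    return int(str(value), 16)


def _share_name(event):
    """'\\\\*\\ADMIN$' -> 'ADMIN$'."""
    return event.get("ShareName", "").rstrip("\\").rsplit("\\", 1)[-1].upper()


def _image_file(image_path):
    """'%SystemRoot%\\PSEXESVC.exe' (possibly quoted) -> 'psexesvc.exe'."""
    return image_path.strip('"').rsplit("\\", 1)[-1].lower()


def check_named_pipe(event):
    """Rule 1: PsExec or RemCom control/stdio pipes opened on the IPC$ share."""
    if event["EventID"] != 5145 or _share_name(event) != "IPC$":
        return None
    target = event.get("RelativeTargetName", "")
    if PSEXEC_PIPE.search(target):
        return "psexec-named-pipe"
    if REMCOM_PIPE.search(target):
        return "remcom-named-pipe"
    return None


def check_binary_drop(event):
    """Rule 2: an .exe/.dll written (AccessMask has WriteData) to ADMIN$."""
    if event["EventID"] != 5145 or _share_name(event) != "ADMIN$":
        return None
    target = event.get("RelativeTargetName", "")
    if SERVICE_BINARY.search(target) and _mask(event.get("AccessMask", "0")) & WRITE_DATA:
        return "admin-share-binary-drop"
    return None


def check_service_install(event, dropped_names=()):
    """Rule 3: service installed as PSEXESVC / PSEXESVC.exe, or whose ImagePath
    names a file just dropped over ADMIN$ (catches renamed PsExec and
    Impacket's random service names, which rule 3's literal match would miss)."""
    if event["EventID"] not in (7045, 4697):
        return None
    name = event.get("ServiceName", "").upper()
    image_file = _image_file(event.get("ImagePath", ""))
    if name == "PSEXESVC" or image_file == "psexesvc.exe":
        return "psexesvc-service-install"
    if image_file in dropped_names:
        return "service-install-of-dropped-binary"
    return None


def hunt(events):
    """Run the rules in order, carrying dropped file names forward so a later
    service install can be tied back to the drop. Returns (index, rule, source)
    tuples; source is the remote IP and user from the share event, or
    ('local', '?') for service events that carry no network context."""
    findings = []
    dropped = set()
    for i, ev in enumerate(events):
        src = (ev.get("IpAddress", "local"), ev.get("SubjectUserName", "?"))
        for rule in (check_named_pipe, check_binary_drop):
            hit = rule(ev)
            if hit:
                findings.append((i, hit, src))
                if hit == "admin-share-binary-drop":
                    dropped.add(ev["RelativeTargetName"].lower())
        hit = check_service_install(ev, dropped)
        if hit:
            findings.append((i, hit, src))
    return findings


def by_source(findings):
    """Group hits by (IP, user): the correlation the article recommends."""
    grouped = defaultdict(list)
    for _, rule, src in findings:
        grouped[src].append(rule)
    return dict(grouped)


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "PSEXESVC-WS01-4812-stdin",
     "AccessMask": "0x12019f", "IpAddress": "10.0.0.5", "SubjectUserName": "jdoe"},
    {"EventID": 5145, "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "PSEXESVC.exe",
     "AccessMask": "0x2", "IpAddress": "10.0.0.5", "SubjectUserName": "jdoe"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 5145, "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "hAmdDfkL.exe",
     "AccessMask": "0x2", "IpAddress": "10.0.0.9", "SubjectUserName": "svc_backup"},
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "RemCom_communicaton",
     "AccessMask": "0x12019f", "IpAddress": "10.0.0.9", "SubjectUserName": "svc_backup"},
    {"EventID": 7045, "ServiceName": "hAmd", "ImagePath": "%SystemRoot%\\hAmdDfkL.exe"},
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
     "AccessMask": "0x12019f", "IpAddress": "10.0.0.7", "SubjectUserName": "helpdesk"},
    {"EventID": 5145, "ShareName": "\\\\*\\Data", "RelativeTargetName": "report.docx",
     "AccessMask": "0x2", "IpAddress": "10.0.0.7", "SubjectUserName": "helpdesk"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
    print(by_source(hunt(SAMPLE_EVENTS)))
```

On a real host, EventID 5145 only exists if "Audit Detailed File Share" is enabled, and 7045 lives in the System log rather than Security, so the two streams have to be joined by hostname and time. The benign srvsvc pipe and the .docx write in the sample produce no hits, and the renamed Impacket drop is caught only because its file name is carried from the ADMIN$ write into the service install.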
To detect PSEXEC usage on a remote machine, the source IP address, originating user, and source workstation should be correlated and incorporated in the alerts. A strict policy should be implemented regarding the use of PSEXEC to distinguish or detect malicious activities associated
Short Summary
Detecting PSEXEC and similar tools
- Comprehensive overview of the detection of PSEXEC and similar tools.
- PSEXEC is a Sysinternals tool for system administrators that enables remote command execution.
- PSEXEC is frequently exploited by threat actors for lateral movement.
- Detection methods include Windows Security, System and PowerShell EventIDs and Sysmon (or auditd) process execution logging.
- Specific strings in the RelativeTargetName field of EventID 5145 indicate PSEXEC execution.
- Impacket psexec.py can also be detected through the RelativeTargetName field (RemCom_* named pipes).
- The executable dropped in the admin$ share can be detected using specific field values (RelativeTargetName, AccessMask).
- The ImagePath and ServiceName fields of service-installation events identify PSEXEC execution.
- TargetObject and TargetFilename fields detect privileged object operations and file manipulation.
- Microsoft Defender EventIDs 1116 and 1117 offer detection for psexec-like tools from Metasploit or Impacket.
source link: https://detect.fyi/detecting-psexec-and-similar-tools-c812bf3dca6c
summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/detecting-psexec-and-similar-tools
#PSEXEC #Detection #Sysinternals #ThreatActors #Security