Lateral Movement Detections: PsExec/Like-PsExec tools activity
Lateral movement (TA0008) remains a core tactic used by attackers, and successful lateral movement has a huge impact on the affected organization. In fact, this stage magnifies the attacker’s goals or objectives.
In this blog post, let us go through some of the tools attackers use to crawl across networks. The important point here is that less noisy tools are always preferred, to stay under the radar of endpoint logging as well as traditional AV/IPS signatures.
Machines used for the demonstration:
1. Kali machine (simulated attacker machine). The tools used are:
   - Metasploit-PsExec (High Noise/Windows Defender has detection)
   - Impacket-psexec (High Noise/Windows Defender has detection)
   - Impacket-smbexec (Low Noise/Windows Defender has no detection)
   - Impacket-wmiexec (Low Noise/Windows Defender has no detection)
2. Windows 10 (victim machine): Winlogbeat installed to collect Application/Security/System/Defender logs
3. ELK stack hosted on a Linux server.
Note#1: For the above offensive tools to work, they require local/domain administrator credentials for the victim machine.
Note#2: I purposely did not collect Sysmon logs, just to emphasize the efficiency of the Windows Application/Security/System logs.
Demo Time !!
To launch this attack, Metasploit's built-in PsExec module was used. This is a super noisy module and easily gets the defender’s attention.
As said, unfortunately the exploit didn’t work in the first place because Windows Defender flagged it as a Trojan Dropper :)
So, it made me disable Defender.
When the attack was relaunched, it started by accessing the svcctl pipe on the IPC$ share and initiated the service via that pipe.
As we can see below, traffic originating from the attacker machine (192.168.5.108) requested ReadData and WriteData access and created a pipe instance via the svcctl pipe on the IPC$ share.
The network traffic for the same activity shows the evidence which I have mentioned in my previous blog.
Following that, the service “MfIdOPlBvOOBkptz” was started under “user mode”.
The service “MfIdOPlBvOOBkptz” invoked a PowerShell process with lengthy command-line arguments. We can see that the parent process services.exe invoked cmd.exe.
And the command line is as below:
For a deeper analysis of the above code, John Hammond's blog can be referred to below (indeed, big kudos to him!):
As an additional reference, the Metasploit shellcode was very straightforward in this case, and analysis showed the Kali IP and the Meterpreter reverse TCP port 4444.
Lastly, “whoami” was executed from the Meterpreter session:
Impacket-psexec was executed from the Kali machine, but again Windows Defender caught it and quarantined the dropped file C:\Windows\djZFUjJW.exe, as below:
After disabling Defender, the attack was relaunched, and this time it was successful. The tool dropped an exe file on the writable admin$ share and started it as a service with a random name, “voHw”.
Now, let us see the Windows Logs for the same.
As shown above, the tool accessed the writable admin$ share and dropped an exe file: GbVkowvs.exe
Traffic originating from the attacker machine (192.168.5.108) requested WriteData access on the admin$ share, which was subsequently granted.
The malicious file GbVkowvs.exe was dropped on C:\Windows\admin$. (Initially, Defender flagged this file as Win32/RemoteExec.)
The dropped exe file starts a new service named “voHw”.
This tool uses the open-source RemComSvc, which gives us back the remote admin shell (https://github.com/kavika13/RemCom).
Then, the parent process “services.exe” invokes the dropped file (GbVkowvs.exe), which in turn returns the administrative shell.
For this tool (Impacket-smbexec), Windows Defender has no detections because it does not drop any files.
When initiated, the attack started by accessing the IPC$ share and attempted to create a service via the svcctl pipe, like the tools above.
The next step is to create a service named “BTOBTO” using this command: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat
The parent process services.exe invokes cmd.exe and executes the above command as part of the service.
At the same time, there are multiple events for writing the file named “__output” during the command execution.
The tool follows the same steps iteratively for each command. So, in this scenario, as no exe file was dropped, each command runs as an individual service (BTOBTO) every time and exits. When the process exits, it deletes the “__output” file as well.
Now, “whoami” was executed, and later the tool deleted the file “__output”.
4. Impacket — wmiexec
This is almost like Impacket-smbexec, but here WMI is used. Windows Defender did not flag this attack either, since no binary is dropped.
The attack was initiated by accessing the admin$ share and creating a file with a random name (it is the epoch time of the file creation, a neat way of randomizing the file names).
The file was created and read from the admin$ location:
The commands below were logged in parallel:
The main thing to notice here is that the parent process WmiPrvSE.exe is calling cmd.exe.
When whoami.exe was executed, the process creation events were as below:
And finally, it deletes the file after execution:
The consolidated Windows Event IDs we observed from the above demonstration are:
- Windows Defender — Event ID: 1116: The antimalware platform detected malware or other potentially unwanted software.
- Windows Defender — Event ID: 1117: The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
- Windows System — Event ID: 7045: A new service was installed in the system
- Windows Security — Event ID: 5145: A network share object was checked to see whether client can be granted desired access.
- Windows Security — Event ID: 4688: A new process has been created.
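The following Python is an added example (not code from the original post) that applies the 5145, 7045 and 4688 indicators from the demo to a handful of constructed events and correlates an exe written to admin$ with the service and process that later use it. The flattened field names follow the Windows event data fields Winlogbeat ships under winlog.event_data; the ImagePath value for “voHw”, the wmiexec command line and the rule names are assumptions.

```python
import ntpath

# Constructed sample events, flattened from winlog.event_id / winlog.event_data.
# Names and the IP mirror the demo; ImagePath and CommandLine values are assumed.
EVENTS = [
    {"id": 5145, "IpAddress": "192.168.5.108", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "svcctl", "AccessList": "%%4416 %%4417"},
    {"id": 5145, "IpAddress": "192.168.5.108", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "GbVkowvs.exe", "AccessList": "%%4417"},
    {"id": 7045, "ServiceName": "voHw", "ImagePath": r"%systemroot%\GbVkowvs.exe"},
    {"id": 4688, "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\GbVkowvs.exe", "CommandLine": ""},
    {"id": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > "
                  r"%TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat"},
    {"id": 4688, "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /Q /c whoami"},
    {"id": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def detect(events):
    """Return (rule, detail) alerts; links admin$ writes to later 7045/4688 events."""
    alerts, dropped = [], set()
    for e in events:
        share = e.get("ShareName", "").upper()
        target = e.get("RelativeTargetName", "")
        wrote = "%%4417" in e.get("AccessList", "")  # %%4417 = WriteData (or AddFile)
        if e["id"] == 5145 and share.endswith("IPC$") and target.lower() == "svcctl":
            alerts.append(("remote_svcctl_pipe", e["IpAddress"]))
        elif e["id"] == 5145 and share.endswith("ADMIN$") and wrote and target.lower().endswith(".exe"):
            dropped.add(base(target))
            alerts.append(("exe_written_to_admin_share", target))
        elif e["id"] == 7045:
            image = e["ImagePath"]
            if "%comspec%" in image.lower() and "__output" in image:
                alerts.append(("service_runs_shell_command", e["ServiceName"]))
            elif base(image) in dropped:
                alerts.append(("service_from_dropped_exe", e["ServiceName"]))
        elif e["id"] == 4688:
            parent, child = base(e["ParentProcessName"]), base(e["NewProcessName"])
            if parent == "services.exe" and child in dropped:
                alerts.append(("services_spawned_dropped_exe", child))
            elif parent in ("services.exe", "wmiprvse.exe") and child == "cmd.exe":
                alerts.append(("cmd_spawned_by_" + parent, e["CommandLine"]))
    return alerts
```

Events must be fed in time order, because the service and process rules for a dropped exe only fire after the matching admin$ write has been seen.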
Threat actors use these kinds of techniques to amplify the impact after intruding into the network. “Visibility” should be a tabletop exercise when it comes to cybersecurity blue team activities. Happy Blue Teaming!