Lateral Movement Detections: PsExec/Like-PsExec tools activity

  • Metasploit-PsExec (High Noise/Windows Defender has detection)
  • Impacket-psexec (High Noise/Windows Defender has detection)
  • Impacket-smbexec (Low Noise/Windows Defender has no detection)
  • Impacket-wmiexec (Low Noise/Windows Defender has no detection)

Demo Time !!

1. Metasploit-PsExec

Events logged on the target when the Metasploit PsExec module runs:
  • Defender Event ID : 1116 & 1117
  • Application Event ID : 15
  • Security Event ID : 5145 (two events)
  • System Event ID : 7045
  • Security Event ID : 4688 (three events)

2. Impacket-psexec

Events logged on the target when Impacket-psexec runs:
  • Defender Event ID : 1116 & 1117
  • Security Event ID : 5145 (three events)
  • System Event ID : 7045 (two events)
  • Security Event ID : 5145
  • Security Event ID : 4688

3. Impacket-smbexec

Events logged on the target when Impacket-smbexec runs (no Defender events, consistent with the "no detection" note above):
  • Security Event ID : 5145
  • System Event ID : 7045
  • Security Event ID : 4688
  • Security Event ID : 5145
  • Security Event ID : 4688
  • Security Event ID : 5145

4. Impacket-wmiexec

Events logged on the target when Impacket-wmiexec runs (no Defender events and no service installation, only share access and process creation):
  • Security Event ID : 5145 (two events)
  • Security Event ID : 4688 (two events)
  • Security Event ID : 5145

Event ID reference:
  • Windows Defender — Event ID: 1116: The antimalware platform detected malware or other potentially unwanted software.
  • Windows Defender — Event ID: 1117: The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
  • Windows System — Event ID: 7045: A new service was installed in the system
  • Windows Security — Event ID: 5145: A network share object was checked to see whether client can be granted desired access.
  • Windows Security — Event ID: 4688: A new process has been created.
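The event sequences above can be turned into a simple correlation rule: a share access (5145) followed within a short window by a service installation (7045) and a process creation (4688) on the same host matches the PsExec-like pattern seen for Metasploit PsExec, Impacket-psexec and Impacket-smbexec. The following is an added example, not code from the original post; the event records are constructed sample data in a simplified (timestamp, event_id, host, detail) shape, not real Windows event log exports.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post). Each tuple is a
# simplified Windows event record: (timestamp, event_id, host, detail).
# SRV01 shows the share-access -> service-install -> process-create chain;
# FS02 shows ordinary share access plus a process start, which must not match.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", 5145, "SRV01", r"\\*\ADMIN$"),
    ("2024-01-01T10:00:02", 7045, "SRV01", "new service installed"),
    ("2024-01-01T10:00:03", 5145, "SRV01", r"\\*\IPC$"),
    ("2024-01-01T10:00:04", 4688, "SRV01", "cmd.exe"),
    ("2024-01-01T11:30:00", 5145, "FS02", r"\\*\Users"),
    ("2024-01-01T11:30:05", 4688, "FS02", "notepad.exe"),
]

# The IDs that appear together for every service-based tool in the post.
PSEXEC_LIKE_IDS = {5145, 7045, 4688}


def detect_psexec_like(events, window_seconds=60):
    """Return (host, start_time) for each host where a 5145 event is followed
    within window_seconds by both a 7045 and a 4688 event.
    wmiexec is not covered: it produces no 7045, so a 5145+4688-only rule
    would be far noisier and needs extra context (e.g. the parent process)."""
    by_host = {}
    for ts, event_id, host, detail in events:
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), event_id, detail))
    hits = []
    for host, host_events in by_host.items():
        host_events.sort()
        for i, (t0, event_id, _) in enumerate(host_events):
            if event_id != 5145:
                continue  # the chain starts with the share access
            window = [e for e in host_events[i:]
                      if e[0] - t0 <= timedelta(seconds=window_seconds)]
            if PSEXEC_LIKE_IDS <= {e[1] for e in window}:
                hits.append((host, t0.isoformat()))
                break  # one alert per host is enough for triage
    return hits


if __name__ == "__main__":
    for host, when in detect_psexec_like(SAMPLE_EVENTS):
        print(f"PsExec-like activity on {host} starting {when}")
```

In a real deployment the 5145 event should additionally be filtered on the share name (PsExec-style tools write to ADMIN$ and talk over IPC$), which cuts the noise from normal file-share traffic.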

Conclusion:

  1. https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/

Abhijith Rao, Incident Handler, Security Operations