Lateral Movement Detections: PsExec/Like-PsExec tools activity

Abhijith Rao
7 min read · Sep 1, 2021


Lateral movement (TA0008) remains a core tactic for attackers, and when it succeeds the impact on the affected organization is huge. In fact, this stage magnifies the attacker’s goals or objectives.


In this blog post, let us go through some of the tools attackers use to crawl across networks. The important part here is that less noisy tools are always preferred, to stay under the radar of both endpoint logging and traditional AV/IPS signatures.

Machines used for the demonstration:

1. Kali Machine (Attacker simulated machine)

The tools used are:

  • Metasploit-PsExec (High Noise/Windows Defender has detection)
  • Impacket-psexec (High Noise/Windows Defender has detection)
  • Impacket-smbexec (Low Noise/Windows Defender has no detection)
  • Impacket-wmiexec (Low Noise/Windows Defender has no detection)

2. Windows 10 (Victim machine): Winlogbeat installed to collect Application/Security/System/Defender logs

3. ELK stack hosted on Linux server.

Note #1: For the above offensive tools to work, they require local/domain administrator credentials for the victim machine.

Note #2: I purposefully did not collect Sysmon logs, just to emphasize the efficiency of the Windows Application/Security/System logs.

Demo Time !!

1. Metasploit-PsExec

To launch this attack, Metasploit's built-in PsExec module was used. This is a super noisy module and easily gets the defender’s attention.

Metasploit PsExec

As said, unfortunately the exploit didn’t work at first because Windows Defender flagged it as a Trojan Dropper :)

Defender Event ID : 1116 & 1117

So I had to disable Defender.

Application Event ID : 15

When the attack was relaunched, it started by accessing the svcctl pipe on the IPC$ share and initiated the service via the pipe.

Security Event ID : 5145

As we can see below, traffic originating from the attacker machine (192.168.5.108) requested ReadData and WriteData access and created a pipe instance via the svcctl pipe on the IPC$ share.

Security Event ID : 5145

The network traffic for the same activity shows the evidence I mentioned in my previous blog.

Following that, the service “MfIdOPlBvOOBkptz” was started under “user mode”.

System Event ID : 7045

The service “MfIdOPlBvOOBkptz” invoked the PowerShell process with lengthy command-line arguments. We can see that the parent process, services.exe, invoked cmd.exe.

Security Event ID : 4688

And the command line is as below:

Security Event ID : 4688

For a deeper analysis of the above code, refer to John Hammond's blog below (big kudos to him!):

https://www.huntress.com/blog/from-powershell-to-payload-an-analysis-of-weaponized-malware

As an additional reference, the Metasploit shellcode was very straightforward in this case, and analysis showed the Kali IP and the Meterpreter reverse TCP port, 4444.

Lastly, “whoami” was executed from the Meterpreter session:

Security Event ID : 4688

2. Impacket-psexec

Impacket-psexec was executed from the Kali machine, but again Windows Defender caught it and quarantined the dropped file, C:\Windows\djZFUjJW.exe, as below:

Defender Event ID : 1116 & 1117

After disabling Defender, the attack was relaunched, and this time it was successful. The tool dropped an exe file on the writable admin$ share and started it as a service with a random name, “voHw”.

Impacket-psexec

Now, let us see the Windows Logs for the same.

As shown above, the tool accessed the writable admin$ share and dropped an exe file: GbVkowvs.exe

Security Event ID : 5145

Traffic originating from the attacker machine (192.168.5.108) requested WriteData access on the admin$ share, which was subsequently granted.

Security Event ID : 5145

The malicious file GbVkowvs.exe was dropped on C:\Windows\admin$. (Initially, Defender flagged this file as Win32/RemoteExec.)

Security Event ID : 5145

The dropped exe file starts a new service named “voHw”.

System Event ID : 7045
System Event ID : 7045

This tool uses the open-source RemComSvc, which gives us back the remote admin shell (https://github.com/kavika13/RemCom).

Security Event ID : 5145

Then the parent process “services.exe” invokes the dropped file (GbVkowvs.exe), which in turn returns the administrative shell.

Security Event ID : 4688

3. Impacket-smbexec

For this tool, Windows Defender has no detections because it does not drop any files.

When the attack was initiated, it started by accessing the IPC$ share and attempted to create a service via the svcctl pipe, like the tools above.

Security Event ID : 5145

The next step is to create a service named “BTOBTO” using this command: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat

System Event ID : 7045

The parent process services.exe invokes cmd.exe and executes the above command as part of service.

Security Event ID : 4688

At the same time, there are multiple events for writing the file named “__output” during the command execution.

Security Event ID : 5145

The tool repeats these steps for each command. So, in this scenario, as no exe file was dropped, each command runs as an individual service (BTOBTO) every time and exits. When the process exits, it deletes the “__output” file as well.

Now, “whoami” was executed and later it deleted the file “__output”.

Security Event ID : 4688
Security Event ID : 5145

4. Impacket-wmiexec

This is almost like Impacket-smbexec, but here WMI is used. Windows Defender did not flag this attack either, since no binary is dropped.

The attack was initiated by accessing the admin$ share and creating a file with a random name (it is the epoch time of the file creation, a neat way of randomizing file names).

Security Event ID : 5145

The file was created and read from the admin$ location –

Security Event ID : 5145
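The epoch-style file name gives a second hunting handle. The following Python is an added example, not part of the original post: it checks whether a 5145 file name on admin$ parses as an epoch timestamp close to the event time. The optional `__` prefix, the 300-second tolerance, the flattened event shape and the premise that the name is stamped by the client's clock are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timezone

# Assumed name shape: optional "__" prefix, then seconds since the epoch, optional fraction.
EPOCH_NAME = re.compile(r"^(?:__)?(\d{9,10})(?:\.\d+)?$")

def epoch_skew(relative_target, event_time, max_skew=300):
    """Seconds between an epoch-style file name and the event time, or None.

    Assumption: the name is stamped by the client's clock and the event by the
    server's, so a small nonzero difference is expected and worth recording."""
    m = EPOCH_NAME.match(relative_target.rsplit("\\", 1)[-1])
    if not m:
        return None
    skew = int(m.group(1)) - int(event_time.timestamp())
    return skew if abs(skew) <= max_skew else None

def hunt(events):
    """Return (source IP, file name, skew) for ADMIN$ accesses to epoch-named files."""
    hits = []
    for ev in events:
        if ev["event_id"] != 5145 or not ev["ShareName"].upper().endswith("ADMIN$"):
            continue
        # Sample times are treated as UTC; adjust to match your log pipeline.
        when = datetime.fromisoformat(ev["time"]).replace(tzinfo=timezone.utc)
        skew = epoch_skew(ev["RelativeTargetName"], when)
        if skew is not None:
            hits.append((ev["IpAddress"], ev["RelativeTargetName"], skew))
    return hits

# Constructed sample events; the first file name is 2 s behind the event time.
T0 = datetime(2021, 9, 1, 10, 0, 5, tzinfo=timezone.utc)
SAMPLE = [
    {"time": "2021-09-01T10:00:05", "event_id": 5145, "IpAddress": "192.168.5.108",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "__%d.8421" % (int(T0.timestamp()) - 2)},
    {"time": "2021-09-01T10:00:09", "event_id": 5145, "IpAddress": "192.168.5.108",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "GbVkowvs.exe"},
]
print(hunt(SAMPLE))
```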

The commands below were logged in parallel:

Security Event ID : 4688

The main thing to notice here is that the parent process WmiPrvSE.exe is calling cmd.exe.

When whoami.exe was executed, below are the process creation events –

Security Event ID : 4688

And finally, it deletes the file after execution –

Security Event ID : 5145

The consolidated Windows Event IDs we observed from the above demonstration are:

  • Windows Defender — Event ID: 1116: The antimalware platform detected malware or other potentially unwanted software.
  • Windows Defender — Event ID: 1117: The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
  • Windows System — Event ID: 7045: A new service was installed in the system
  • Windows Security — Event ID: 5145: A network share object was checked to see whether client can be granted desired access.
  • Windows Security — Event ID: 4688: A new process has been created.
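
One way to turn the event IDs above into a detection, as an added example (not code from the original post): the Python below tags 5145, 7045 and 4688 records and pairs remote share access with follow-on service or shell activity on the same host. The flattened event shape, the `time` and `host` keys, the tag names and the 60-second window are assumptions; the other keys are the Windows event data field names, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

SHELLS = {"cmd.exe", "powershell.exe"}
PARENTS = {"services.exe": "service_spawned_shell", "wmiprvse.exe": "wmi_spawned_shell"}

def classify(ev):
    """Tag one flattened Windows event, or return None if it is not of interest."""
    eid = ev["event_id"]
    if eid == 5145:
        share, target = ev["ShareName"].upper(), ev["RelativeTargetName"].lower()
        if share.endswith("IPC$") and target == "svcctl":
            return "svcctl_pipe"
        # FILE_WRITE_DATA is bit 0x2 of the requested access mask
        if share.endswith("ADMIN$") and target.endswith(".exe") and int(ev["AccessMask"], 16) & 0x2:
            return "admin_share_exe_write"
    elif eid == 7045:
        path = ev["ImagePath"].lower()
        if "%comspec%" in path and "\\\\127.0.0.1\\" in path:
            return "loopback_output_service"
    elif eid == 4688 and basename(ev["NewProcessName"]).lower() in SHELLS:
        return PARENTS.get(basename(ev["ParentProcessName"]).lower())
    return None

def correlate(events, window=timedelta(seconds=60)):
    """Pair each tagged share access with tagged 7045/4688 activity on the same host."""
    tagged = [(datetime.fromisoformat(e["time"]), e, classify(e)) for e in events]
    tagged = [t for t in tagged if t[2]]
    alerts = []
    for ts, ev, tag in tagged:
        if ev["event_id"] != 5145:
            continue
        follow = sorted({t for when, e, t in tagged if e["event_id"] != 5145
                         and e["host"] == ev["host"] and ts <= when <= ts + window})
        if follow:
            alerts.append((ev["host"], ev["IpAddress"], tag, follow))
    return alerts

# Constructed sample events; the flattened shape is an assumption, not Winlogbeat's own layout.
SAMPLE = [
    {"time": "2021-09-01T10:00:00", "host": "WIN10", "event_id": 5145, "IpAddress": "192.168.5.108",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "svcctl", "AccessMask": "0x3"},
    {"time": "2021-09-01T10:00:02", "host": "WIN10", "event_id": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"},
    {"time": "2021-09-01T10:00:03", "host": "WIN10", "event_id": 4688,
     "ParentProcessName": r"C:\Windows\System32\services.exe", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"time": "2021-09-01T10:05:00", "host": "WIN10", "event_id": 4688,  # benign: explorer.exe parent
     "ParentProcessName": r"C:\Windows\explorer.exe", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]
print(correlate(SAMPLE))
```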

Conclusion:

Threat actors use these kinds of techniques to amplify the impact after intruding into the network. “Visibility” should be a tabletop exercise when it comes to cyber security blue team activities. Happy Blue Teaming!

References:

  1. https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/
  2. https://www.huntress.com/blog/from-powershell-to-payload-an-analysis-of-weaponized-malware
