Note: in case you missed the previous parts of this series, feel free to check out parts 1 and 2 as well!

PsExec is another powerful tool created by Windows Sysinternals. It was created to allow administrators to remotely connect to and manage Windows systems. Because of the power of PsExec, many different malware actors have used it in various forms of malware as well as as part of pass-the-hash attacks. PsExec has been used in MITRE ATT&CK techniques T1569.002 (System Services: Service Execution), T1021.002 (Remote Services: SMB/Windows Admin Shares), and T1570 (Lateral Tool Transfer).

PsExec allows members of a computer's Local Administrators group to connect to and have an interactive command line interface with remote computers. It is a major vector of lateral movement in an environment, and because of that, is a very important tool to be able to detect. In this Splunk tutorial I will go through the basics of how PsExec works, the three current primary ways it is used, and how to detect its usage with Sysmon.

## PsExec

PsExec is a rather simple tool, but one that has a lot of power. The tool copies a service executable to the hidden Admin$ share, and then uses the Windows Service Control Manager API to start the service. The service uses named pipes, which connect back to the PsExec tool. The tool can be run on the local machine or on remote machines, and it can allow a user to act as the NT Authority\System account.

The log examples shown below are with the default Modular Sysmon configuration file, and I tested the detections by using the various methods of PsExec to run the command "cmd /c time /T". Each example will have screenshots of the usage of the tool and select fields from the logs generated by Sysmon.

Sysinternals' PsExec starts by setting registry entries on the remote machine to run %SystemRoot%\PSEXESVC.exe when the service PSEXESVC starts. It writes the file to disk and starts the process in a new thread. PSEXESVC then creates a new process to run the commands it was sent from PsExec, cleaning up after itself by closing all the processes and deleting the registry key it created once finished.

The logs are similar to the first run of PsExec, except that it misses all of the pipe events. That is because the configuration file limits Pipe events to a specific segment of pipes so as to not cause too much noise.
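The mechanics and the pipe-event caveat above are easier to reason about as a correlation rule. The following is an added example (not code from the original post or from Sysinternals): a small Python correlator run over constructed Sysmon-style events. It flags hosts where PSEXESVC.exe is written or started alongside its service registry key or a spawned child process, and treats pipe events as optional corroboration, because a Sysmon configuration that filters PipeEvent may not record them. The event field names follow Sysmon's schema; the \PSEXESVC pipe names and the Services\PSEXESVC key are assumptions based on the behaviour described above, not values taken from the post.

```python
"""Correlate Sysmon events into a PsExec-style service-execution finding.

Added example, not code from the original post. The events below are
constructed to mimic Sysmon's field names (Image, ParentImage,
TargetFilename, TargetObject, PipeName, Computer). The \\PSEXESVC pipe
names and the Services\\PSEXESVC key are assumptions; adjust them to what
your own Sysmon logs actually show.
"""
import re
from collections import defaultdict

# Indicators matching the mechanics described above: the service binary
# lands in %SystemRoot% via ADMIN$, a Services\PSEXESVC key is written,
# PSEXESVC.exe runs and spawns the requested command over named pipes.
SERVICE_IMAGE = re.compile(r"\\PSEXESVC\.exe$", re.IGNORECASE)
SERVICE_REGKEY = re.compile(r"\\Services\\PSEXESVC(\\|$)", re.IGNORECASE)
SERVICE_PIPE = re.compile(
    r"^\\PSEXESVC(-[^\\]+-\d+-(stdin|stdout|stderr))?$", re.IGNORECASE)


def classify(event):
    """Map one Sysmon event to a PsExec indicator name, or None."""
    eid = event["EventID"]
    if eid == 11 and SERVICE_IMAGE.search(event.get("TargetFilename", "")):
        return "service_binary_written"      # FileCreate
    if eid == 13 and SERVICE_REGKEY.search(event.get("TargetObject", "")):
        return "service_registry_set"        # RegistryEvent (value set)
    if eid == 1 and SERVICE_IMAGE.search(event.get("Image", "")):
        return "service_started"             # ProcessCreate of PSEXESVC.exe
    if eid == 1 and SERVICE_IMAGE.search(event.get("ParentImage", "")):
        return "child_of_service"            # the command PsExec was asked to run
    if eid in (17, 18) and SERVICE_PIPE.match(event.get("PipeName", "")):
        return "service_pipe"                # PipeEvent created / connected
    return None


def detect_psexec(events, require_pipe=False):
    """Return {host: sorted indicators} for hosts that look like PsExec targets.

    A host is flagged when the service binary is written or started AND a
    corroborating registry write or child process is seen. Pipe events are
    optional by default because a Sysmon config that filters PipeEvent to a
    short list of pipe names will not record them, the gap described above.
    """
    seen = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            seen[ev["Computer"]].add(tag)
    hits = {}
    for host, tags in seen.items():
        core = tags & {"service_binary_written", "service_started"}
        corroboration = tags & {"service_registry_set", "child_of_service"}
        if core and corroboration and (not require_pipe or "service_pipe" in tags):
            hits[host] = sorted(tags)
    return hits


# Constructed sample events (not real logs). Run 1: pipe events recorded.
FULL_RUN = [
    {"Computer": "WS01", "EventID": 11, "Image": r"C:\Windows\System32\ntoskrnl.exe",
     "TargetFilename": r"C:\Windows\PSEXESVC.exe"},
    {"Computer": "WS01", "EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\PSEXESVC\ImagePath",
     "Details": r"%SystemRoot%\PSEXESVC.exe"},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Computer": "WS01", "EventID": 17, "Image": r"C:\Windows\PSEXESVC.exe",
     "PipeName": r"\PSEXESVC"},
    {"Computer": "WS01", "EventID": 17, "Image": r"C:\Windows\PSEXESVC.exe",
     "PipeName": r"\PSEXESVC-ADMIN-PC-4120-stdin"},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c time /T", "ParentImage": r"C:\Windows\PSEXESVC.exe"},
]

# Run 2: the same activity on another host, but the Sysmon config dropped
# the PipeEvent records (constructed to mirror the caveat in the post).
NO_PIPE_RUN = [dict(ev, Computer="WS02")
               for ev in FULL_RUN if ev["EventID"] not in (17, 18)]

# Benign noise: an interactive cmd.exe, an unrelated pipe, a look-alike file name.
BENIGN = [
    {"Computer": "WS03", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "WS03", "EventID": 17, "Image": r"C:\Windows\System32\lsass.exe",
     "PipeName": r"\lsass"},
    {"Computer": "WS03", "EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Temp\PSEXESVC.exe.bak"},
]

if __name__ == "__main__":
    print(detect_psexec(FULL_RUN))
    print(detect_psexec(NO_PIPE_RUN))
    print(detect_psexec(NO_PIPE_RUN, require_pipe=True))  # {} : a pipe-only rule misses run 2
    print(detect_psexec(BENIGN))
```

Running the block shows WS01 with all five indicators, WS02 with everything except `service_pipe`, and no result at all for WS02 once `require_pipe=True`. That last case is the practical point: a rule keyed only on pipe events is blind whenever the Sysmon configuration's PipeEvent filter does not include the PSEXESVC pipe names, so the file write, registry key and process tree should carry the detection, with the pipes as a bonus.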