Artifacts || PsExec Execution

Raj Upadhyay
4 min read · Jul 14, 2023

Today we will see what artifacts we can discover when a threat actor uses PsExec during the post-exploitation stage in a network.

We have one Domain Controller (Server 2019) and two Windows 10 machines. We will assume that the credentials of one "Domain Admin" account have been leaked, that the threat actor (TA) got access to the network using those credentials, and that the TA is carrying out different activities on the network. (We will play both the TA role and the investigator role.)

TEST CASE 1:

Let's assume we are the TA and we have access to the "172.16.0.101" machine. We will first download PsExec and then use it against the Domain Controller (172.16.0.1).

Let's download PsExec.

The next step is to open the downloaded zip file and extract it.

Open CMD and type "PowerShell".

Now type following command and hit enter:

psexec \\DC01 -u testadmin -i ipconfig

If you are running a Sysinternals tool for the first time you will see the pop-up below, so let's click Agree.

Now it will ask for the password.

Let's provide the password and wait for the output.

Since we are more interested in the artifacts left behind when the TA executes PsExec, we will run two more commands.

psexec \\DC01 -u testadmin -i net user

Again it will ask for the password, so let's provide it and wait for the output.

Now let's run one more command:

psexec \\DC01 -u testadmin -i -r HACKERWASHERE net user

Now let's give the password and wait for the output.

Now let's open the Windows Server machine and switch our role from TA to forensic analyst.

Let's open Event Viewer on the Windows Server machine.

Now select "Windows Logs" and click on "System".

We know that a "new service installed" on a machine is recorded in System.evtx, so that is the log we focus on, and specifically we need to look for Event ID 7045.

So let's apply a filter on Event ID 7045.

Let's see the output. We have around 11 events and we will focus on the last three.

Let's expand the entry with date/time 7/13/2023 2:13:53 AM.

Let's check the entry with timestamp 7/13/2023 2:21:04 AM.

And now let's check the most recent entry, which has timestamp 7/13/2023 2:25:36 AM.

Here we see "HACKERWASHERE" as the service name (which is expected, because we used "-r HACKERWASHERE" when executing PsExec).

Takeaway:

Every time you run PsExec against a target system a new service is installed; by default that service is named PSEXESVC.

Whenever you run PsExec against a target system you will have traces of the service installation and of the creation of "psexesvc.exe".

Example: if you run PsExec three times, you will have traces of the service installation and of the creation of "psexesvc.exe" three times.

Now let's check the traces in the UsnJrnl. I am skipping how to parse the UsnJrnl and directly showing the parsed output.

Let's open the output in Timeline Explorer and search for the keyword "PsExec".

Note: the Update Timestamp here also matches our event log entries. (The system time zone was UTC-08:00 and the $J output is in UTC (00:00).)

Take another look at the image above. Can you see anything INTERESTING?

In the above entry we also see the "HOSTNAME" of the system from which the command was initiated.
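As an added example (not part of the original post), here is a small Python script that applies the two artifacts discussed above: it parses Event ID 7045 records exported from Event Viewer's XML view, flags the PsExec service pattern (default PSEXESVC, or a -r renamed service whose binary in %SystemRoot% carries the same name, since PsExec copies the service binary to ADMIN$ under the service name), and corroborates each hit with a FileCreate entry for that binary in parsed $J output. The event XML, the $J rows and their column names (assumed to follow MFTECmd's $J CSV layout) are constructed sample data.

```python
import csv, io, re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PSEXEC_PATH = re.compile(r"^%SystemRoot%\\(?P<exe>[^\\]+)\.exe$", re.IGNORECASE)

# Constructed sample data (not the post's real logs). The XML follows Event Viewer's "XML View";
# SystemTime there is already UTC even though the GUI shows local time (UTC-08:00 in the post).
EVT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
       '<EventID>7045</EventID><TimeCreated SystemTime="{t}"/></System><EventData>'
       '<Data Name="ServiceName">{n}</Data><Data Name="ImagePath">{p}</Data></EventData></Event>')
SAMPLE_EVENTS = [
    EVT.format(t="2023-07-13T10:13:53Z", n="PSEXESVC", p=r"%SystemRoot%\PSEXESVC.exe"),
    EVT.format(t="2023-07-13T10:18:00Z", n="ExampleAgent", p=r"C:\Program Files\Vendor\agent.exe"),
    EVT.format(t="2023-07-13T10:25:36Z", n="HACKERWASHERE", p=r"%SystemRoot%\HACKERWASHERE.exe"),
]
# $J rows in the column layout MFTECmd writes (assumed; only three columns kept here), times in UTC.
SAMPLE_USN = """Name,UpdateTimestamp,UpdateReasons
PSEXESVC.exe,2023-07-13 10:13:52.1234567,FileCreate
PSEXESVC.exe,2023-07-13 10:13:52.2234567,DataExtend|Close
HACKERWASHERE.exe,2023-07-13 10:25:35.0000000,FileCreate
"""

def parse_7045(xml_text):
    """Return (utc_time, service_name, image_path) from one exported 7045 event."""
    root = ET.fromstring(xml_text)
    when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return datetime.fromisoformat(when.replace("Z", "+00:00")), data["ServiceName"], data["ImagePath"]

def looks_like_psexec(service_name, image_path):
    """True for the default PSEXESVC and for -r renamed services: %SystemRoot%\\<ServiceName>.exe."""
    m = PSEXEC_PATH.match(image_path)
    return bool(m) and m.group("exe").lower() == service_name.lower()

def find_psexec(event_xmls, usn_csv, window_s=60):
    """Flag PsExec-shaped 7045 events and corroborate each with a $J FileCreate of <svc>.exe."""
    creates = [(r["Name"].lower(), datetime.strptime(r["UpdateTimestamp"][:19], "%Y-%m-%d %H:%M:%S")
                .replace(tzinfo=timezone.utc))
               for r in csv.DictReader(io.StringIO(usn_csv)) if "FileCreate" in r["UpdateReasons"].split("|")]
    hits = []
    for xml_text in event_xmls:
        when, svc, path = parse_7045(xml_text)
        if looks_like_psexec(svc, path):
            seen = any(n == svc.lower() + ".exe" and abs((t - when).total_seconds()) <= window_s
                       for n, t in creates)
            hits.append({"service": svc, "time": when.isoformat(), "renamed": svc.upper() != "PSEXESVC",
                         "usn_create": seen})
    return hits
```

A 7045 hit without a matching $J creation within the window is worth a second look rather than a dismissal, since the journal may simply have rolled over.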

Reference:

1. https://youtu.be/oVM1nQhDZQc
2. https://aboutdfir.com/the-key-to-identify-psexec/


Pursuing M. Tech. in Cyber Security and Incident Response. #LoveToPlayCTF #infosec #cybersecurity