Threat Feed
low advisory

PsExec Lateral Movement via Network Connection

The rule identifies PsExec.exe making a network connection, an indicator of potential lateral movement by adversaries who use the tool to execute commands with SYSTEM privileges on Windows systems and to disable defenses.

This detection identifies the execution of PsExec, a dual-use tool commonly employed for both legitimate administration and malicious lateral movement. PsExec, part of the Sysinternals Suite, allows remote command execution with elevated privileges and is often abused by attackers to disable security controls and move laterally within a network. This rule specifically detects the creation of a PsExec.exe process followed by a network connection initiated by that process, a strong indicator of potentially malicious activity. While PsExec has legitimate uses, its prevalence in attack scenarios necessitates careful monitoring. The rule is designed to work with data from Elastic Defend, SentinelOne Cloud Funnel, and Sysmon.

Attack Chain

  1. An attacker gains initial access to a system within the network (e.g., via phishing or exploiting a vulnerability).
  2. The attacker uploads or transfers the PsExec tool (PsExec.exe) to the compromised host, potentially using SMB shares or other file transfer methods.
  3. The attacker executes PsExec with the -accepteula flag, which suppresses the license dialog, potentially indicating a first-time execution on the machine.
  4. PsExec establishes a network connection to a remote target system, leveraging SMB/Windows Admin Shares (T1021.002) to facilitate remote command execution.
  5. The attacker uses PsExec to execute commands on the remote system, potentially with SYSTEM privileges, to install malware, gather credentials, or perform reconnaissance.
  6. The attacker leverages the newly compromised system as a pivot point to move laterally to other systems within the network, repeating the process.
  7. The attacker escalates privileges on multiple systems.
  8. The attacker achieves their objective, such as data exfiltration or ransomware deployment.

Impact

Successful use of PsExec for lateral movement can lead to widespread compromise across the network. Attackers can leverage PsExec to gain control over critical systems, disable security controls, and exfiltrate sensitive data. Lateral movement facilitated by PsExec can enable attackers to rapidly expand their footprint within an organization, impacting numerous systems and services. While the rule's severity is low due to the dual-use nature of PsExec, the potential impact of unchecked lateral movement is significant.

Recommendation

  • Deploy the Sigma rule PsExec Network Connection to your SIEM and tune the process.executable and process.parent.executable filters for your environment to reduce false positives.
  • Enable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging for enhanced visibility into PsExec activity.
  • Review and enforce the principle of least privilege to limit the accounts that can run PsExec and access sensitive systems.
  • Investigate any alerts generated by the PsExec Network Connection rule promptly to determine if the activity is legitimate or malicious.
  • Monitor network connections originating from systems where PsExec is executed using the PsExec Outbound Network Connection Sigma rule.
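The correlation the two rules describe (a PsExec.exe process creation, Sysmon Event ID 1, followed by a network connection from the same process, Event ID 3) can be prototyped over exported telemetry before it goes into the SIEM. The following is an added example written for this page, not the platform's own detection query; the JSON-lines events, ProcessGuid values and the `trusted_parents` allow-list are constructed, and the `psexec.c` OriginalFileName match is included because a renamed binary defeats a plain image-name check.

```python
import json
from datetime import datetime, timedelta

# Constructed Sysmon-style events (Event ID 1 = process creation, 3 = network
# connection), written as JSON lines. Paths and GUIDs are made up for this demo.
SAMPLE_LOG = r"""
{"EventID": 1, "UtcTime": "2024-01-01 10:00:00", "ProcessGuid": "{G1}", "Image": "C:\\Tools\\PsExec.exe", "OriginalFileName": "psexec.c", "CommandLine": "PsExec.exe -accepteula \\\\srv01 -s cmd", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 3, "UtcTime": "2024-01-01 10:00:02", "ProcessGuid": "{G1}", "Image": "C:\\Tools\\PsExec.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 445}
{"EventID": 1, "UtcTime": "2024-01-01 10:05:00", "ProcessGuid": "{G2}", "Image": "C:\\Admin\\PsExec.exe", "OriginalFileName": "psexec.c", "CommandLine": "PsExec.exe \\\\srv02 ipconfig", "ParentImage": "C:\\Admin\\deploy.exe"}
{"EventID": 3, "UtcTime": "2024-01-01 10:05:01", "ProcessGuid": "{G2}", "Image": "C:\\Admin\\PsExec.exe", "DestinationIp": "10.0.0.6", "DestinationPort": 445}
{"EventID": 3, "UtcTime": "2024-01-01 10:06:00", "ProcessGuid": "{G3}", "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "10.0.0.7", "DestinationPort": 443}
"""


def is_psexec(ev):
    # Match on the image name or on OriginalFileName so a renamed copy still hits.
    image = ev.get("Image", "").lower()
    return image.endswith("\\psexec.exe") or ev.get("OriginalFileName", "").lower() == "psexec.c"


def correlate(lines, window_seconds=60, trusted_parents=()):
    """Return one alert per PsExec process creation that is followed, within
    window_seconds, by a network connection from the same ProcessGuid.
    trusted_parents (lower-case paths) is the tuning knob the advisory recommends:
    PsExec launched by an approved deployment tool is dropped before correlation."""
    starts = {}   # ProcessGuid -> (creation time, Event ID 1 record)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        if ev["EventID"] == 1 and is_psexec(ev):
            if ev.get("ParentImage", "").lower() in trusted_parents:
                continue
            starts[ev["ProcessGuid"]] = (ts, ev)
        elif ev["EventID"] == 3 and ev["ProcessGuid"] in starts:
            t0, start = starts[ev["ProcessGuid"]]
            if timedelta(0) <= ts - t0 <= timedelta(seconds=window_seconds):
                cmd = start["CommandLine"]
                alerts.append({
                    "guid": ev["ProcessGuid"],
                    "command_line": cmd,
                    "accepteula": "-accepteula" in cmd.lower(),  # first-run hint
                    "destination": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run untuned, both PsExec launches alert; passing the deployment tool's path in `trusted_parents` leaves only the cmd.exe-spawned, `-accepteula` run to srv01, which is the case an analyst should look at first.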

Detection coverage (2 rules)

PsExec Network Connection

low

Detects PsExec execution followed by a network connection.

Type: sigma. Tactics: execution, lateral_movement. Techniques: T1021.002, T1569.002, T1570. Sources: process_creation, windows.

PsExec Outbound Network Connection

low

Detects network connections made by PsExec.exe.

Type: sigma. Tactics: lateral_movement. Techniques: T1021.002, T1570. Sources: network_connection, windows.

Detection queries are kept inside the platform.