12/1/2023 0 Comments Cobalt strike named pipe detection![]() Clones: Several custom PsExec implementations exist.Also note that this indicator is only generated by official distributions of PsExec – custom implementations will not change the registry key. Registry: The remote registry key change created when the EULA is accepted can be deleted by attackers in order to cover their tracks.Modification of the service name generally corresponds to a similar modification to named pipes used by the tool. For example, instead of the command psexec.exe cmd.exe, an attacker could execute psexec.exe -r spoolsrv cmd.exe to evade simple detection. Renaming the service: the default service name can be changed by supplying an argument to the command on the calling host.Defenders should be on the lookout for evasion indicators in line with the following: It is possible for attackers to modify several of the values associated with the indicators above. The stdin pipe created by example PSExec usage. (5) (On completion) Uninstall the service and delete the service executable. (4) Facilitate input/output via the named pipe. (3) Connect to the service control manager on the target host to install and start PSEXESVC. (2) Copy the service executable file PSEXECSVC.EXE to the path admin$system32. (1) Authenticate to the target host over SMB using either the current logon session or supplied credentials. The standard PsExec activity pattern is as follows: The attacker can run PsExec on the compromised host and execute commands on another host. Assume an attacker has (1) a foothold in an environment and (2) compromised credentials with Local Administrator privileges on one host. There are also a number of threat actors³ known to use either the official version of the tool, which is signed by Microsoft, or a custom variant.Īttackers often use Sysinternals PsExec to perform lateral movement. Common exploit kits Cobalt Strike and Metasploit each provide PsExec-style capabilities. Similar functionality is available using things like PowerShell Remoting in newer versions of Windows, however PsExec’s versatility and ease of use make it a favorite for attackers. The tool is a lightweight, standalone utility that can provide interactive access to the programs it runs remotely. PsExec is a system administration utility that can execute programs on remote Windows hosts². ![]() Crafty defenders can apply the detection logic presented in these posts to their tools in order to identify potentially malicious activity in different environments. While the DetectionLab environment might not generate the exact same events as, for example, popular enterprise EDR products, it will produce the same kind of events. In order to present these techniques using a standard nomenclature and accessible toolset, Praetorian will present examples using DetectionLab¹. Some defenders might have access to full packet captures and robust endpoint telemetry, others might collect only a subset of events from a few sources. Praetorian’s goal is for this series to serve as a handy reference for defenders looking to answer the question: How do I detect _?Ī note on tools: There are many options when it comes to network defense tooling. Each post will briefly describe a technique, when and how it might be used, potential indicators generated, and ways to detect or hunt for those indicators. The series is geared toward network defenders wanting to understand, identify, and protect against these attacks. This post is the first in a threat hunting series profiling detection points for common cyber threat actor attack techniques.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |