
Artifact Analysis: PsExec and Lateral Movement

To effectively hunt for PsExec, DFIR analysts must understand its highly specific execution flow. The tool does not rely on traditional exploits; instead, it abuses legitimate Windows administrative shares and the Service Control Manager (SCM).

  1. Authentication: The attacker executes psexec.exe from the source machine, providing credentials that hold local administrator privileges on the target endpoint.
  2. SMB & Hidden Share Access: PsExec authenticates over port 445 and mounts the target’s administrative hidden share, typically ADMIN$ (which maps to C:\Windows).
  3. Payload Dropping: The tool copies a specific service executable, named PSEXESVC.exe, into the target’s %SystemRoot% directory.
  4. Service Creation: Using Remote Procedure Calls (RPC), PsExec interacts with the target’s Service Control Manager to create a temporary, demand-start Windows service named PSEXESVC.
  5. Execution & Named Pipes: The SCM starts the service, which executes with NT AUTHORITY\SYSTEM privileges. The service then creates a named pipe (e.g., \pipe\psexecsvc) to redirect standard input/output (stdin/stdout) back to the attacker’s terminal, establishing an interactive shell.
  6. Cleanup (Anti-Forensics): Upon session termination, PsExec attempts to stop the service, delete the service configuration, and remove the PSEXESVC.exe binary.

While PsExec attempts to clean up after itself, the execution chain generates highly durable artifacts across the Windows event logs and the file system.

A. Windows Event Logs (The Primary Source)

  • Event ID 7045 (Service Creation): This is the highest-fidelity indicator. Look in the System log for a new service installed with the name PSEXESVC and the image path C:\Windows\PSEXESVC.exe. Even if the attacker successfully deletes the service later, the creation event remains permanently logged.
  • Event ID 4624 (Successful Logon): In the Security log, you will observe a sequence:
    • A Logon Type 3 (Network) representing the SMB authentication to the ADMIN$ share.
    • Followed immediately by a Logon Type 5 (Service) when the SYSTEM account starts the dropped service.
  • Event ID 4688 (Process Creation): If command-line auditing is enabled, analysts will observe a highly distinctive process lineage: services.exe -> PSEXESVC.exe -> cmd.exe (or the specific payload executed by the attacker).

If the attacker’s connection drops unexpectedly or the cleanup routine fails, the PSEXESVC.exe binary is left orphaned in the C:\Windows\ directory. Even if the binary was successfully deleted, analysts should cross-reference the Prefetch (.pf) files and Amcache on the target machine: these artifacts prove that PSEXESVC.exe was executed and provide precise execution timestamps.

In modern incident response, threat actors (including ransomware groups like Akira and Qilin) rarely use the official Microsoft binary. Instead, they use psexec.py from the Impacket library.

Deploy the following Sigma rule to detect the specific process lineage associated with PsExec and its variants.

sigma_psexec_lineage.yaml

title: Suspicious PsExec Service Execution
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: stable
description: Detects the execution of cmd.exe or powershell.exe as a child of PSEXESVC.exe, indicating lateral movement.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\PSEXESVC.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection
level: high
tags:
    - attack.lateral_movement
    - attack.t1569.002
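The following script is an added example, not part of the original article or of any Sigma tooling: it applies the two highest-fidelity indicators described above (the Event ID 7045 service install and the Sigma rule’s PSEXESVC.exe -> cmd.exe/powershell.exe lineage) to a constructed set of event records, so the matching logic can be checked offline before the rule is deployed. The event dictionaries, field names and helper names are assumptions made for this example; Sigma string matching is case-insensitive, and that is reproduced here.

```python
# Added example (not from the original article): evaluate the PsExec indicators
# discussed above against constructed Windows event records.

# Constructed sample events, not real telemetry. 4688 records carry the Sigma
# process_creation field names (Image, ParentImage); 7045 records carry the
# System-log service-install fields (ServiceName, ImagePath).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 4688, "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},          # benign: wrong parent
    {"EventID": 7045, "ServiceName": "WinDefend",
     "ImagePath": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]


def _endswith_ci(value, suffixes):
    """Sigma's |endswith modifier: case-insensitive suffix match against any listed value."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_psexec_lineage(event):
    """Selection from the Sigma rule above: parent is PSEXESVC.exe AND child is cmd/powershell."""
    return (_endswith_ci(event.get("ParentImage", ""), ["\\PSEXESVC.exe"])
            and _endswith_ci(event.get("Image", ""), ["\\cmd.exe", "\\powershell.exe"]))


def matches_psexec_service_install(event):
    """Event ID 7045 naming the PSEXESVC service or its C:\\Windows\\PSEXESVC.exe image path."""
    if event.get("EventID") != 7045:
        return False
    return (event.get("ServiceName", "").upper() == "PSEXESVC"
            or _endswith_ci(event.get("ImagePath", ""), ["\\PSEXESVC.exe"]))


def hunt(events):
    """Return (EventID, indicator) for every event that trips one of the two indicators."""
    hits = []
    for e in events:
        if matches_psexec_service_install(e):
            hits.append((e["EventID"], "psexec_service_install"))
        elif matches_psexec_lineage(e):
            hits.append((e["EventID"], "psexec_process_lineage"))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Because the lineage check keys only on parent and child image names, it fires regardless of the logon type recorded in the preceding 4624 events; correlate the hit with the 7045 and 4624 sequence described above before declaring the host compromised.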

To mitigate lateral movement via PsExec and similar SMB-based tools:

  • Restrict Administrative Shares: Disable ADMIN$ and C$ shares where not strictly required by IT operations.
  • Micro-Segmentation: Block workstation-to-workstation SMB traffic (Port 445). SMB traffic should logically flow only from workstations to designated file servers or domain controllers.
  • LAPS Deployment: Implement Microsoft Local Administrator Password Solution (LAPS) so that a single local administrator credential cannot be reused across multiple endpoints via Pass-the-Hash.