Full Report
2021 was the year I met two incredible hackers, Michael and Reino, with whom I had the opportunity to work during my first ever SenseCon.
Analysis Summary
# Best Practices: Mitigating PsExec-Related Threats and Implementing Zero Trust
## Overview
These practices address the risks associated with the misuse of the PsExec utility (part of Sysinternals) for remote administration and potential malicious activity. The recommendations focus on detecting PsExec's operational steps, hardening systems against its file staging and service creation mechanisms, and applying a Zero Trust security philosophy.
## Key Recommendations
### Immediate Actions
1. **Monitor Service Creation Events:** Implement logging and alerting for Windows Service Control Manager (SCM) activity, specifically looking for Event ID 4697 (A service was installed on the system) associated with newly created services, as PsExec installs `PSEXESVC`.
2. **Disable Unnecessary Administrative Shares:** Immediately review and disable all default administrative shares (`ADMIN$`, `C$`, etc.) on endpoints that do not strictly require them for essential operations (e.g., non-Domain Controllers or file servers).
3. **Review Network Communications for PsExec Versions:** Actively scan network traffic or endpoint behavioral data for clear-text data transmissions associated with older PsExec versions (pre-v2.20) attempting to communicate over RPC/Named Pipes, as these transmit credentials and commands in plain text.
### Short-term Improvements (1-3 months)
1. **Implement Named Pipe Monitoring:** Configure advanced endpoint detection mechanisms to monitor for the creation of suspicious named pipes following the PsExec pattern: `[ServiceBinaryName]-[ComputerName]-[PID]-stdin/stdout/stderr`. Look for pipes where the first segment matches the name of an uploaded service binary (e.g., `UPDATE-XXX-std*` if `update.exe` was used instead of `psexesvc.exe`).
2. **Block PsExec Download/Execution (Where Possible):** Implement application control policies (e.g., using AppLocker or Windows Defender Application Control) to restrict the execution of `PsExec.exe` and the staging binary `PsExeSVC.exe` from non-standard locations, or block Sysinternals downloads entirely if not centrally managed.
3. **Harden SMB Access:** Restrict inbound or lateral SMB connectivity, as PsExec relies on accessing the `ADMIN$` share (typically SMB port 445) to stage the server component (`PsExeSVC.exe`).
### Long-term Strategy (3+ months)
1. **Develop Mimic Detection Logic:** Create custom detection rules based on the complete sequence of PsExec actions: File staging to `C:\Windows` (`ADMIN$`), RPC calls to SCM endpoints (`OpenSCManagerW`, `OpenServiceW`, `StartServiceW`), and subsequent named pipe establishment.
2. **Enforce Zero Trust Architecture:** Adopt a formal Zero Trust model where no entity (user or service) is inherently trusted, regardless of network location. This necessitates continuous verification of identity, device posture, and least privilege application for all remote interactions.
3. **Investigate Alternatives to PsExec:** Standardize on secure, modern remote management technologies that utilize authenticated, encrypted protocols (e.g., native PowerShell Remoting/WinRM, SSH, or dedicated enterprise management tools) to replace reliance on legacy file-transfer and service-creation methods inherent to PsExec.
## Implementation Guidance
### For Small Organizations
- **Focus on Application Control:** Use Windows built-in tools (AppLocker/WDAC) to create a strict allow-list policy, preventing unapproved binaries like PsExec, or any service deployment binaries, from running. Prioritize blocking execution from user profiles or temp directories.
- **Disable Guest/Default Shares:** Ensure standard Windows installations do not have default administrative shares exposed, and restrict administrative access rights where these shares must remain active (e.g., only Domain Admins or a dedicated management account).
### For Medium Organizations
- **Implement Advanced Logging:** Ensure centralized logging captures Service Control Manager events (ID 4697) and detailed endpoint process execution logs. Tune SIEM correlation rules to detect the sequence indicative of PsExec use.
- **Use Modern Management Tools:** Replace reliance on Sysinternals tools for administrative tasks with enterprise management solutions that handle remote execution via secure protocols (like HTTPS/WinRM) and provide audit trails without manually staging binaries.
### For Large Enterprises
- **Segment Networks:** Isolate critical assets and segment the network so that lateral movement via SMB/RPC between segments is blocked by default, limiting the scope upon compromise.
- **Deploy Advanced Endpoint Defense:** Utilize EDR solutions capable of deep inspection of API calls, specifically watching for the sequence of system calls related to service creation and named pipe fabrication, which are often heavily obfuscated in custom attacks.
- **Document Exceptions:** Maintain a strictly reviewed and time-bound list of systems where administrative shares *must* remain active, alongside enhanced monitoring for those specific hosts.
## Configuration Examples
*Since the article describes the **mechanisms** PsExec uses rather than offering modern secure configurations, the following details the **malicious** configuration patterns to look for and block:*
**Indicator of Compromise (IOC) Pattern to Block/Alert On:**
| Component | PsExec Operational Artifact | Custom Detection Signature | Implementation Note |
| :--- | :--- | :--- | :--- |
| **File Staging** | Upload of `PsExeSVC.exe` to the `ADMIN$` share (`C:\Windows`). | File creation event targeting `C:\Windows\PsExeSVC.exe` initiated remotely via SMB. | Block file write access to `C:\Windows` based on source context. |
| **Service Creation** | Remote call to `StartServiceW` leading to service name `PSEXESVC`. | Event ID 4697 when Service Name is `PSEXESVC` or any unknown name started immediately after a remote connection. | Alert on 4697 events originating from non-management hosts. |
| **Communication** | Creation of named pipes matching pattern `[Service Name]-*-*-std*`. | Named Pipe creation matching regex: `.*-\d{4,5}-stdin` where the first token is not a known legitimate service. | Implement runtime monitoring for pipe endpoint registration. |
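The detection logic described in the named-pipe monitoring step and summarised in the table above, worked through as an added example (not code from the original page): it correlates Event ID 4697 service installs with later `std*` pipe creation on the same host, so a renamed service binary such as `update.exe` is caught by behaviour rather than by name. The event records, the `KNOWN_SERVICES` allow-list and the host names are constructed for the example.

```python
import re
from collections import defaultdict

# Pipe naming convention from the text: [ServiceBinaryName]-[ComputerName]-[PID]-std(in|out|err).
# The host token is matched greedily so computer names containing hyphens still parse.
PIPE_RE = re.compile(
    r"^(?P<svc>[^-]+)-(?P<host>.+)-(?P<pid>\d+)-std(?:in|out|err)$", re.IGNORECASE
)
# Constructed allow-list (assumption): services that legitimately own pipes of this shape.
KNOWN_SERVICES = {"spoolsv"}

# Constructed telemetry, not from the original page: 4697 installs and pipe creations, in time order.
SAMPLE_EVENTS = [
    {"type": "4697", "host": "WS01", "service": "PSEXESVC", "binary": r"%SystemRoot%\PSEXESVC.exe"},
    {"type": "pipe", "host": "WS01", "pipe": r"\\.\pipe\PSEXESVC-WS01-4312-stdin"},
    {"type": "pipe", "host": "WS01", "pipe": r"\\.\pipe\PSEXESVC-WS01-4312-stdout"},
    {"type": "4697", "host": "WS02", "service": "update", "binary": r"%SystemRoot%\update.exe"},
    {"type": "pipe", "host": "WS02", "pipe": r"\\.\pipe\update-WS02-812-stdin"},
    {"type": "pipe", "host": "WS03", "pipe": r"\\.\pipe\spoolsv-WS03-9900-stdin"},
    {"type": "pipe", "host": "WS04", "pipe": r"\\.\pipe\lsass"},
    {"type": "pipe", "host": "WS05", "pipe": r"\\.\pipe\svchlp-WS05-2201-stderr"},
]

def detect_psexec(events):
    """Return one (host, rule, detail) alert per suspicious install or pipe session."""
    staged = defaultdict(set)  # host -> lower-case base names of binaries installed via 4697
    seen = set()               # (host, svc, pid) already alerted: stdin/stdout/stderr fire once
    alerts = []
    for ev in events:
        if ev["type"] == "4697":
            base = ev["binary"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            staged[ev["host"]].add(base)
            if ev["service"].upper() == "PSEXESVC":   # default service name, table row 2
                alerts.append((ev["host"], "psexec-service-install", ev["service"]))
            continue
        m = PIPE_RE.match(ev["pipe"].rsplit("\\", 1)[-1])
        if not m:
            continue                                  # not a PsExec-style std* pipe
        svc, pid = m["svc"].lower(), m["pid"]
        key = (ev["host"], svc, pid)
        if key in seen or svc in KNOWN_SERVICES:
            continue
        seen.add(key)
        if svc in staged[ev["host"]]:                 # first token matches a staged binary
            alerts.append((ev["host"], "psexec-pipe-for-staged-service", f"{svc} pid={pid}"))
        else:                                         # first token is not a known service
            alerts.append((ev["host"], "psexec-style-pipe-unknown-service", f"{svc} pid={pid}"))
    return alerts
```

In production the same correlation would key on the 4697 Subject and SMB source address as well, so alerts can be suppressed for approved management hosts.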
## Compliance Alignment
- **NIST SP 800-53 (Rev. 5):**
  - **AC-3 (Access Enforcement):** Enforcing least privilege and secure configuration to deny unauthorized remote file access (`ADMIN$`).
  - **AU-2 (Audit Events):** Ensuring comprehensive logging of service installation and system changes.
  - **SC-8 (Transmission Confidentiality and Integrity):** Zero Trust validates that no connection, including legacy SMB/RPC used by older PsExec versions, can be implicitly trusted without validation.
- **CIS Controls (v8):**
  - **Control 4: Inventory and Control of Software Assets:** Identifying and controlling the execution of potentially dangerous or unauthorized administrative tools like PsExec.
  - **Control 10: Boundary Defense:** Hardening network access to administrative shares and service endpoints.
## Common Pitfalls to Avoid
1. **Over-trusting Encryption:** Do not assume that because a newer version of PsExec (v2.20+) uses encryption, it is inherently safe. The encryption only masks the data; the underlying mechanism (service creation, file staging) remains a high-risk administrative technique that signals unusual activity if used by unauthorized accounts.
2. **Focusing Only on `PsExec.exe`:** Attackers frequently rename `PsExeSVC.exe` or use custom clients. Detection must focus on the *behavior* (service installation, named pipe use) rather than just the hardcoded binary names.
3. **Ignoring Legacy Tooling:** Do not dismiss PsExec simply because it is standard Sysinternals software. Legitimate tools, when used outside established management channels, become a prime means of execution, the same concern that drives living-off-the-land binary (LOLBin) defense.
## Resources
- **Sysinternals Downloads (Defanged Reference):** Secure management of administrative tools should utilize official channels, but monitor for execution outside of controlled paths.
- **LGTM Project (Similar analysis):** Investigation into Lolbins and GTFObins for alternative methods that may bypass simple execution blocking.
- **WhiteFlag Blog Post:** For deeper technical analysis referenced in the source material.