PsExec is a command-line utility that is part of Sysinternals, a suite of management tools for Microsoft Windows. PsExec has a variety of capabilities, including allowing administrators to install and execute programs on remote machines and remotely create accounts. It also has been incorporated into threat groups’ tactics, techniques and procedures (TTPs), including
replaying hashed passwords and escalating system privileges. Because it is often present on Windows systems, it is an attractive tool for threat actors since the use of it is less likely to raise security alarms because it’s not inherently malware. This tactic of using native Windows binaries for malicious activity is referred to as “living off the land.” PsExec has been used by at least 30 different threat groups, including Volt Typhoon, a China-based state-sponsored group; Berserk Bear, a Russian state-sponsored group; and most recently Fog ransomware, a financially motivated cybercriminal group that appeared in early 2024. This post demonstrates a few ways to conduct threat hunts to look for artifacts associated with potentially malicious use of PsExec and similar tools, such as Impacket and Metasploit’s PsExec module.
Now that we are familiar with PsExec, we need to understand the artifacts these tools leave behind when they are installed and used. One sign it has been installed is the creation of a new service with a random name. For example, if we look at the documentation for Metasploit’s PsExec module, we can see the PsExec payload is the randomly named executable “QpxKDHyG”:
When a service is started and it runs an executable, we know “services.exe” is going to be the parent process. This is another clue PsExec might be in use, and we can pick up on this activity in event logs as well. A 2021 post by a senior cybersecurity manager on his website bczyz's research blog describes the event logs created: event 4697, a security log event, and 7045, a system log event. Both indicate a new service has been installed on a system related to the installation of Impacket, which is a PsExec-like tool.
The event logs also show the name of the service that has been installed. As per bczyz’s research blog, we can see event log 4697 indicates the service “xHdi” was installed along with the service file name, which is “%SYSTEMROOR%\tGZQiyrm.exe.”
And then we can see event 7045:
With this information about artifacts, we can formulate our threat hunt hypothesis: we want to search for randomly named executables and their associated parent processes. Now, we will dive into Intel 471’s HUNTER471 platform. HUNTER471 contains pre-written threat hunting queries that can be used to hunt for specific behaviors in a variety of endpoint, detection and response (EDR) applications, security information and event management (SIEM) instances and other logging platforms, such as Splunk and Elastic. For this hunt, we will go to the hunt package titled “Metasploit / Impacket PsExec Process Creation Activity.”
The query logic explains the broad goal of this threat hunt, which is looking for certain field-value relationships, parent and child processes and ultimately new service names that match likely adversary use of PsExec. Below is the broad query logic, and highlighted in blue is a regular expression that will look for any combination of eight lowercase and uppercase letters followed by “.exe,” which is the format for how Metasploit deploys Impacket PsExec.
This method of hunting for the behaviors of adversaries is more reliable than, say, an indicator of compromise (IoC) such as an IP address or a file hash. Threat actors can easily change infrastructure such as IP addresses associated with attacks. They use crypting services to ensure their malware isn’t detected by matching hashes (see the blog post: A Briefing on Malware Crypting Services). But if PsExec is in an attacker’s regular workflow, this behavior and use of the tool is likely to be repeated, making it a more reliable sign that an organization may have experienced a breach.
We incorporated this query logic into a hunt package that covers many logging and EDR systems, including Carbon Black Investigate, CrowdStrike, CrowdStrike LogScale, Elastic, Microsoft Defender and Sentinel, Palo Alto Cortex XDR, QRadar Query, SentinelOne and Splunk. Now, let’s hunt for this activity in System Monitor, known as sysmon, logs in Splunk.
In the screenshot above, we can see the query logic in the “New Search” field. To reiterate, we’re looking for parent or parent image processes ending in “services.exe.” We can also see our regular expression, which is looking for new services that have eight uppercase and lowercase combinations. One result is returned, and we can confirm that it matches the query.
What to do next? There are many avenues for exploration. There is a chance this could be a false positive, so we would need to deconflict and ensure perhaps the organization wasn’t the subject of a penetration test or other legitimate activity. Incident response investigators could take this result in several directions, such as looking for odd network connections or if registry keys were modified. Also, we might want to confirm if Impacket was used to create any new files.
This guide to threat hunting for Impacket and PsExec is also available on video here. We hope this tutorial has opened a door for new possibilities for threat hunts. For those wanting to dive deeper, register for a free Community Edition account of HUNTER471, which contains several free hunt packages along with a comprehensive library of advanced threat hunting packages, detailed analyst notes and proactive recommendations. These resources are designed to strengthen your threat hunting capabilities and keep your organization secure. Happy hunting!
