PsExec going places…

Update 2018-07-19

Today I came across an old post from @mbromileyDFIR, who wrote about it in 2016, so I'm adding the link as it's a good article explaining the forensic artifacts associated with running PsExec.

Old Post

As a threat hunter you surely know that PSEXESVC.EXE is one of those nice signature-friendly artifacts that you will want to catch with your process/service creation rules. It's one of the easiest ways to spot lateral movement.

Unfortunately, there is a catch.

You see, for a number of years now PsExec has had the '-r' command line argument, which lets you choose the name of the remote service; this changes the artifacts it leaves on the remote system.

You can test it by running the following command:

PsExec.exe -r foobar \\localhost cmd.exe

The tool drops c:\WINDOWS\foobar.exe and starts a service called 'foobar'.

The flag also renames the named pipes PsExec uses (the per-session -stdin, -stdout and -stderr pipes), so they no longer carry the PSEXESVC name either (I forgot to mention it in the original post, thx to @spinning_monkey for reminding me).

I guess the original idea behind introducing this flag was to let multiple PsExec versions (or instances) co-exist on the remote system, but the side effect is that you can't detect PsExec by relying on the default service or file name alone.
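As an added example (not code from the original post, and not Sysinternals' code), here is a small Python hunt over constructed Sysmon-style events that still flags a PsExec session after '-r foobar' has renamed the service, the binary and the pipes. Instead of matching the literal string PSEXESVC it keys on the shape of the per-session pipe names (name-host-pid-stdin/stdout/stderr), on the OriginalFileName field Sysmon records for the new process (the assumption being that -r renames the file on disk but not the version resource inside it), and on a service binary sitting directly under the Windows root. The event dictionaries, the host name WS01, the PID 4120 and the svchost/lsass noise are all constructed; the field names follow Sysmon's Event ID 1 and 17 schema.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry) for one PsExec run
# started with "-r foobar": a service binary in the Windows root, a control
# pipe, and the three per-session stdio pipes, plus some benign noise.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\foobar.exe", "OriginalFileName": "psexesvc.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 17, "Image": r"C:\Windows\foobar.exe", "PipeName": r"\foobar"},
    {"EventID": 17, "Image": r"C:\Windows\foobar.exe", "PipeName": r"\foobar-WS01-4120-stdin"},
    {"EventID": 17, "Image": r"C:\Windows\foobar.exe", "PipeName": r"\foobar-WS01-4120-stdout"},
    {"EventID": 17, "Image": r"C:\Windows\foobar.exe", "PipeName": r"\foobar-WS01-4120-stderr"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 17, "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
]

# Per-session pipe layout used by PsExec: <service>-<client host>-<client pid>-std{in,out,err}.
# The service prefix is whatever -r set, so match the shape, not the PSEXESVC string.
SESSION_PIPE_RE = re.compile(r"^\\(?P<svc>.+?)-(?P<host>.+)-(?P<pid>\d+)-std(?P<stream>in|out|err)$", re.I)
# Service binary dropped straight into %WINDIR% (no subfolder), as PsExec does over ADMIN$.
WINROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


def pipe_findings(events):
    """Report every (service, host, pid) that created all three stdio pipes."""
    streams = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 17:
            continue
        m = SESSION_PIPE_RE.match(ev.get("PipeName", ""))
        if m:
            key = (m["svc"].lower(), m["host"].lower(), m["pid"])
            streams[key].add(m["stream"].lower())
    return [f"psexec-style pipe triplet: {svc}-{host}-{pid}"
            for (svc, host, pid), seen in streams.items()
            if seen >= {"in", "out", "err"}]


def process_findings(events):
    """Report renamed PsExec service binaries from process-creation events."""
    out = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image = ev.get("Image", "")
        base = image.rsplit("\\", 1)[-1].lower()
        # Assumption: -r renames the file on disk but not its version resource,
        # so Sysmon's OriginalFileName still reads psexesvc.exe.
        if ev.get("OriginalFileName", "").lower() == "psexesvc.exe" and base != "psexesvc.exe":
            out.append(f"renamed PsExec service binary: {image}")
        # Weaker, name-agnostic signal: the SCM launched an executable that lives
        # directly under the Windows root, which is where PsExec drops its service.
        if ev.get("ParentImage", "").lower().endswith(r"\services.exe") and WINROOT_EXE_RE.match(image):
            out.append(f"service binary directly under the Windows root: {image}")
    return out


def hunt(events):
    """Combine the pipe-shape and process-creation signals into one finding list."""
    return pipe_findings(events) + process_findings(events)


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The pipe triplet is the stronger signal of the two: the Windows-root check also fires on any oddly installed service, so in practice you would let it raise a score rather than alert on its own.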

Beyond good ol’ Run key, Part 68

Modifying Software\Classes\CLSID branches is a well-known trick that malware has used for ages. It is important to recognize, though, that there are many variants of the trick: the keys are consumed by different applications and libraries, for very different purposes, so there is no end to the possibilities they offer to malware authors.

Here's a probably less-known CLSID branch that can be used to execute malware any time you press WIN+E to open a new Windows Explorer window.

Example for calculator (tested on win10):

HKCU\Software\Classes\CLSID\
{52205fd8-5dfb-447d-801a-d0b52f2e83e1}\
shell\opennewwindow\command
"DelegateExecute"=""
@="c:\\windows\\system32\\calc.exe"
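As an added example (not code from the original post), here is a Python hunt that reads a "reg export" of HKCU\Software\Classes\CLSID and flags the pattern above. It generalizes a little beyond the post: it reports any per-user CLSID shell verb command, not only opennewwindow, because HKCU\Software\Classes is merged into HKCR ahead of the HKLM entries and therefore shadows whatever the machine-wide handler is, and it treats an empty DelegateExecute as an extra reason, since that makes the shell run the command line rather than a COM handler. The .reg text is constructed: the first key is the post's example, the second CLSID is made up to show a benign per-user registration that must not fire.

```python
import re

# Constructed "reg export" output (not from a real system): the post's
# opennewwindow hijack next to an unrelated, benign per-user COM registration.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{52205fd8-5dfb-447d-801a-d0b52f2e83e1}\shell\opennewwindow\command]
"DelegateExecute"=""
@="c:\\windows\\system32\\calc.exe"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
"ThreadingModel"="Apartment"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<raw>.*)$')
# Any shell verb command under a per-user CLSID, not only opennewwindow.
HKCU_CLSID_VERB_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(?P<clsid>\{[0-9a-f-]{36}\})\\shell\\(?P<verb>[^\\]+)\\command$",
    re.I,
)


def parse_reg(text):
    """Minimal .reg parser: {key: {value name: value}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m["key"]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m["name"] if m["name"] is not None else "@"
            raw = m["raw"]
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                # REG_SZ: drop the quotes and undo .reg escaping
                raw = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = raw  # dword:/hex: values are kept verbatim
    return keys


def hunt_clsid_shell_hijacks(keys):
    """Flag per-user CLSID shell verbs (HKCU Classes shadow the HKLM entries in HKCR)."""
    findings = []
    for key, values in keys.items():
        m = HKCU_CLSID_VERB_RE.match(key)
        if not m:
            continue
        reasons = ["per-user CLSID shell verb overrides the machine-wide handler"]
        if values.get("DelegateExecute") == "":
            reasons.append("empty DelegateExecute makes the shell run the command line instead of a COM handler")
        if m["verb"].lower() == "opennewwindow":
            reasons.append("opennewwindow fires when Explorer opens a new window (WIN+E)")
        findings.append({"clsid": m["clsid"].lower(), "verb": m["verb"],
                         "command": values.get("@", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_clsid_shell_hijacks(parse_reg(REG_EXPORT)):
        print(f["clsid"], f["verb"], "->", f["command"])
        for r in f["reasons"]:
            print("   ", r)
```

To run it against a real host, export the branch with "reg export HKCU\Software\Classes\CLSID clsid.reg" and feed the file's contents to parse_reg; every hit is worth a look, since legitimate software rarely needs to define shell verbs for a CLSID in the per-user hive.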

Update

There is a side effect to this setting: launching explorer.exe, whether via WIN+E, by double-clicking explorer.exe inside Windows Explorer, or by running it via WIN+R, will always end up executing calc.exe. Malware would need to handle these situations with an appropriate action.