PsExec Hunt Lab

CyberDefenders Network Forensics Lab

Scenario

An alert from the Intrusion Detection System (IDS) flagged suspicious lateral movement activity involving PsExec. This indicates potential unauthorized access and movement across the network. As a SOC Analyst, your task is to investigate the provided PCAP file to trace the attacker’s activities. Identify their entry point, the machines targeted, the extent of the breach, and any critical indicators that reveal their tactics and objectives within the compromised environment.

Question 1

To effectively trace the attacker’s activities within our network, can you identify the IP address of the machine from which the attacker initially gained access?

Answer 1

Most of the traffic in the capture originates from a single address, 10.0.0.130. Sorting Wireshark's Endpoints or Conversations statistics by packet count makes it stand out immediately; that host is the attacker's entry point and the pivot source for everything that follows.


Question 2

To fully understand the extent of the breach, can you determine the machine’s hostname to which the attacker first pivoted?

Answer 2

Filter the capture down to packets sent from the attacker's address (ip.src == 10.0.0.130). Among them is an SMB2 Session Setup Request that carries an NTLMSSP AUTHENTICATE message for the username ssales. The name of the machine involved in this first pivot can be read from the same session setup exchange. One caveat when reading these fields: the AUTHENTICATE message carries the client's workstation name, while the NTLMSSP CHALLENGE in the server's Session Setup Response carries the target's own name, so the challenge is the authoritative place to confirm which host was pivoted to.

Question 3

Knowing the username of the account the attacker used for authentication will give us insights into the extent of the breach. What is the username utilized by the attacker for authentication?

Answer 3

The same Session Setup Request reveals the username used for authentication: ssales.

Question 4

After figuring out how the attacker moved within our network, we need to know what they did on the target machine. What’s the name of the service executable the attacker set up on the target?

Answer 4

Once authenticated as ssales, the attacker's host writes PSEXESVC.exe to the target and starts it as a service. That binary is PsExec's remote service component; once it is running, the attacker can execute commands on the target and pivot further or cause more damage. Seeing it land on a host is a strong indicator of PsExec-style lateral movement, with the caveat that PsExec's -r option lets the operator rename the service and its executable, so detections should not rely on the file name alone.

Question 5

We need to know how the attacker installed the service on the compromised machine to understand the attacker’s lateral movement tactics. This can help identify other affected systems. Which network share was used by PsExec to install the service on the target machine?

Answer 5

Before PSEXESVC.exe appears, the attacker connects (SMB2 Tree Connect) to the target's ADMIN$ share, which maps to the Windows directory. PsExec copies the service binary into that share and then registers the service, so ADMIN$ is the share used for installation. The Tree Connect request can be seen in the screenshot above.

Question 6

We must identify the network share used to communicate between the two machines. Which network share did PsExec use for communication?

Answer 6

Two different network shares can be seen in the screenshot above. Both of them

As background for reading those Tree Connect requests: PsExec's control and I/O channels are named pipes (the svcctl pipe used to create and start the service, then the PSEXESVC pipe together with its stdin, stdout and stderr pipes), and named pipes are reached through the IPC$ share rather than through ADMIN$.

Question 7

Now that we have a clearer picture of the attacker’s activities on the compromised machine, it’s important to identify any further lateral movement. What is the hostname of the second machine the attacker targeted to pivot within our network?

Answer 7

Applying the display filter:

ntlmssp.challenge.target_name

matches only NTLMSSP CHALLENGE messages, in which each server announces its own name to the client it is authenticating. Listing the challenges sent back to the attacker therefore enumerates every host the attacker authenticated to, and one of them comes from a second machine, giving both its IP address and its hostname: Marketing-PC.
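To tie the seven questions together, here is an added example (written for this page, not code from the lab or from the write-up's author) that reconstructs the PsExec chain from a tshark field export and answers the same questions programmatically: entry point, pivot targets and their hostnames, the authenticating user, the service binary, and the shares and pipes involved. It assumes the PCAP was exported with tshark -T fields using the Wireshark fields ip.src, ip.dst, smb2.cmd, ntlmssp.auth.username, smb2.tree, smb2.filename and ntlmssp.challenge.target_name, tab-separated in that order (the field names are real Wireshark fields; the export itself is an assumption, not something the lab supplies). The sample rows embedded in the script are constructed: 10.0.0.130, ssales, PSEXESVC.exe, ADMIN$ and Marketing-PC come from the answers above, while the target addresses, the hostname PIVOT-1-PC and the benign traffic from 10.0.0.140 are placeholders.

```python
"""Reconstruct PsExec lateral-movement chains from a tshark -T fields export.
Added example for this write-up; the sample rows below are constructed."""
from collections import defaultdict

FIELDS = ["ip.src", "ip.dst", "smb2.cmd", "ntlmssp.auth.username",
          "smb2.tree", "smb2.filename", "ntlmssp.challenge.target_name"]
SMB2_SESSION_SETUP, SMB2_TREE_CONNECT, SMB2_CREATE = "1", "3", "5"

# Constructed sample (not the lab PCAP): target IPs and PIVOT-1-PC are placeholders.
# Column order matches FIELDS.
SAMPLE_ROWS = [
    ("10.0.0.130", "10.0.0.131", "1", "", "", "", ""),              # NEGOTIATE
    ("10.0.0.131", "10.0.0.130", "1", "", "", "", "PIVOT-1-PC"),    # CHALLENGE (server -> client)
    ("10.0.0.130", "10.0.0.131", "1", "ssales", "", "", ""),        # AUTHENTICATE
    ("10.0.0.130", "10.0.0.131", "3", "", "\\\\10.0.0.131\\ADMIN$", "", ""),
    ("10.0.0.130", "10.0.0.131", "5", "", "", "PSEXESVC.exe", ""),  # service binary dropped
    ("10.0.0.130", "10.0.0.131", "3", "", "\\\\10.0.0.131\\IPC$", "", ""),
    ("10.0.0.130", "10.0.0.131", "5", "", "", "svcctl", ""),        # service control pipe
    ("10.0.0.130", "10.0.0.131", "5", "", "", "PSEXESVC", ""),      # PsExec I/O pipe
    ("10.0.0.130", "10.0.0.133", "1", "", "", "", ""),
    ("10.0.0.133", "10.0.0.130", "1", "", "", "", "MARKETING-PC"),
    ("10.0.0.130", "10.0.0.133", "1", "ssales", "", "", ""),
    ("10.0.0.130", "10.0.0.133", "3", "", "\\\\10.0.0.133\\ADMIN$", "", ""),
    ("10.0.0.130", "10.0.0.133", "5", "", "", "PSEXESVC.exe", ""),
    ("10.0.0.130", "10.0.0.133", "3", "", "\\\\10.0.0.133\\IPC$", "", ""),
    ("10.0.0.130", "10.0.0.133", "5", "", "", "svcctl", ""),
    ("10.0.0.140", "10.0.0.10", "1", "jdoe", "", "", ""),           # ordinary file-share use
    ("10.0.0.140", "10.0.0.10", "3", "", "\\\\10.0.0.10\\Shared", "", ""),
    ("10.0.0.140", "10.0.0.10", "5", "", "", "report.docx", ""),
]
SAMPLE_TSV = "\n".join("\t".join(r) for r in SAMPLE_ROWS) + "\n"


def parse_rows(tsv_text):
    """Parse tshark TSV into dicts keyed by FIELDS; short rows are padded with ''."""
    rows = []
    for line in tsv_text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(FIELDS) - len(cols))
        rows.append(dict(zip(FIELDS, cols)))
    return rows


def build_chains(rows):
    """Group users, shares, opened files and target hostname per (client, server) pair."""
    chains = defaultdict(lambda: {"users": set(), "shares": set(),
                                  "files": set(), "hostname": None})
    for r in rows:
        src, dst, cmd = r["ip.src"], r["ip.dst"], r["smb2.cmd"]
        if r["ntlmssp.challenge.target_name"]:
            # The CHALLENGE travels server -> client, so key it as (client, server)
            chains[(dst, src)]["hostname"] = r["ntlmssp.challenge.target_name"]
        elif cmd == SMB2_SESSION_SETUP and r["ntlmssp.auth.username"]:
            chains[(src, dst)]["users"].add(r["ntlmssp.auth.username"])
        elif cmd == SMB2_TREE_CONNECT and r["smb2.tree"]:
            # smb2.tree looks like \\host\SHARE; keep only the share name
            chains[(src, dst)]["shares"].add(r["smb2.tree"].rsplit("\\", 1)[-1].upper())
        elif cmd == SMB2_CREATE and r["smb2.filename"]:
            chains[(src, dst)]["files"].add(r["smb2.filename"])
    return dict(chains)


def is_psexec(chain):
    """PsExec signature: an .exe dropped via ADMIN$, then the svcctl pipe over IPC$.
    Matching any .exe instead of PSEXESVC.exe also catches binaries renamed with -r."""
    exes = [f for f in chain["files"] if f.lower().endswith(".exe")]
    pipes = {f.lower() for f in chain["files"] if not f.lower().endswith(".exe")}
    return ("ADMIN$" in chain["shares"] and bool(exes)
            and "IPC$" in chain["shares"] and "svcctl" in pipes)


def summarize(tsv_text):
    """Return one record per (client, server) pair that shows the PsExec pattern."""
    hits = []
    for (client, server), c in sorted(build_chains(parse_rows(tsv_text)).items()):
        if is_psexec(c):
            hits.append({"client": client, "server": server, "hostname": c["hostname"],
                         "users": sorted(c["users"]),
                         "service_exe": sorted(f for f in c["files"] if f.lower().endswith(".exe")),
                         "pipes": sorted(f for f in c["files"] if not f.lower().endswith(".exe"))})
    return hits


def entry_point(hits):
    """The client that PsExec'd into the most hosts is the likely initial foothold."""
    targets = defaultdict(set)
    for h in hits:
        targets[h["client"]].add(h["server"])
    return max(targets, key=lambda ip: len(targets[ip])) if targets else None


if __name__ == "__main__":
    found = summarize(SAMPLE_TSV)
    print("entry point:", entry_point(found))
    for h in found:
        print(f"{h['client']} -> {h['server']} ({h['hostname']}) as {h['users']}: "
              f"dropped {h['service_exe']}, pipes {h['pipes']}")
```

Two things to keep in mind when feeding real tshark output into this: when a packet contains several SMB2 commands (compounded requests), tshark joins the repeated field values with commas by default, so split those columns before matching; and a PsExec session over SMB1 rather than SMB2 would need the smb.* fields instead, although the ADMIN$ copy followed by the svcctl pipe on IPC$ is the same pattern.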

Lab complete!
