Posted on September 14, 2022 at 6:56 PM
Cybersecurity experts have created a new way to implement the Sysinternals PsExec utility enabling the lateral movement in a network through the single Windows TCP port 135 that is less monitored.
New PsExec version bypasses security defenses
PsExec is created to support administrators executing processes remotely on machines within the network without installing a client. Hackers have also started using this tool and have frequently used it in the stage after the exploitation.
The original PsExec runs on the Sysinternals utility suite, and there is an implementation within the Impacket collection on Python classes supporting work with the network protocols. It also supports SML alongside other protocols such as IP, UDP, and TCP that support connections for HTTP, LDAP (Lightweight Directory Access Protocol), and Microsoft SQL Server.
The original and Impacket versions work similarly, and they use an SMB connection. They also rely on port 445, which must be open for communication over the SMB network file-sharing platform.
There is also a management of Windows services, including creating, executing, starting, and stopping via Remote Procedure Calls (RPC). RPC is a protocol that supports high-level communication with the operating system.
For additional functionality, there is a need for port 135. However, the blockage of the port does not bar the threat actor from finalizing the attack. Therefore, port 445 is needed for PsExec to function.
Security defenses mainly focus on blocking port 445, which is needed for PsExec to run commands or files, which works in most cases. However, the work done by these defenders is not enough.
According to Bleeping Computer, researchers at Pentera, a firm providing automated security validation solutions, have implemented the PsExec tool running on port 135. The move has brought changes to the defense sector because blocking port 445 to bar malicious PsExec activity is unreliable for most attacks.
In its report, the senior security researcher at Pentera, Yuval Lazar, argued that it detected that the SMB protocol was used to upload the binary and forward the input and output. The researcher added that the commands were executed using Distributed Computing Environment or Remote Procedure Calls and processes that run despite the output.
The PsExec variation offered by Pentera integrates an RPC connection that allows researchers to launch a service running an arbitrary command without communicating via the SMP port 445 for output or transport.
More security monitoring is needed
The variant offered by Pentera provides a higher chance for activities going undetected within a network. According to Lazar, this was because many organizations apply security mitigation measures depending on the SMB and port 445 while overlooking important other ports like 135.
Lazar has also said that other PsExec implementations needed to use SMB because they were based on file. In contrast, the variant offered by Pentera was fileless, which makes it harder to detect.
The researcher has also said that some security vulnerabilities, such as PetitPotam and DFSCoerce, have triggered concern surrounding RPC risks, and the mitigations have not emphasized monitoring DCE/RPC.
The Pentera report further said that controlling RPC traffic was unpopular in the corporate world, so security defenses cannot detect that RPC can carry a security threat if the network is not monitored.
Will Dormann, a vulnerability analyst at CERT/CC, said that blocking TCP port 445 alone was not enough to prevent malicious activity dependent on the tool.
Hackers have been conducting attacks using PsExec for the longest time. The practice is most popular among ransomware attackers that adopt it to launch file-encrypting malware. One example is the NetWalker ransomware that used PsExec to run a payload on all systems within a domain.
Recently, the Quantum ransomware group used PsExec and WMI to encrypt systems through an attack that lasted for two hours after deploying the IcedID malware. In June, Microsoft published a report detailing an attack through the BlackCat ransomware that used PsExec to distribute ransomware payload.
Another example is the Cisco breach conducted by the Yanluowang ransomware group that used PsExec. In the attack, the ransomware group added values to the registry remotely, permitting the hacker to leverage accessibility features on the Windows sign-in screen. The extent of each of these attacks shows the growing risk surrounding PsExec. It also proves that there is a need for increased monitoring, especially in the corporate sector.