Threat Hunting for PAExec
System administrators have been extensively using a tool from Microsoft's SysInternals suite, PsExec, for managing devices on their networks. This tool was originally developed by Mark Russinovich to help system admins with remote access to all the systems within an environment. However, the tool has also been used during attacks and red teaming engagements. Multiple exploit scripts leveraging PsExec are now part of frameworks such as Metasploit and the PowerShell Empire post-exploitation toolkit. In this blog, we discuss threat hunting for one such derivative: PAExec.
PAExec lets you launch Windows programs on remote Windows computers without needing to install software on the remote computer first. PAExec's versatility and ease of use make it a favorite for attackers. Common Red Team tools like Cobalt Strike and Metasploit each provide PAExec-style capabilities. Attackers often use PAExec to perform lateral movement. In the past, PAExec has been detected in major ransomware attacks such as Shamoon2 and Thanos. This attack tool has also been observed in multiple other campaigns. With the ever-increasing attack surface of a corporate environment, it is crucial to understand how PAExec works and to be able to detect it.
PAExec is a simple but powerful tool that relies on the SMB protocol. The tool copies an executable to the hidden Admin$ share and then uses the Windows Service Control Manager API to start it as a service. The service uses named pipes, which connect back to the PAExec tool. The tool can be run against the local machine or remote machines, and it can allow a user to act as a privileged user.
PAEXECSVC acts as a service wrapper thread for the PAExec service, which is spawned on the target machine and runs with administrative privileges. It runs the specified executable (cmd.exe in our example) on the remote system (note that the binary you wish to execute must be present on the target system) while it redirects the input/output streams of the process execution back and forth between the hosts via named pipes. Let us understand the behavior of this tool in more detail:
1. The tool first opens an SMB session using the supplied credentials to authenticate (Figure 1). In case it fails to create a file in the ADMIN$ share in Windows, it tries to write the executable file to the IPC$ share.
Figure 1: Unsuccessful attempts at connecting to the ADMIN$ Share
2. As is evident from Figure 1, the Tree Connect Response is ACCESS_DENIED, and hence the tool then tries to write the file to the default shared folder IPC$ (alias for C:\Windows) over SMB (Figure 2) and uploads an executable file: PAexec-<random_integers>-<Random_OS_Name>.exe. Note that the parts in angle brackets are random strings that are generated on the fly when the tool is executed.
Figure 2: Successful file write within the IPC$ share
3. Next, the tool opens a handle to \\client\pipe\svcctl to communicate with the Service Control Manager (SCM). This allows PAExec to create and start/stop services remotely, among other things. It uses the SVCCTL protocol which goes on top of DCE/RPC calls sent to the svcctl pipe. DCE/RPC itself builds on top of SMB as is illustrated in Figure 3.
Figure 3: Tree connect successful to IPC$ Share
Figure 4: Communication with the SCM
As shown in Figure 4, the executable makes multiple GetInfo requests/responses from the attacking machine to the victim's IPC$ share at the time of command execution.
These types of attacks can be very difficult to detect on the network since most of the time such activities involve only local command executions. However, there are a few network-based heuristics that help detect the exploitation phase of this attack.
Understanding these network behaviors is key to identifying the use of the PAExec tool. In fact, the Awake Security Platform provides an abstraction layer to parse SMB named pipe messages and SVCCTL protocol data. This helps an analyst identify the svcctl communications and map PAExec-related network communications between the pairs of devices that are involved.
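The two network heuristics described in the steps above (a PAexec-<random>-<name>.exe written to an administrative share, followed by the same host pair opening the svcctl pipe) can be correlated from parsed SMB events. The following detector is an added example written for this post, not Awake's platform code; the event tuples are a constructed, Zeek-like shape and the sample records are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event shape (assumed, not a real capture):
#   (timestamp, src_ip, dst_ip, kind, detail)
#   kind "tree_connect": detail = (share, status)   -- context only, not used
#   kind "file_write":   detail = (share, filename)
#   kind "pipe_open":    detail = pipe name
PAEXEC_NAME = re.compile(r"^paexec-\d+-[\w-]+\.exe$", re.IGNORECASE)
ADMIN_SHARES = {"ADMIN$", "IPC$", "C$"}
WINDOW = timedelta(minutes=5)  # how close the write and the svcctl open must be

def find_paexec_activity(events):
    """Return (src, dst, filename) for host pairs where a PAExec-named
    executable was written to an admin share and the svcctl pipe was
    opened by the same pair within WINDOW of that write."""
    writes = defaultdict(list)   # (src, dst) -> [(ts, filename)]
    pipes = defaultdict(list)    # (src, dst) -> [ts]
    for ts, src, dst, kind, detail in events:
        if kind == "file_write":
            share, name = detail
            if share.upper() in ADMIN_SHARES and PAEXEC_NAME.match(name):
                writes[(src, dst)].append((ts, name))
        elif kind == "pipe_open" and detail.lower() == "svcctl":
            pipes[(src, dst)].append(ts)
    hits = []
    for pair, wlist in writes.items():
        for wts, name in wlist:
            if any(abs(pts - wts) <= WINDOW for pts in pipes.get(pair, [])):
                hits.append((pair[0], pair[1], name))
    return hits

# Constructed sample events mirroring Figures 1-4: ADMIN$ denied, IPC$ fallback,
# PAExec binary written, then the svcctl pipe opened by the same pair.
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    (T0, "10.0.0.5", "10.0.0.10", "tree_connect", ("ADMIN$", "ACCESS_DENIED")),
    (T0 + timedelta(seconds=1), "10.0.0.5", "10.0.0.10", "tree_connect", ("IPC$", "SUCCESS")),
    (T0 + timedelta(seconds=2), "10.0.0.5", "10.0.0.10", "file_write", ("IPC$", "PAexec-8412-WIN10.exe")),
    (T0 + timedelta(seconds=3), "10.0.0.5", "10.0.0.10", "pipe_open", "svcctl"),
    # benign: an ordinary document copied to C$, no SCM interaction
    (T0 + timedelta(minutes=1), "10.0.0.7", "10.0.0.10", "file_write", ("C$", "report.docx")),
    # svcctl opened without any PAExec-style write: admin tooling, not flagged
    (T0 + timedelta(minutes=2), "10.0.0.8", "10.0.0.11", "pipe_open", "svcctl"),
]

if __name__ == "__main__":
    for src, dst, name in find_paexec_activity(SAMPLE_EVENTS):
        print(f"PAExec-style activity: {src} -> {dst} wrote {name} and opened svcctl")
```

Feeding real Zeek smb_files and named-pipe records into this shape, and lowering WINDOW for noisy environments, is left to the reader.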
Figure 5: Detecting PAExec on the Network
As observed in Figure 5, the Awake platform easily detects the PAExec binary which is written on the hidden share in Windows. The user can further dive into other network heuristics related to this activity and observe the malicious nature of the binary which is executed in the target machine.
And when the Awake platform identifies such suspicious behavior on the network (similar to MITRE ATT&CK ID: T1047), it creates a graphical representation of the attack as shown in Figure 7, demonstrating that a Windows device attempted to access the organization’s domain controller in an attempt to execute PAExec.
Figure 7: Awake Situation with PAExec detected in the environment
The network heuristics explained above must be fingerprinted to detect any PAExec-like activity within the environment. To mitigate such attacks, remote execution permissions must only be granted to system administrators so that the attack surface for such exploitation techniques is minimized.
- MITRE ATT&CK ID: S0029
- MITRE ATT&CK ID: T1021
- MITRE ATT&CK ID: T1036
- MITRE ATT&CK ID: T1047