Threat Hunting for PAExec

Executive Summary

System administrators have long relied on PsExec, a tool from Microsoft's Sysinternals suite, to manage devices on their networks. Mark Russinovich originally wrote it to give administrators remote command execution on every system in an environment. The same capability is attractive to attackers and red teams, and PsExec-style modules are now part of post-exploitation frameworks such as Metasploit and PowerShell Empire. In this blog, we discuss threat hunting for one derivative of PsExec: PAExec.

PAExec lets you launch Windows programs on remote Windows computers without first installing software on the remote computer. Its versatility and ease of use make it a favorite for attackers, and common red team tools such as Cobalt Strike and Metasploit each provide PAExec-style capabilities. Attackers most often use PAExec for lateral movement. It has been observed in destructive and ransomware campaigns such as Shamoon 2 (a disk wiper) and Thanos (ransomware), as well as in multiple other intrusions. With the attack surface of a corporate environment growing constantly, it is crucial to understand how PAExec works and to have detection for it.

How PAExec Works

PAExec is a simple but powerful tool that relies on the SMB protocol. It copies an executable to the hidden ADMIN$ share and then uses the Windows Service Control Manager (SCM) API to start it as a service. The service communicates with the PAExec client over named pipes. The tool can target the local machine or remote machines, and it can run the remote process under the SYSTEM account or under a different user's credentials, so an operator with local administrator rights on the target effectively acts as a fully privileged user there.

On the target, the uploaded PAExec binary runs as a service (PAEXECSVC) with administrative privileges and acts as a wrapper around the requested program. It launches the specified executable (cmd.exe in our example) on the remote system (note that the binary you wish to execute must already be present on the target) and redirects the process's standard input and output back and forth between the two hosts via named pipes. Let us look at the behavior of this tool in more detail:

1. The tool first opens an SMB session, authenticating with the supplied credentials (Figure 1). If it fails to create a file in the ADMIN$ share, it falls back to writing the executable to the IPC$ share.

Figure 1: Unsuccessful attempts at connecting to the ADMIN$ Share

2. As is evident from Figure 1, the Tree Connect response for ADMIN$ is ACCESS_DENIED, so the tool instead connects to the default IPC$ share (the inter-process communication share that also carries the named pipes used later; it is ADMIN$, not IPC$, that maps to C:\Windows) over SMB (Figure 2) and uploads an executable named PAExec-<pid>-<hostname>.exe. The variable part of the name is generated at run time: the integer is the process ID of the PAExec client and the suffix is the computer name of the host that launched it, which makes the file name itself a useful hunting artifact.

Figure 2: Successful file write within the IPC$ share

3. Next, the tool opens a handle to \\<target>\pipe\svcctl to communicate with the Service Control Manager (SCM). This lets PAExec create, start and stop services remotely, among other things. The calls use the SVCCTL interface (MS-SCMR), which is carried over DCE/RPC to the svcctl pipe; DCE/RPC in turn rides on SMB, as illustrated in Figure 3.

Figure 3: Tree connect successful to IPC$ Share

4. Finally, CreateService is invoked with the uploaded PAExec-<pid>-<hostname>.exe as the service binary, followed by a StartService call that launches it. This is shown in Figure 4.

Figure 4: Communication with the SCM

As shown in Figure 4, the attacking machine also issues multiple SMB GetInfo requests against the target's IPC$ share while the command executes.
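The four steps above form a sequence that can be correlated on the wire: a file matching the PAExec naming scheme is written to an administrative share, and shortly afterwards the same client talks to the SCM over the svcctl pipe. The following Python script is an added example written for this post, not part of the original article or of any Awake product; it runs over a constructed list of flattened, Zeek-style SMB and DCE/RPC records (the field names, IP addresses and the `hostnames` inventory are assumptions for the example) and raises an alert only when both halves of the sequence occur between the same pair of hosts inside a time window.

```python
"""Correlate SMB and DCE/RPC events into a PAExec-style lateral-movement alert.

Hunts for the sequence described above: an executable named
PAExec-<pid>-<host>.exe is written to ADMIN$ (or IPC$ as a fallback), then the
same client uses the svcctl pipe to create and start a service.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# PAExec names its service binary PAExec-<source PID>-<source computer name>.exe
PAEXEC_NAME = re.compile(r"^PAExec-(?P<pid>\d+)-(?P<host>[^\\/]+)\.exe$", re.IGNORECASE)
ADMIN_SHARES = {"ADMIN$", "IPC$", "C$"}
SVCCTL_OPS = {"CreateServiceA", "CreateServiceW", "StartServiceA", "StartServiceW"}


@dataclass
class Alert:
    src: str
    dst: str
    share: str
    binary: str
    source_pid: int
    source_host: str
    svcctl_ops: List[str]
    host_mismatch: Optional[bool] = None  # None when no hostname inventory was given


def parse_paexec_name(name: str):
    """Return (pid, host) embedded in a PAExec service-binary name, or None."""
    m = PAEXEC_NAME.match(name)
    if not m:
        return None
    return int(m.group("pid")), m.group("host")


def correlate(events: Iterable[dict], window: float = 60.0,
              hostnames: Optional[Dict[str, str]] = None) -> List[Alert]:
    """Pair PAExec binary writes with svcctl create/start calls from the same client.

    `events` are flattened, Zeek-style records (a constructed format for this example):
      {"type": "smb_file", "ts", "src", "dst", "share", "action", "name"}
      {"type": "dce_rpc",  "ts", "src", "dst", "endpoint", "operation"}
    `hostnames` optionally maps a client IP to its expected computer name, so a
    binary carrying a different host name than its SMB client can be flagged.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    alerts: List[Alert] = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for w in evs:
            if w["type"] != "smb_file" or w.get("action") != "write":
                continue
            if w.get("share", "").upper() not in ADMIN_SHARES:
                continue
            parsed = parse_paexec_name(w["name"])
            if parsed is None:
                continue
            pid, host = parsed
            # SCM activity from the same client shortly after the binary was staged
            ops = [e["operation"] for e in evs
                   if e["type"] == "dce_rpc" and e.get("endpoint") == "svcctl"
                   and e["operation"] in SVCCTL_OPS
                   and w["ts"] <= e["ts"] <= w["ts"] + window]
            if not ops:
                continue  # binary staged but no service created: not enough to alert on here
            mismatch = None
            if hostnames is not None and src in hostnames:
                mismatch = hostnames[src].upper() != host.upper()
            alerts.append(Alert(src, dst, w["share"].upper(), w["name"], pid, host, ops, mismatch))
    return alerts


# Constructed sample traffic: one PAExec run from 10.0.0.5 to 10.0.0.10, plus benign noise.
SAMPLE_EVENTS = [
    {"ts": 100.0, "type": "smb_tree", "src": "10.0.0.5", "dst": "10.0.0.10", "share": "ADMIN$", "status": "ACCESS_DENIED"},
    {"ts": 100.2, "type": "smb_tree", "src": "10.0.0.5", "dst": "10.0.0.10", "share": "IPC$", "status": "SUCCESS"},
    {"ts": 100.4, "type": "smb_file", "src": "10.0.0.5", "dst": "10.0.0.10", "share": "IPC$", "action": "write", "name": "PAExec-4812-ATTACKER-WS.exe"},
    {"ts": 100.9, "type": "dce_rpc", "src": "10.0.0.5", "dst": "10.0.0.10", "endpoint": "svcctl", "operation": "CreateServiceW"},
    {"ts": 101.0, "type": "dce_rpc", "src": "10.0.0.5", "dst": "10.0.0.10", "endpoint": "svcctl", "operation": "StartServiceW"},
    {"ts": 200.0, "type": "smb_file", "src": "10.0.0.7", "dst": "10.0.0.10", "share": "ADMIN$", "action": "write", "name": "hotfix.msu"},
    {"ts": 300.0, "type": "dce_rpc", "src": "10.0.0.8", "dst": "10.0.0.10", "endpoint": "svcctl", "operation": "QueryServiceStatus"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, hostnames={"10.0.0.5": "ATTACKER-WS"}):
        print(f"PAExec: {a.src} -> {a.dst} staged {a.binary} on {a.share}; "
              f"svcctl ops {a.svcctl_ops}; source pid {a.source_pid}, host {a.source_host}")
```

The script deliberately does not alert on a PAExec-named file alone or on svcctl calls alone: administrators copy files to ADMIN$ and query service status all day, and it is the combination between one pair of hosts that is characteristic. The PID and computer name pulled from the file name tell you which process and which machine launched the tool, which is useful when pivoting to the source host during the investigation.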

Threat Hunting using Awake

Attacks of this type can be difficult to detect on the network, since most of the activity is local command execution on the target. However, the staging and service-creation steps described above leave a small set of network artifacts that reliably expose the exploitation phase.

Understanding these network behaviors is key to identifying the use of PAExec. The Awake Security Platform provides an abstraction layer that parses SMB named-pipe messages and SVCCTL protocol data, which helps an analyst identify the svcctl communications and map PAExec-related traffic between the pairs of devices involved.

Figure 5: Detecting PAExec on the Network

As observed in Figure 5, the Awake platform detects the PAExec binary being written to the hidden share. From there, the analyst can pivot into the other network heuristics related to this activity and examine the behavior of the binary executed on the target machine.

The Awake platform hunts for tools of this nature using the adversarial modeling language as shown in Figure 6.

Figure 6: Hunting for PAExec using Awake

Situations

When the Awake platform identifies such suspicious behavior on the network (MITRE ATT&CK T1569.002, Service Execution, over T1021.002, SMB/Windows Admin Shares), it creates a graphical representation of the attack as shown in Figure 7, here demonstrating that a Windows device reached out to the organization's domain controller in an attempt to execute PAExec.

Figure 7: Awake Situation with PAExec detected in the environment

Remediation

The network heuristics explained above should be turned into fingerprints for any PAExec-like activity in the environment: a write to ADMIN$ or IPC$ of a binary matching PAExec-<pid>-<hostname>.exe, followed by svcctl traffic from the same client. On the host side, the same activity appears as a new service installation (System log Event ID 7045, or Security log Event ID 4697 where service auditing is enabled) whose image path points at that binary. To reduce the attack surface for this technique, remote execution rights and access to the administrative shares should be restricted to the system administrators who actually need them.

Mihir Shah

Threat Researcher