Scenario

An alert from the Intrusion Detection System (IDS) flagged suspicious lateral movement activity involving PsExec. This indicates potential unauthorized access and movement across the network. As a SOC Analyst, your task is to investigate the provided PCAP file to trace the attacker’s activities. Identify their entry point, the machines targeted, the extent of the breach, and any critical indicators that reveal their tactics and objectives within the compromised environment.

**https://cyberdefenders.org/blueteam-ctf-challenges/psexec-hunt/**


First, let’s understand what PsExec is. It is a Sysinternals command-line tool that lets an administrator run programs on remote Windows systems, using the SMB protocol as its transport.

But how does it work?

  1. It opens an SMB session to the target system using credentials that hold local administrator rights there.
  2. It copies its service binary, PSEXESVC.EXE, into the target’s ADMIN$ share (which maps to %SystemRoot%).
  3. It creates and starts a service for that binary through the Service Control Manager (the svcctl named pipe on IPC$), then exchanges the command’s input and output with PSEXESVC over named pipes on IPC$: a control pipe named PSEXESVC plus per-session stdin, stdout and stderr pipes.
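Those three steps are exactly what a hunter looks for in the capture: a write of PSEXESVC.EXE to ADMIN$, an open of the svcctl pipe, and opens of the PSEXESVC named pipes on IPC$. The script below is an added example (not part of the challenge or the original writeup) that runs that logic over tab-separated SMB2 CREATE records. The records are constructed for this example and are laid out like the output of `tshark -T fields -e ip.src -e ip.dst -e smb2.tree -e smb2.filename`; that invocation and the sample values are assumptions, not data from the challenge PCAP. It also pulls the PsExec client’s hostname and process ID out of the pipe name, since PsExec embeds the originating machine name and its own PID in the stdin/stdout/stderr pipe names.

```python
"""Hunt for the PsExec pattern in SMB2 CREATE records (added example)."""
import re
from collections import defaultdict

# Constructed sample rows: (src_ip, dst_ip, tree, filename). One host touches two
# targets; only the first target shows the full PsExec sequence.
_ROWS = [
    ("10.0.0.5", "10.0.0.20", r"\\10.0.0.20\ADMIN$", "PSEXESVC.exe"),
    ("10.0.0.5", "10.0.0.20", r"\\10.0.0.20\IPC$", "svcctl"),
    ("10.0.0.5", "10.0.0.20", r"\\10.0.0.20\IPC$", "PSEXESVC"),
    ("10.0.0.5", "10.0.0.20", r"\\10.0.0.20\IPC$", "PSEXESVC-ATTACKER01-4216-stdin"),
    ("10.0.0.5", "10.0.0.20", r"\\10.0.0.20\IPC$", "PSEXESVC-ATTACKER01-4216-stdout"),
    ("10.0.0.5", "10.0.0.20", r"\\10.0.0.20\IPC$", "PSEXESVC-ATTACKER01-4216-stderr"),
    ("10.0.0.5", "10.0.0.30", r"\\10.0.0.30\C$", "Finance\\report.docx"),
]
# Assumed format: tshark-style TSV, one SMB2 CREATE request per line.
SAMPLE_TSV = "\n".join("\t".join(r) for r in _ROWS) + "\n"

# Service binary dropped into ADMIN$ (case-insensitive, with or without a path).
_SERVICE_BINARY = re.compile(r"(^|\\)psexesvc\.exe$", re.I)
# Control pipe "PSEXESVC" or an I/O pipe "PSEXESVC-<client host>-<client pid>-std{in,out,err}".
_PIPE = re.compile(
    r"^psexesvc(?:-(?P<host>.+)-(?P<pid>\d+)-(?:stdin|stdout|stderr))?$", re.I
)


def parse_tsv(text):
    """Yield (src, dst, tree, filename) tuples, skipping frames with empty fields."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 4 and all(parts):
            yield tuple(parts)


def share_name(tree):
    r"""'\\10.0.0.20\ADMIN$' -> 'ADMIN$' (upper-cased)."""
    return tree.rstrip("\\").rsplit("\\", 1)[-1].upper()


def hunt_psexec(text):
    """Return {(src, dst): evidence} for each pair that dropped PSEXESVC.exe AND used its pipes."""
    stages = defaultdict(
        lambda: {"binary": False, "scm": False, "pipes": set(), "client": None}
    )
    for src, dst, tree, fname in parse_tsv(text):
        ev = stages[(src, dst)]
        share = share_name(tree)
        if share == "ADMIN$" and _SERVICE_BINARY.search(fname):
            ev["binary"] = True  # step 2: service binary copied to ADMIN$
        elif share == "IPC$":
            if fname.lower() == "svcctl":
                ev["scm"] = True  # step 3: service created/started via the SCM
            m = _PIPE.match(fname)
            if m:
                ev["pipes"].add(fname)  # step 3: PSEXESVC named pipes opened
                if m["pid"]:
                    # The pipe name carries the PsExec *client's* hostname and PID.
                    ev["client"] = (m["host"], int(m["pid"]))
    return {pair: ev for pair, ev in stages.items() if ev["binary"] and ev["pipes"]}


if __name__ == "__main__":
    for (src, dst), ev in hunt_psexec(SAMPLE_TSV).items():
        print(f"PsExec {src} -> {dst}: scm={ev['scm']} client={ev['client']} "
              f"pipes={sorted(ev['pipes'])}")
```

Requiring both the ADMIN$ drop and the IPC$ pipes keeps a lone file copy to ADMIN$ (routine admin activity) from firing; the svcctl open is recorded separately because PsExec-like tools that reuse an existing service skip it. On a real capture, replace SAMPLE_TSV with the tshark output for the PCAP and check every flagged pair against the session-setup frames to recover the account that was used.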

If you would like to read more about the tool, visit these sites:

Before diving into the questions, we know from the scenario that we’ll be dealing with the SMB protocol. I’ll explain it briefly, but if you already know how it works, feel free to skip to the questions.

SMB

1. Initiation of SMB Session

2. Session Setup and Negotiation