Detecting Impacket Psexec.py

cY83rR0H1t
4 min read · Apr 30, 2024

psexec.py is a Python script in the Impacket collection that enables remote command execution on Windows machines. In simpler terms, it lets an operator run programs on another computer over the network, typically by abusing a reachable administrative share together with administrative credentials.

Method 1:

Detecting Impacket psexec.py via Event ID 4697 (a service was installed in the system).

Running processes:
Whenever psexec.py runs, it installs a service whose binary has a random 8-letter name, for example:

DVhpdQEd.exe (random process name)
qNRQjiuF.exe (random process name)
The file is dropped in C:\Windows\ (referenced in the service configuration as %systemroot%).

Logs captured in the QRadar SIEM:

Service Type 0x10: SERVICE_WIN32_OWN_PROCESS - service that runs in its own process.
Service Start Type 3: SERVICE_DEMAND_START - manual startup.

[Figures: QRadar logs, QRadar alert generated, QRadar rule]

QRadar Detection Rule:

Detects execution of Impacket's psexec.py
and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
and when the event matches Event ID (custom) is any of 4697
and when the event matches Service Filename (custom) matches any of expressions %systemroot%\\[a-zA-Z]{8}\.exe
and when the event matches Service Start Type (custom) is any of 3
and when the event matches Service Type (custom) is any of 0x10
and when the event matches Service Name (custom) matches any of expressions ^[a-zA-Z]{4}$

Sigma Rule:

title: PsExec Impacket Execution
id: 6edbf34a-a28b-4caf-883b-6622bbac2dfc
status: stable
description: Detects the service installed by Impacket psexec.py (random 8-letter binary under %systemroot%, random 4-letter service name)
references:
    - https://github.com/fortra/impacket/blob/master/examples/psexec.py
author: Rohit Jain
date: 2024/04/29
tags:
    - attack.lateral_movement
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4697
        # regular-expression matches need the |re modifier, not |contains
        ServiceFileName|re: '%systemroot%\\[a-zA-Z]{8}\.exe'
        ServiceStartType: 3
        ServiceType: '0x10'
        ServiceName|re: '^[a-zA-Z]{4}$'
    condition: selection
falsepositives:
    - N/A
level: high

Method 2:

Detecting Impacket psexec.py via Event ID 5145 (a network share object was checked to see whether the client can be granted desired access).

What is RemCom: RemCom is a small (10KB UPX-packed) remote shell / telnet replacement that lets you execute processes on remote Windows systems, copy files to remote systems, process their output and stream it back. It allows the execution of remote shell commands directly with a full interactive console without having to install any client software. On local machines it is also able to impersonate, so it can be used as a silent replacement for the Runas command. psexec.py carries a RemCom-based service binary and relays the remote process's standard input, output and error over named pipes on the IPC$ share, which is the activity the 5145 rule below keys on.

[Figures: QRadar logs, QRadar alert generated]

QRadar Detection Rule:

Detects usage of Impacket psexec.py
and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
and when the event matches Event ID (custom) is any of 5145
and when the event matches Relative Target Name (custom) matches any of expressions (?i)remcom_std(err|in|out).*
and when the event matches Share Name (custom) is any of IPC$

Sigma Rule:

title: PsExec Impacket Execution
id: c0ab01f8-91ba-4a43-920d-de5637ab8fb5
status: experimental
description: Detects Impacket psexec.py RemCom named pipes (RemCom_stdin/stdout/stderr) accessed over the IPC$ share
author: Rohit Jain
date: 2024/04/29
tags:
    - attack.lateral_movement
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        # regular-expression match needs the |re modifier; the pipe alternatives go in a group, not a character class
        RelativeTargetName|re: '(?i)remcom_std(err|in|out)'
        ShareName|endswith: 'IPC$'
    condition: selection
falsepositives:
    - N/A
level: high
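To show how both rules behave on concrete records, here is an added example (not part of the original post or of Impacket) that applies the Method 1 and Method 2 logic in Python to a handful of constructed Security-log events. The event dictionaries, field values and pipe suffixes are made up for the demonstration; the field names follow the 4697/5145 event data (ServiceName, ServiceFileName, ServiceType, ServiceStartType, ShareName, RelativeTargetName).

```python
import re
from typing import Dict, List, Tuple

# Method 1 (Event ID 4697): random 8-letter service binary under %systemroot%,
# random 4-letter service name, manual start (3), own-process service (0x10).
SERVICE_FILE_RE = re.compile(r"^%systemroot%\\[a-zA-Z]{8}\.exe$", re.IGNORECASE)
SERVICE_NAME_RE = re.compile(r"^[a-zA-Z]{4}$")

# Method 2 (Event ID 5145): RemCom_stdin / RemCom_stdout / RemCom_stderr pipes on IPC$.
REMCOM_PIPE_RE = re.compile(r"remcom_std(err|in|out)", re.IGNORECASE)


def is_psexec_service_install(event: Dict[str, str]) -> bool:
    """Method 1: does this 4697 event look like an Impacket psexec.py service install?"""
    if event.get("EventID") != "4697":
        return False
    return (
        SERVICE_FILE_RE.match(event.get("ServiceFileName", "")) is not None
        and SERVICE_NAME_RE.match(event.get("ServiceName", "")) is not None
        and event.get("ServiceStartType") == "3"
        and event.get("ServiceType", "").lower() == "0x10"
    )


def is_remcom_pipe_access(event: Dict[str, str]) -> bool:
    """Method 2: does this 5145 event touch a RemCom_std* pipe on the IPC$ share?"""
    if event.get("EventID") != "5145":
        return False
    share = event.get("ShareName", "")
    target = event.get("RelativeTargetName", "")
    return share.upper().endswith("IPC$") and REMCOM_PIPE_RE.search(target) is not None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run both detections over a list of events; return (rule, evidence) pairs."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        if is_psexec_service_install(ev):
            alerts.append(("psexec_service_install", ev["ServiceName"]))
        elif is_remcom_pipe_access(ev):
            alerts.append(("remcom_pipe_access", ev["RelativeTargetName"]))
    return alerts


# Constructed sample events (not real telemetry). Only the first and third should fire.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # psexec.py-style service install: 4-letter name, 8-letter binary, demand start, own process
        "EventID": "4697", "ServiceName": "NvLD",
        "ServiceFileName": r"%systemroot%\DVhpdQEd.exe",
        "ServiceType": "0x10", "ServiceStartType": "3",
    },
    {   # legitimate agent install: descriptive name, full path, auto start
        "EventID": "4697", "ServiceName": "BackupAgent",
        "ServiceFileName": r"C:\Program Files\Backup\agent.exe",
        "ServiceType": "0x10", "ServiceStartType": "2",
    },
    {   # RemCom stdout pipe opened on IPC$ (hostname/pid suffix is invented)
        "EventID": "5145", "ShareName": r"\\*\IPC$",
        "RelativeTargetName": "RemCom_stdoutWS011234",
    },
    {   # ordinary file access on an admin share: wrong share, no RemCom pipe
        "EventID": "5145", "ShareName": r"\\*\C$",
        "RelativeTargetName": r"Users\bob\report.docx",
    },
    {   # normal RPC pipe on IPC$: right share, but not a RemCom pipe
        "EventID": "5145", "ShareName": r"\\*\IPC$",
        "RelativeTargetName": "srvsvc",
    },
]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {evidence}")
```

The two benign 5145 records illustrate why the share and pipe-name conditions are ANDed: IPC$ traffic alone is constant on any domain, and a RemCom-named pipe on a different share would be meaningless, so neither half of the rule is useful on its own.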


MSc Cybersecurity | Cybersecurity researcher | OSCP | CRTO | CRTP | eCPPTv2 | eJPT | Hack The Box player | CTF player