Threat hunting case study: PsExec intel471.com/blog/thre…
PsExec is a command-line utility that is part of Sysinternals, a suite of management tools for Microsoft Windows. PsExec has a variety of capabilities, including allowing administrators to install and execute programs on remote machines and to remotely create accounts. It has also been incorporated into threat groups’ tactics, techniques and procedures (TTPs), including replaying hashed passwords and escalating system privileges.
Because it is often present on Windows systems, PsExec is an attractive tool for threat actors: it is not inherently malware, so its use is less likely to raise security alarms. This tactic of using native Windows binaries for malicious activity is referred to as “living off the land.” PsExec has been used by at least 30 different threat groups, including Volt Typhoon, a China-based state-sponsored group; Berserk Bear, a Russian state-sponsored group; and most recently Fog ransomware, a financially motivated cybercriminal group that appeared in early 2024.
This post demonstrates a few ways to conduct threat hunts to look for artifacts associated with potentially malicious use of PsExec and similar tools, such as Impacket and Metasploit’s PsExec module.
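One concrete hunt for the artifacts mentioned above, added here as an example and not code from the Intel 471 post: the Sysinternals PsExec, Impacket psexec.py and Metasploit psexec module all register a temporary Windows service on the target, which shows up as Event ID 7045 in the System log. The records below are constructed, the field names follow the 7045 event data, and the naming heuristics (PSEXESVC, a binary served from the ADMIN$ share, 4- or 8-letter random names) are assumptions about default tool behaviour rather than anything the post states.

```python
import re
from dataclasses import dataclass

# Constructed records modelled on Windows System log Event ID 7045
# ("A service was installed in the system"); field names follow the event data.
SAMPLE_7045 = [
    {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ServiceName": "ejXW", "ImagePath": r"\\127.0.0.1\ADMIN$\pQwLzRtk.exe"},
    {"ServiceName": "gOkHeTwL", "ImagePath": r"%SYSTEMROOT%\gOkHeTwL.exe"},
    {"ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
]

# Heuristic (assumption): Impacket's psexec.py and Metasploit's psexec module
# build service and binary names from random ASCII letters, 4 or 8 long by default.
RANDOM_ALPHA = re.compile(r"^[A-Za-z]{4}$|^[A-Za-z]{8}$")


@dataclass(frozen=True)
class Finding:
    service: str
    image: str
    reason: str


def _exe_stem(image_path: str) -> str:
    """Return the service binary's file name without its .exe suffix."""
    base = image_path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base[:-4] if base.lower().endswith(".exe") else base


def hunt_service_installs(records) -> list:
    """Flag 7045 records that look like PsExec-style remote service installs."""
    findings = []
    for rec in records:
        name = rec.get("ServiceName", "")
        image = rec.get("ImagePath", "")
        stem = _exe_stem(image)
        if name.upper() == "PSEXESVC" or stem.upper() == "PSEXESVC":
            findings.append(Finding(name, image, "Sysinternals PsExec service (PSEXESVC)"))
        elif "\\ADMIN$\\" in image.upper():
            findings.append(Finding(name, image, "binary staged via ADMIN$ share (Impacket psexec.py pattern)"))
        elif RANDOM_ALPHA.match(name) and RANDOM_ALPHA.match(stem):
            findings.append(Finding(name, image, "random-looking service and binary names (Metasploit/Impacket pattern)"))
    return findings


if __name__ == "__main__":
    for f in hunt_service_installs(SAMPLE_7045):
        print(f"{f.service:10} {f.image:40} {f.reason}")
```

The PSEXESVC match only catches a default run; PsExec's -r option renames the service, which is why the name-pattern and ADMIN$ checks matter, and each hit still needs the originating account and source host from the same event to confirm it is not an administrator's own job.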