PSExec is part of the Sysinternals suite and is seen as a lightweight replacement for Telnet that allows you to execute processes on other systems. PsExec's most powerful uses include launching interactive command prompts on remote systems and remote-enabling tools (such as LPCONFIG) that otherwise do not have the ability to show information about remote systems. A remote attacker can use this tool as part of their process for propagating from host to host.
- A remote attacker infects an internal host in a victim’s network via an unspecified vulnerability.
- From the infected host, the attacker may download the Sysinternals suite and unpack this to retrieve the PSExec executable.
- The attacker utilizes PSExec to execute commands on the remote host.
- The remote machine responds with the results of the command.
The remote attacker must have access to the internal host.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
Recommendations for Mitigation
The attacker must have exploited some other entry vector to gain access to the local victim host. Ensure that all software on internet-facing hosts is up-to-date.