
Suspicious Remote Execution

Attack Behaviors Covered/Model Purpose

Suspicious Remote Execution (SRE) is designed to identify attackers utilizing remote execution tools such as PSEXEC, smbexec, winexec, the remote scheduler (AT), wmiexec, etc. The focus of this algorithm is on attacker behaviors which allow remote execution using RPC. It looks for the foundational underlying activity of these remote execution mechanisms regardless of how they are executed (e.g. native tools, custom tools, in-memory tools, etc.).

 

By using unsupervised local machine learning to understand the use of remote execution via RPC in an individual environment, the detection model is able to discover suspicious RPC events. As a consequence, the model acts similarly to a security analyst given the sole responsibility of understanding remote execution use within your environment, auditing use of remote execution, and escalating an alert when something unusual is observed.

 

Why is this coverage important?

Once attackers have a foothold within an environment through a single compromised system, they will look to expand their access within the network using credentials stolen from the compromised system.

 

This expansion of the attack within the environment will primarily rely on remote execution options that are available to the attacker. These methods are preferred over exploitation of vulnerabilities since they can use existing infrastructure and are much less complex, resulting in a higher chance of success. Attackers can opt to utilize native tools (live off the land), custom built tools, and/or in-memory tools. Remote execution using these approaches can add a layer of stealth, since these types of activities can be difficult to monitor on endpoints and are not uncommon for system administrators and/or management solutions to use within environments.

 

The detection model uses local machine learning to build an understanding of typical/authorized activities, to better distinguish activities which are unusual for the environment. This absolves your analyst team from the tedious task of auditing all remote execution activity within your environment.

Contents of the Detection Page


Red with Exclamation Mark:

Unusual element within an activity as compared to learned behavior

UUID:

The RPC UUID for which a detection is occurring

Suspicious Sessions:

The number of suspicious sessions seen from the source using a given UUID

SMB Named Pipe:

Identifies what SMB named pipe was used. This field is unavailable if SMB was not used for RPC activity (e.g. WMI remote execution activity).

Executed Function:

The RPC function(s) that were called as part of the suspicious remote execution event.

Normal Account/Source Host/Target Host:

The accounts, source hosts, or targets that are typically associated with the RPC UUID, to be used in comparison with the unusual element noted by the red exclamation mark.

 

How to Interpret Detection Details

This detection uses local learning to identify the following normal behaviors, specific to your environment:

  • Users and the systems they normally perform remote execution from
  • Clients and the servers they normally perform remote execution against
  • Servers and the users that normally perform remote execution against them

Additional logic occurs in the background. After a baseline of local learning on these parameters is built, anomalies to these learned activities will be alerted on. Baselining takes approximately 10 days. Learning is ongoing. Authorized behavior that may not have taken place during the initial learning period but happens frequently enough will generate detection events at first but will eventually be learned by the algorithm as normal. The learning mechanism is constructed to slowly forget old behaviors that do not recur.
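To make the three learned relationships and the learn/forget dynamics concrete, here is a simplified, added example. It is not Vectra's model or code: the daily decay factor, the "learned" threshold, and every user, host and day on the timeline are assumed and constructed for illustration. It replays a month of RPC remote execution events, flags nothing during the baseline window, then reports which of the three relationships (user to source host, source host to target host, target host to user) is unusual for each later event, and shows a new admin being learned after a few days and an idle pattern being forgotten.

```python
"""Illustrative local-learning baseline for RPC remote execution.

Added example, not Vectra's model. Each of the three relationships the article
lists (user->source host, source host->target host, target host->user) gets a
decaying weight: every observation adds 1.0, and all weights are multiplied by
DECAY for each day that passes, so relationships that stop recurring are slowly
forgotten. After BASELINE_DAYS, an event whose relationship weight is below
LEARNED_THRESHOLD is reported as unusual. Users, hosts and days are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

BASELINE_DAYS = 10        # article: baselining takes roughly 10 days
DECAY = 0.9               # per-day forgetting factor (assumed value)
LEARNED_THRESHOLD = 3.0   # weight at which a relationship counts as normal (assumed)


@dataclass(frozen=True)
class RpcExecEvent:
    day: int        # day number on the constructed timeline
    user: str
    src_host: str
    dst_host: str


class RemoteExecBaseline:
    RELATIONS = ("user->src", "src->dst", "dst->user")

    def __init__(self):
        self.weights = {r: defaultdict(float) for r in self.RELATIONS}
        self.last_day = 0

    @staticmethod
    def keys(ev):
        return {
            "user->src": (ev.user, ev.src_host),
            "src->dst": (ev.src_host, ev.dst_host),
            "dst->user": (ev.dst_host, ev.user),
        }

    def _age(self, day):
        """Apply the daily decay for every day elapsed since the last event."""
        elapsed = day - self.last_day
        if elapsed > 0:
            factor = DECAY ** elapsed
            for table in self.weights.values():
                for key in table:
                    table[key] *= factor
            self.last_day = day

    def observe(self, ev):
        """Learn from one event; return the relationships that were unusual."""
        self._age(ev.day)
        keys = self.keys(ev)
        unusual = []
        if ev.day > BASELINE_DAYS:
            unusual = [r for r, k in keys.items()
                       if self.weights[r][k] < LEARNED_THRESHOLD]
        for r, k in keys.items():
            self.weights[r][k] += 1.0
        return unusual


def constructed_timeline():
    events = []
    # Days 1-10: alice administers FILESRV01 from her admin workstation daily.
    events += [RpcExecEvent(d, "alice", "ADMIN-WS01", "FILESRV01") for d in range(1, 11)]
    # Day 11: a known pattern, a never-seen user/host pair, and a known admin
    # reaching a new target from her usual workstation.
    events.append(RpcExecEvent(11, "alice", "ADMIN-WS01", "FILESRV01"))
    events.append(RpcExecEvent(11, "bob", "WS-0042", "FILESRV01"))
    events.append(RpcExecEvent(11, "alice", "ADMIN-WS01", "DC01"))
    # Days 12-16: a new admin starts working FILESRV01 daily (authorized, but
    # absent from the baseline window).
    events += [RpcExecEvent(d, "carol", "ADMIN-WS02", "FILESRV01") for d in range(12, 17)]
    # Day 40: alice returns after roughly a month of inactivity.
    events.append(RpcExecEvent(40, "alice", "ADMIN-WS01", "FILESRV01"))
    return events


def simulate(events=None):
    """Replay events in day order; map (day, user, src, dst) -> unusual relations."""
    model = RemoteExecBaseline()
    results = {}
    for ev in sorted(events or constructed_timeline(), key=lambda e: e.day):
        results[(ev.day, ev.user, ev.src_host, ev.dst_host)] = model.observe(ev)
    return results


if __name__ == "__main__":
    for key, unusual in simulate().items():
        if unusual:
            print(f"day {key[0]:>2}: {key[1]}@{key[2]} -> {key[3]}: unusual {unusual}")
```

With these assumed parameters the run prints nothing for days 1 to 10, flags bob's never-seen pair on all three relationships on day 11, flags only the two target-side relationships when alice reaches DC01, reports carol for four days before treating her as normal, and flags alice again on day 40 because her weights have decayed below the threshold. The "learn after a few repeats" and "forget after a long gap" behaviours both follow from the single decaying-weight rule.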

 

Different remote execution tools will use different combinations of RPC over SMB and pure DCERPC depending on how they are implemented. Consequently, the presence or absence of SMB may be a critical consideration when looking at the detection.

 

Many of the most common tools used will have a consistent set of SMB Named Pipe (if relevant), RPC UUID and relevant execution related RPC function calls. With that in mind, the following table presents these details for frequently encountered tools to aid in assessment of the source of activity in a Suspicious Remote Execution detection:

 

Tool                          | SMB Named Pipe(s)*       | RPC UUID(s)             | Relevant RPC Function Call(s)
------------------------------|--------------------------|-------------------------|-------------------------------------------------------------------------
Sysinternals PSEXEC           | n/a                      | Service Control Manager | CreateService (opnums 12, 24, 44 or 64); StartService (opnums 19 or 31)
Impacket PSEXEC               | Default: svcctl          | Service Control Manager | CreateService (opnums 12, 24, 44 or 64); StartService (opnums 19 or 31)
Metasploit PSEXEC             |                          |                         |
Impacket smbexec              | Default: svcctl (SMBv1)  | Service Control Manager | CreateService (opnums 12, 24, 44 or 64); StartService (opnums 19 or 31)
Impacket winexec              |                          |                         |
Impacket wmiexec              | n/a                      | IWbemServices           | ExecMethod (opnum 24)
Impacket wmipersist           | n/a                      | IWbemServices           | PutInstance (opnum 14)
Windows AT / Impacket atexec  | ATSVC                    | ITaskSchedulerService   | JobAdd (opnum 0)

*SMB Named Pipe for RPC activity only – secondary non-RPC named pipes may also be present

 

Potential Detections of Authorized Behavior

  • Administrators bouncing services
  • Administrators using new tools/techniques
  • Administrators working on a new system/set of systems
  • New endpoint management servers

Authorized behavior may be detected when legitimate administrators change the nature of their work, such as accessing new systems or accessing existing systems in a new way, or when a new systems management tool that utilizes remote execution capabilities is implemented within an environment.

 

However, administrative credentials can often be used by attackers, both from their normal system and from other compromised systems. Consequently, even well-known administrative accounts performing remote execution from their expected hosts but accessing new systems or systems in a new way should be considered for validation.

 

Response Steps

  • Determine whether the internal host in question should be using remote execution RPCs
  • Determine whether the user account flagged in the detection is one with administrative privileges and whether that administrator logged into the host which triggered the detection
  • Determine whether the user account flagged in the detection is a service account associated with a specific product and whether that product should be running on the host which triggered the detection
  • Determine which process on the internal host is initiating the requests that include the RPC request; on Windows systems, this can be done using a combination of the netstat and tasklist commands
  • Verify that the process should be running on the internal host and whether the process is configured correctly
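The netstat/tasklist step above, as an added example that is not part of the article or of any Vectra tooling: a parser for the output of `netstat -ano` and `tasklist /FO CSV` that joins the two on PID and keeps only established connections to RPC-related remote ports. The sample output, process names and addresses are constructed; the port set (135, 445) and the default Windows dynamic RPC port range are assumptions of this example, and the PID 4 caveat reflects that SMB sessions on Windows are owned by the kernel SMB client rather than the requesting process.

```python
"""Map RPC/SMB connections on a Windows host back to the initiating process.

Added example, not part of the article. It parses the text that `netstat -ano`
and `tasklist /FO CSV` print on Windows and joins the two on PID, which is the
manual procedure the response step describes. The sample output below is
constructed; against a real host, feed the two commands' stdout in instead.
"""
import csv
import io

# Remote ports to attribute: DCERPC endpoint mapper (135), SMB (445), and the
# default Windows dynamic RPC port range used after endpoint resolution (assumed).
RPC_PORTS = {135, 445}
DYNAMIC_RPC_RANGE = (49152, 65535)

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.15:49731        10.0.0.20:445          ESTABLISHED     4
  TCP    10.0.0.15:49732        10.0.0.21:135          ESTABLISHED     5212
  TCP    10.0.0.15:49735        10.0.0.21:49670        ESTABLISHED     5212
  TCP    10.0.0.15:49740        10.0.0.30:443          ESTABLISHED     3104
  TCP    [::1]:49741            [::1]:445              ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1456
"""

TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","912","Services","0","12,000 K"
"chrome.exe","3104","Console","1","210,000 K"
"unknown_tool.exe","5212","Console","1","45,112 K"
"""


def parse_netstat_ano(text):
    """Return dicts for the TCP rows of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header, blank lines and UDP rows (4 fields) are skipped
        _proto, local, remote, state, pid = parts
        rhost, rport = remote.rsplit(":", 1)   # rsplit copes with [::1]:445
        rows.append({"local": local, "remote_host": rhost,
                     "remote_port": int(rport), "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Return {pid: image name} from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def is_rpc_port(port):
    low, high = DYNAMIC_RPC_RANGE
    return port in RPC_PORTS or low <= port <= high


def rpc_initiators(netstat_text, tasklist_text):
    """Established outbound RPC/SMB connections with the owning process name."""
    procs = parse_tasklist_csv(tasklist_text)
    hits = []
    for row in parse_netstat_ano(netstat_text):
        if row["state"] != "ESTABLISHED" or not is_rpc_port(row["remote_port"]):
            continue
        image = procs.get(row["pid"], "<not in tasklist>")
        # SMB sessions are opened by the kernel SMB client and therefore show
        # PID 4 (System); the real initiator must then be found from SMB session
        # or open-file data on the host, not from netstat alone.
        note = "kernel SMB client; attribute via SMB session data" if row["pid"] == 4 else ""
        hits.append({**row, "image": image, "note": note})
    return hits


if __name__ == "__main__":
    for h in rpc_initiators(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"pid {h['pid']:>5} {h['image']:<20} -> "
              f"{h['remote_host']}:{h['remote_port']} {h['note']}")
```

On the constructed sample this attributes the endpoint-mapper connection and the follow-on dynamic-port connection to the same non-standard process, while the two SMB connections come back as PID 4 and are marked for follow-up through SMB session data. The 443 connection and the listening socket are excluded because they are not outbound RPC activity.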