Introduction

In this lab, we investigate a network compromise flagged by an Intrusion Detection System (IDS) alert indicating suspicious lateral movement activity involving PsExec. PsExec is a powerful, legitimate administrative tool that attackers frequently abuse to execute commands remotely and move laterally across a network. Our task as SOC analysts is to analyze the provided PCAP file to trace the attacker's activities, identify their entry point, and understand how they traversed and compromised the network.

The investigation begins by identifying the initial access point, where the attacker leveraged SMB (Server Message Block) protocol over TCP to gain a foothold on the network. SMB, a protocol widely used for file sharing and resource access, becomes a key focus as we dissect its role in the attack. The attacker’s actions included negotiating SMB sessions, utilizing administrative shares such as ADMIN$, and installing the PsExec service executable, PSEXESVC.exe, on a compromised machine to enable remote execution.

As the investigation progresses, we uncover the attacker’s lateral movement tactics, including the use of compromised credentials and connections to the special IPC$ share for inter-process communication. We also identify the hostname of the compromised machine and trace a failed attempt to pivot further to another machine, shedding light on the attack’s extent and limitations. By analyzing SMB session data and NTLM authentication processes, we piece together the attacker’s methodology and highlight key indicators of compromise (IoCs).
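The SMB indicators described above (an ADMIN$ tree connect, a PSEXESVC.exe file write, IPC$ connections, and NTLM logon failures on the next hop) can be turned into simple detection logic. The following is an added example, not part of the lab material: it runs over constructed rows shaped like a tshark field export (ip.src, ip.dst, ntlmssp.auth.username, smb2.tree, smb2.filename, smb2.nt_status); the addresses, hostnames and user names are hypothetical.

```python
from collections import defaultdict

# NT status codes seen in SMB2 responses (values from the MS-ERREF spec).
STATUS_SUCCESS = 0x00000000
STATUS_LOGON_FAILURE = 0xC000006D

# CONSTRUCTED sample rows in the shape of a tshark field export:
# (ip.src, ip.dst, ntlmssp.auth.username, smb2.tree, smb2.filename, smb2.nt_status).
# Hosts, users and addresses are hypothetical, not from the lab PCAP.
SAMPLE_ROWS = [
    ("10.0.0.5", "10.0.0.20", "CORP\\svc_admin", "\\\\WS01\\IPC$", "", STATUS_SUCCESS),
    ("10.0.0.5", "10.0.0.20", "CORP\\svc_admin", "\\\\WS01\\ADMIN$", "PSEXESVC.exe", STATUS_SUCCESS),
    ("10.0.0.5", "10.0.0.20", "CORP\\svc_admin", "\\\\WS01\\IPC$", "svcctl", STATUS_SUCCESS),
    ("10.0.0.20", "10.0.0.21", "CORP\\svc_admin", "", "", STATUS_LOGON_FAILURE),
    ("10.0.0.7", "10.0.0.22", "CORP\\alice", "\\\\FS01\\Shared", "report.docx", STATUS_SUCCESS),
]

def find_psexec_activity(rows):
    """Group rows per (src, dst) pair and flag PsExec-style behaviour."""
    pairs = defaultdict(lambda: {"admin": False, "ipc": False, "svc": False,
                                 "failed": 0, "users": set(), "host": ""})
    for src, dst, user, tree, fname, status in rows:
        p = pairs[(src, dst)]
        p["users"].add(user)
        if status == STATUS_LOGON_FAILURE:
            p["failed"] += 1          # NTLM logon rejected: credential did not work here
            continue
        share = tree.rsplit("\\", 1)[-1].upper()          # "\\WS01\ADMIN$" -> "ADMIN$"
        if "\\" in tree:
            p["host"] = tree.strip("\\").split("\\")[0]   # hostname named in the UNC path
        p["admin"] |= share == "ADMIN$"
        p["ipc"] |= share == "IPC$"
        p["svc"] |= fname.upper() == "PSEXESVC.EXE"
    findings, compromised = [], set()
    for (src, dst), p in pairs.items():
        if p["admin"] and p["svc"]:   # service binary dropped via the admin share
            compromised.add(dst)
            findings.append({"type": "psexec_service_install", "src": src, "dst": dst,
                             "host": p["host"], "user": sorted(p["users"])[0],
                             "ipc_seen": p["ipc"]})
    for (src, dst), p in pairs.items():
        if p["failed"] and src in compromised:   # compromised host trying the next hop
            findings.append({"type": "failed_pivot", "src": src, "dst": dst,
                             "user": sorted(p["users"])[0], "attempts": p["failed"]})
    return findings

if __name__ == "__main__":
    for finding in find_psexec_activity(SAMPLE_ROWS):
        print(finding)
```

On real data, feed the function rows exported from the capture with `tshark -T fields`, converting the status column to an integer first.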
