Many organizations have been shoring up their defenses against ransomware threats lately. With attacks on the rise, a successful breach is now often seen as an inevitability. Though, with the help of the Infection Monkey, you don’t need to wait until ransomware targets you to validate your protection strategy.
There is an entire module in the Monkey focused on ransomware you can go bananas with it on your network. However, this post will focus on testing your preparedness against a specific tactic that’s popular with threat actors today.
Since PsExec lets users execute processes on other machines, it’s extremely useful (to bad actors) when it comes to propagating malware. Proving you can spot this activity and mitigate it should be a crucial part of your security posture.
We’ll walk through using the Monkey to simulate this tactic in your environment so you can validate the response of your tools and teams.
I Don’t See PSExec in The List of Infection Monkey Exploits...
Nope, it doesn’t exist! However, the Infection Monkey can still easily simulate this use case for you. We just need to make use of another Infection Monkey staple for this situation — the SMB exploiter.
The SMB exploiter uses the same methods of upload and execution as PSExec would, with files uploaded to the ADMIN$ share. Additionally, it uses \\client\pipe\svcctl pipe to talk to the Service Control Manager (SCM), which gives the Infection Monkey the ability to create and start/stop services remotely or execute binaries just like PSExec.
The ports used by both are the same as well:
Ready to test if you are vulnerable to a PSExec exploit?
Configure The Infection Monkey
For this use case, you can either use the ransomware scenario or run a custom scenario. Exploiting PSExec is a prevalent ransomware tactic, however. Consequently, if you are specifically interested in validating your security posture against that threat type, we encourage you to use the corresponding option in your testing.
Once you’ve downloaded the latest version of the Infection Monkey, you’re ready to go! The SMB exploit and all other safe exploits are enabled by default. However, there are a few settings you can adjust as an optional step. If you click on the configuration tab in the menu, you can further change the Monkey’s behavior so the simulation better meets your needs.
In the configuration section, you can also feed the Monkey any credentials you’d like it to use in the attack — mimicking a bad actor who got their paws on a set of stolen usernames and passwords. Don’t be scared to use real credentials to simulate a real-world scenario; most attacks start with a successful phishing campaign or another credential leak. This information is only shared with Monkey agents, and you can clear it at any time.
Running The SMB Exploit
Once you pick a scenario and set your configuration, release the Monkey by clicking ‘Run Monkey’!
In the background, the Infection Monkey will attempt to propagate. The hardworking primate will use the SMB exploiter and the provided credentials to brute-force into network shares the same way malicious actors would do with PSExec.
When a machine is breached, the Infection Monkey agent will attempt to open an SMB session with the credentials available to it and access the default share. If successful, it will upload a .exe file, emulating a bad actor distributing malware.
Next, it will attempt to execute the file using an open handle to \\client\pipe\svcctl to talk to the Service Control Manager (SCM). If left unprotected, the Monkey will gain the ability to create and start/stop services remotely, among other things—confirming you are vulnerable to a PSExec exploit scenario.
The SVCCTL packets seen in the screenshot are using an SCM Remote Protocol, which goes on top of RPC, which then relies on SMB.
PSExec’s licensing doesn’t allow it to be distributed as a part of open source projects like the Infection Monkey. Because of this, we take a slightly different approach, and It’s important to know there are some minor differences between Infection Monkey’s SMB exploiter and the inner working of PSExec:
- SMB exploiter uploads the Infection Monkey binary whereas PSExec uploads PSExec.exe from sysinternals
- There are slight differences in call sequence and functions called—SMB exploiter calls OpenSCManagerW while PSExec doesn’t
- SMB exploiter starts by opening srvsvc named pipe to enumerate shares on the server
Though the fundamentals are the same and more than enough to test for a general PSExec exploit vulnerability, the discrepancies in call sequence and the functions called might trigger your behavioral anti-virus tools differently.
Reviewing Your Results
If the Infection Monkey successfully used the SMB exploit in your environment, you’ll see the details in either your general security or ransomware report. If it appears as an identified threat, it means your current environment is susceptible to lateral movement via SMB protocol. These results are a good indication of how far a malicious actor could spread in your network with PsExec if he got access to the same credentials.
With ransomware on the rise, it’s recommended you address this security gap quickly if discovered. Solutions that limit lateral movement and place granular security controls around communication flows can go a long way in helping you stop this tactic and break the kill chain in a ransomware attack.
Whatever remediation approach you choose, be sure to rerun the Monkey after your changes. It will help you validate the strategy you select so you can ensure you’re ready when a real attack occurs.