CyberDefenders
An alert from the Intrusion Detection System (IDS) flagged suspicious lateral movement activity involving PsExec. This indicates potential unauthorized access and movement across the network. As a SOC Analyst, your task is to investigate the provided PCAP file to trace the attacker’s activities. Identify their entry point, the machines targeted, the extent of the breach, and any critical indicators that reveal their tactics and objectives within the compromised environment.
You can try it here: https://cyberdefenders.org/blueteam-ctf-challenges/psexec-hunt/
Identification
- Incident Title: PsExec Hunt Lab
- Date/Reported: 03-09-2025
- Reported by: Task Trainee, WE INNOVATE
- Description: During my training at WE INNOVATE, I was assigned a forensic analysis task involving the file psexec-hunt.pcapng. An alert generated by the Intrusion Detection System (IDS) flagged suspicious lateral movement activity associated with the use of PsExec. This suggested potential unauthorized access across multiple hosts within the network.
- Investigator: Abdelwahab Ahmed Shandy
Acquisition
- Evidence Collected: Packet Capture File (psexec-hunt.pcapng)
- Tool Used: Wireshark
Preservation
- I made a copy of the original file to maintain integrity:
sansforensics@as: ~/Downloads
$ cp psexec-hunt.pcapng Task-Day2.pcapng
sansforensics@as: ~/Downloads
$ md5sum psexec-hunt.pcapng
3b009a00b288eb0558f8e91879aeb4f6 psexec-hunt.pcapng
sansforensics@as: ~/Downloads
$ md5sum Task-Day2.pcapng
3b009a00b288eb0558f8e91879aeb4f6 Task-Day2.pcapng
- Hash (MD5): 3b009a00b288eb0558f8e91879aeb4f6
- Preservation: A verified copy of the original PCAP file was maintained to ensure forensic integrity.
Analysis
- Simply put, we need to check whether an attack was carried out using a tool called PsExec.
- First, we need to understand what PsExec is:
- PsExec is a tool from the Sysinternals suite (owned by Microsoft).
- Its function: it allows you to run commands or programs remotely on other devices on the network without opening an RDP session or logging into the device directly.
The first thing we can start with when doing an analysis in Wireshark:
1️⃣ Statistics > Protocol Hierarchy
- Here you'll see all the protocols present in the PCAP and the percentage of each.
- Reason: to see whether there are any abnormal protocols or a high percentage of a specific protocol (such as SMB); this could indicate that the attack was carried out through it.
2️⃣ Statistics > Conversations
- Here you'll see the conversations (connections) between devices: who talked to whom, the size of the data, and the number of packets.
- Reason: to help you identify which two devices are showing suspicious activity (such as an attacker communicating with multiple devices via SMB).
3️⃣ Statistics > Endpoints
- Here you'll see all the devices (IP addresses or MACs) that appeared in the capture.
- Reason: to identify the primary devices in the attack: the device that initiated the communication (the attacker) and the affected devices (the victims).
The highest traffic volume is on IP 10.0.0.130, so it may be the machine the attacker initially compromised, but I want to confirm that and show why it really is.
First: To effectively trace the attacker's activities within our network, can you identify the IP address of the machine from which the attacker initially gained access?
Let me ask a few questions:
- Who initiated the communications? (Initiation)
tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.src == 10.0.0.130
This filter shows all the connections that the device 10.0.0.130 initiated (sent the first SYN to open a connection). It lets us prove that 10.0.0.130 is the attacker, because it is the one that initiates SMB sessions with the other devices (10.0.0.133, 10.0.0.131).
1) Can you identify the IP address of the machine from which the attacker initially gained access?
- 10.0.0.130
📝 Why is 10.0.0.130 the attacker (the point from which the intrusion began)?
- Conversations: the largest conversation was between 10.0.0.130 ↔ 10.0.0.133 (over 38,000 packets); the next largest was with 10.0.0.131. This means that 10.0.0.130 is the one communicating with the other devices.
- Endpoints: the highest traffic volume was at 10.0.0.130, which indicates that it is the active device (performing operations on more than one target).
- TCP SYN filter: using tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.src == 10.0.0.130, we find that 10.0.0.130 is the one initiating connections to the other devices, evidence that it is the attacker, not a victim.
Second: To fully understand the extent of the breach, can you determine the hostname of the machine to which the attacker first pivoted?
📝 From the analysis:
- We saw that the attacker 10.0.0.130 first contacted device 10.0.0.133 (this was the first victim it moved to).
- tcp.flags.syn == 1 => the packet contains the SYN flag (the first step in the TCP connection establishment process, the handshake).
- tcp.flags.ack == 0 => the packet does not contain an ACK, so it is only the SYN that initiates the session.
- ip.src == 10.0.0.130 => the packet originates from device 10.0.0.130.
Now we need to find out the hostname of device 10.0.0.133:
- The first IP was 10.0.0.133.
- To get the hostname, I first used the filter:
ip.addr == 10.0.0.133 && (nbns || dns)
(parenthesised so that the host condition applies to both name-resolution protocols, since && binds tighter than || in Wireshark display filters). Nothing important appeared.
- Then I used the filter:
ip.addr == 10.0.0.130 && ntlmssp
(ip.addr rather than ip.src, so that the server's Session Setup Response carrying the challenge is included as well as the attacker's own messages).
NTLM Security Support Provider (NTLMSSP): it is part of the NTLM authentication protocol. It is used in the negotiation and authentication exchange between the client and the server. You can think of it as the messages or packets that carry the authentication steps.
📌 The relationship between SMB and NTLMSSP:
- SMB (Server Message Block) is the protocol that allows file, printer, and IPC sharing between devices.
- When an attacker uses a tool like PsExec or attempts a lateral move, they need to authenticate before they can access Admin$ or IPC$.
- That authentication exchange is carried inside the SMB2 Session Setup messages, and the hostname of the device the attacker has moved to is displayed there.
In SMB2 → Session Setup Response, we found NTLMSSP_CHALLENGE:
- The Target Name in this message is the hostname of the device the attacker attempted to pivot to.
2) Can you determine the hostname of the machine to which the attacker first pivoted?
- Sales-PC
Third: Knowing the username of the account the attacker used for authentication will give us insight into the extent of the breach. What is the username utilized by the attacker for authentication?
The username appears in the NTLMSSP_AUTHENTICATE phase of the SMB Session Setup.
That is, after 10.0.0.133 (SALES-PC) responds with the NTLMSSP_CHALLENGE message, the attacking machine (10.0.0.130) sends the NTLMSSP_AUTHENTICATE message.
The attacker's goal was to gain higher privileges, and that is what they actually obtained:
- The username appears together with the target hostname (SALES-PC) as its domain, which confirms that it is a local account with Admin rights.
- Also, PsExec only works when the account has Admin rights on the target.
3) What is the username utilized by the attacker for authentication?
- ssales
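Where exactly the hostname (Second) and the username (Third) sit inside those NTLMSSP messages, as an added example that is not part of the original write-up: a small parser for the MS-NLMP CHALLENGE and AUTHENTICATE layouts that reads back Target Name, Target Info and Domain/User Name the way Wireshark labels them, run over constructed messages rather than bytes from the capture. The DNS name sales-pc.example.local, the workstation name ATTACKER-WS and the dummy challenge/response bytes are assumptions; the same parser applies to any later challenge, such as the second pivot's.

```python
import struct

# MS-NLMP message types and the TargetInfo AV_PAIR ids that carry host names
NTLMSSP_CHALLENGE, NTLMSSP_AUTHENTICATE = 2, 3
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName"}
U = lambda s: s.encode("utf-16-le")  # with NEGOTIATE_UNICODE set, every string field is UTF-16LE
def _field(buf, off):  # resolve an 8-byte Len/MaxLen/BufferOffset descriptor into the bytes it points at
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]
def parse_av_pairs(blob):  # walk the TargetInfo AV_PAIR list until MsvAvEOL (id 0)
    pairs, pos = {}, 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        if av_id == 0:
            break
        if av_id in AV_NAMES:
            pairs[AV_NAMES[av_id]] = blob[pos + 4:pos + 4 + av_len].decode("utf-16-le")
        pos += 4 + av_len
    return pairs
def parse_ntlmssp(buf):  # extract what Wireshark shows: Target Name/Target Info, or Domain/User name
    if buf[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    if msg_type == NTLMSSP_CHALLENGE:  # descriptors: TargetName @12, TargetInfo @40
        return {"type": "CHALLENGE", "target_name": _field(buf, 12).decode("utf-16-le"),
                "target_info": parse_av_pairs(_field(buf, 40))}
    if msg_type == NTLMSSP_AUTHENTICATE:  # descriptors: DomainName @28, UserName @36, Workstation @44
        return {"type": "AUTHENTICATE", "domain": _field(buf, 28).decode("utf-16-le"),
                "user": _field(buf, 36).decode("utf-16-le"), "workstation": _field(buf, 44).decode("utf-16-le")}
    raise ValueError(f"unsupported NTLMSSP message type {msg_type}")
def build_ntlmssp(msg_type, items):  # lay out ("field", payload) / ("raw", fixed bytes) items in wire order
    head_len = 12 + sum(8 if kind == "field" else len(data) for kind, data in items)
    head, payload = b"NTLMSSP\x00" + struct.pack("<I", msg_type), b""
    for kind, data in items:
        if kind == "field":  # descriptor goes in the header, the bytes are appended to the payload
            head += struct.pack("<HHI", len(data), len(data), head_len + len(payload))
            payload += data
        else:
            head += data
    return head + payload

# Constructed samples (not capture bytes); the DNS name and the ATTACKER-WS workstation are placeholders
FLAGS = struct.pack("<I", 0x00000001 | 0x00800000)  # NEGOTIATE_UNICODE | NEGOTIATE_TARGET_INFO
TARGET_INFO = b"".join(struct.pack("<HH", i, len(U(v))) + U(v)
                       for i, v in ((1, "SALES-PC"), (3, "sales-pc.example.local"))) + b"\x00" * 4
SAMPLE_CHALLENGE = build_ntlmssp(NTLMSSP_CHALLENGE, [("field", U("SALES-PC")), ("raw", FLAGS),
                                 ("raw", b"\x11" * 8), ("raw", b"\x00" * 8), ("field", TARGET_INFO)])  # dummy ServerChallenge + Reserved
SAMPLE_AUTHENTICATE = build_ntlmssp(NTLMSSP_AUTHENTICATE, [("field", b"\x00" * 24), ("field", b"\x22" * 24),
                                    ("field", U("SALES-PC")), ("field", U("ssales")),
                                    ("field", U("ATTACKER-WS")), ("field", b""), ("raw", FLAGS)])
```

Running parse_ntlmssp over the two samples returns SALES-PC from the challenge's Target Name / Target Info and ssales (domain SALES-PC) from the authenticate message, exactly the two fields the write-up read in Wireshark.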
Fourth: After figuring out how the attacker moved within our network, we need to know what they did on the target machine. What's the name of the service executable the attacker set up on the target?
I can get this from File > Export Objects > SMB.
Or filter the SMB traffic for executable files, looking at packets of these types:
- SMB2 CREATE Request
- SMB2 WRITE Request
- SMB2 CLOSE Request
4) After figuring out how the attacker moved within our network, we need to know what they did on the target machine. What's the name of the service executable the attacker set up on the target?
- psexesvc
Fifth: We need to know how the attacker installed the service on the compromised machine to understand the attacker's lateral movement tactics. This can help identify other affected systems. Which network share was used by PsExec to install the service on the target machine?
- Before we answer a question like this, we need to understand the administrative shares:
| Share Name | Share Type | Description |
|---|---|---|
| C$ | Hidden Share | The full copy of the C: Drive on the device. (Access Administrator) |
| D$ | Hidden Share | The full copy of the D: Drive. |
| Admin$ | Hidden Share | Essential system files, such as the Windows folder. |
| IPC$ | Hidden Share | Inter-Process Communication (IPC), used for communication between processes and remote control without accessing files. |
The $ in the name means the share is hidden: it will not be visible to a regular user browsing the network, but it is available to administrators (Admins).
- I used the filter:
smb2.tree
\\10.0.0.133\IPC$ appears = initial connection + authentication phase.
\\10.0.0.133\ADMIN$ appears = actual service copy and installation phase (PsExec copies its service executable here).
5) Which network share was used by PsExec to install the service on the target machine?
- ADMIN$
Sixth: We must identify the network share used to communicate between the two machines. Which network share did PsExec use for communication?
If we look at the SMB traffic after the service is started, we find connections such as the following:
PsExec used the IPC$ share to communicate between the attacker machine (10.0.0.130) and the target machine (10.0.0.133).
In the PCAP, we saw:
- Frame 134 → Tree Connect Request \\10.0.0.133\IPC$
- Frame 135 → Tree Connect Response (the server accepted the connection).
=> This proves that the attacker opened a communication channel on the IPC$ share.
6) We must identify the network share used to communicate between the two machines. Which network share did PsExec use for communication?
- IPC$
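As an added example that is not part of the original write-up, covering the Fourth, Fifth and Sixth questions together: a minimal SMB2 decoder that pairs each Tree Connect Request with its Response by MessageId to learn which share a TreeId maps to, then flags CREATE requests that create or overwrite an executable on ADMIN$, the PSEXESVC.exe drop observed here. The frames are constructed inline (unsigned, with access and attribute fields zeroed), and the svcctl pipe open on IPC$ is an assumed contrast case, not something taken from the capture.

```python
import struct
SMB2_TREE_CONNECT, SMB2_CREATE, SMB2_FLAGS_RESPONSE = 0x0003, 0x0005, 0x00000001
FILE_OPEN = 1  # CreateDisposition; every other value can create or overwrite the file
def parse_smb2(pkt):  # decode the 64-byte header plus TREE_CONNECT / CREATE request bodies
    if pkt[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    command, _credits, flags, _next, msg_id = struct.unpack_from("<HHIIQ", pkt, 12)
    msg = {"command": command, "is_response": bool(flags & SMB2_FLAGS_RESPONSE),
           "msg_id": msg_id, "tree_id": struct.unpack_from("<I", pkt, 36)[0]}
    if not msg["is_response"] and command == SMB2_TREE_CONNECT:
        off, length = struct.unpack_from("<HH", pkt, 64 + 4)  # PathOffset/PathLength, from header start
        msg["path"] = pkt[off:off + length].decode("utf-16-le")
    elif not msg["is_response"] and command == SMB2_CREATE:
        msg["disposition"] = struct.unpack_from("<I", pkt, 64 + 36)[0]
        off, length = struct.unpack_from("<HH", pkt, 64 + 44)  # NameOffset/NameLength
        msg["name"] = pkt[off:off + length].decode("utf-16-le")
    return msg
def find_service_drops(packets):
    """TreeId is assigned in the TREE_CONNECT response, so pair it with the request by MessageId to learn
    which share each TreeId is; then flag executables created or overwritten on ADMIN$."""
    pending, shares, hits = {}, {}, []
    for msg in map(parse_smb2, packets):
        if "path" in msg:
            pending[msg["msg_id"]] = msg["path"]
        elif msg["command"] == SMB2_TREE_CONNECT and msg["is_response"]:
            shares[msg["tree_id"]] = pending.pop(msg["msg_id"], "?")
        elif "name" in msg and msg["disposition"] != FILE_OPEN:
            share = shares.get(msg["tree_id"], "?")
            if share.upper().endswith("ADMIN$") and msg["name"].lower().endswith(".exe"):
                hits.append((share, msg["name"]))
    return hits
def _smb2(command, msg_id, tree_id=0, body=b"", response=False):  # constructed, unsigned frame
    return (b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, command, 0, SMB2_FLAGS_RESPONSE if response else 0,
                                     0, msg_id, 0, tree_id, 0) + b"\x00" * 16 + body)
def _tree_connect(path):  # StructureSize 9, PathOffset 72 (64-byte header + 8-byte fixed body)
    p = path.encode("utf-16-le")
    return struct.pack("<HHHH", 9, 0, 64 + 8, len(p)) + p
def _create(name, disposition):  # StructureSize 57, NameOffset 120; access/attribute fields left zero
    n = name.encode("utf-16-le")
    return struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 0, 0, 0, 0, 0, 0, disposition, 0, 64 + 56, len(n), 0, 0) + n
# Constructed exchange (not frames from the capture): IPC$ tree connect, then ADMIN$ and the service drop
SAMPLE_FRAMES = [
    _smb2(SMB2_TREE_CONNECT, 1, body=_tree_connect(r"\\10.0.0.133\IPC$")),
    _smb2(SMB2_TREE_CONNECT, 1, tree_id=1, response=True),
    _smb2(SMB2_TREE_CONNECT, 2, body=_tree_connect(r"\\10.0.0.133\ADMIN$")),
    _smb2(SMB2_TREE_CONNECT, 2, tree_id=2, response=True),
    _smb2(SMB2_CREATE, 3, tree_id=2, body=_create("PSEXESVC.exe", 5)),  # 5 = FILE_OVERWRITE_IF
    _smb2(SMB2_CREATE, 4, tree_id=1, body=_create("svcctl", FILE_OPEN)),  # pipe open on IPC$, not a drop
]
```

find_service_drops(SAMPLE_FRAMES) returns only the ADMIN$ / PSEXESVC.exe pair; the IPC$ pipe open is ignored because it is a plain FILE_OPEN on a non-administrative share.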
Seventh: Now that we have a clearer picture of the attacker's activities on the compromised machine, it's important to identify any further lateral movement. What is the hostname of the second machine the attacker targeted to pivot within our network?
I can open the tab Statistics > Endpoints.
- In fact, both 10.0.0.131 and 10.0.0.132 are suspects.
- In the PCAP (Wireshark), review the SMB traffic:
- If you find a Tree Connect Request (in the SMB protocol), you will likely see PsExec using ADMIN$ to copy the PSEXESVC.exe file to the victim's machine and run it.
- Now let's look at what happened on this device. We want to get the hostname, using the filter:
(smb2 || ntlmssp) && ip.addr == 10.0.0.131
(parenthesised, since && binds tighter than || in Wireshark display filters; without the parentheses the filter would also match every SMB2 packet in the capture).
🔎 Why does this point to the second hostname?
- The IP address 10.0.0.131 is the new device the attacker is trying to pivot to from 10.0.0.130.
- If you open the SMB2 Session Setup Response or the NTLMSSP_CHALLENGE in the same packet or the next one, you will find:
Target Name = MARKETING-PC
- Or in the Target Info section under the NTLM challenge.
7) Now that we have a clearer picture of the attacker's activities on the compromised machine, it's important to identify any further lateral movement. What is the hostname of the second machine the attacker targeted to pivot within our network?
- Marketing-PC
📝 Indicators of Compromise (IOCs)
| # | Indicator Type | Value / Details | Explanation |
|---|---|---|---|
| 1 | Attacker IP | 10.0.0.130 | The machine from which the attacker initially gained access. |
| 2 | First Pivot Hostname | SALES-PC (10.0.0.133) | The first host the attacker pivoted to. |
| 3 | Username Used | ssales | The account used by the attacker for authentication over SMB. |
| 4 | Service Executable | psexesvc.exe | The malicious service executable set up on the target by PsExec. |
| 5 | Share (Service Install) | ADMIN$ | The administrative share PsExec used to install the service. |
| 6 | Share (Communication) | IPC$ | The network share PsExec used for communication between machines. |
| 7 | Second Pivot Hostname | MARKETING-PC (10.0.0.131) | The second machine the attacker targeted for lateral movement. |
✍️ Prepared by: Abdelwahab A. Shandy
📅 Date: 03-09-2025