Under Review
over 1 year ago

Live Discover Query - Sysinternals

REVIEWED by Sophos

We all know how useful the tools from Sysinternals are. Thanks Mark! Clearly they are so useful that the crooks use them too; in particular, PsExec is a favorite.

When these tools are run you have to accept a EULA; that state is maintained in a registry key, e.g.

[HKEY_CURRENT_USER\SOFTWARE\Sysinternals\PsExec]
"EulaAccepted"=dword:00000001

If you run the tool and decline the EULA, the registry key for the tool isn't created, so you can make the assumption that if the key exists there is a pretty good bet the tool has been run. With that assumption in mind, you could find all computers where PsExec has run:

select r.name, r.path, datetime(mtime,'unixepoch') as ModifiedTime from registry as r where r.key like 'HKEY_USERS\%\SOFTWARE\Sysinternals' and r.name ='PsExec';

Of course, there is always the chance that the key is cleared after use or created manually, but it may be of use and provide a little insight.

To see the other tools run on the selected computers, you can just run:

select r.name, r.path, datetime(mtime,'unixepoch') as ModifiedTime from registry as r where r.key like 'HKEY_USERS\%\SOFTWARE\Sysinternals'

The output might look something like the following:
+------------------+-------------------------------------------------------------------------------------------------+---------------------+
| name             | path                                                                                            | ModifiedTime        |
+------------------+-------------------------------------------------------------------------------------------------+---------------------+
| AutoRuns         | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\AutoRuns         | 2020-04-24 23:21:53 |
| DbgView          | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\DbgView          | 2020-03-31 14:26:04 |
| LiveKd           | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\LiveKd           | 2019-12-30 23:28:26 |
| Movefile         | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\Movefile         | 2019-12-30 23:28:26 |
| PendMove         | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\PendMove         | 2019-12-30 23:28:26 |
| Process Explorer | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\Process Explorer | 2020-05-02 10:12:27 |
| Process Monitor  | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\Process Monitor  | 2020-05-02 10:12:11 |
| PsExec           | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\PsExec           | 2020-04-20 15:55:39 |
| PsPing           | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\PsPing           | 2019-12-30 23:28:26 |
| PsSuspend        | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\PsSuspend        | 2020-02-20 14:05:22 |
| RootkitRevealer  | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\RootkitRevealer  | 2019-12-30 23:28:26 |
| sigcheck         | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\sigcheck         | 2020-04-19 15:20:27 |
| Strings          | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\Strings          | 2019-12-30 23:28:26 |
| Winobj           | HKEY_USERS\S-1-5-21-755344674-3799181900-1998733734-1001\SOFTWARE\Sysinternals\Winobj           | 2020-04-20 15:28:20 |
+------------------+-------------------------------------------------------------------------------------------------+---------------------+
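An added example (not from the original post) that extends the two registry queries above: it walks every loaded user hive, keeps only tools whose EulaAccepted value is set, extracts the SID from the key path and resolves it to a username through osquery's users table (whose uuid column holds the SID on Windows). The column names of the registry and users tables are osquery's; the SID parsing assumes the standard HKEY_USERS\<SID>\... layout shown in the output above.

```sql
-- Added example: Sysinternals EULA-acceptance inventory per user hive.
-- Assumes osquery's registry table (key, name, data, mtime) and users table
-- (uuid = SID, username) as present in Live Discover.
WITH sysinternals AS (
    SELECT
        key,
        data,
        mtime,
        -- 'HKEY_USERS\' is 11 characters, so the SID starts at position 12
        -- and runs up to the next backslash
        substr(key, 12, instr(substr(key, 12), '\') - 1) AS sid,
        -- last path component of the key = the tool's subkey name
        replace(key, rtrim(key, replace(key, '\', '')), '') AS tool
    FROM registry
    -- one '%' per path component: every user hive, every tool subkey
    WHERE key LIKE 'HKEY_USERS\%\SOFTWARE\Sysinternals\%'
      AND name = 'EulaAccepted'
)
SELECT
    s.sid,
    u.username,
    s.tool,
    s.data                         AS eula_accepted,
    datetime(s.mtime, 'unixepoch') AS ModifiedTime
FROM sysinternals AS s
LEFT JOIN users AS u
    ON u.uuid = s.sid
-- REG_DWORD data is returned as a decimal string by osquery
WHERE s.data = '1'
ORDER BY s.mtime DESC;
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so a user who ran PsExec but is currently logged off will not appear; the caveat about manually created or cleared keys from the post applies here too.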

The next question might be, who or what ran the tool? In that case we can turn to the data recorded by Sophos to find the parent process details. For example:

select sophosPID, datetime(processStartTime,'unixepoch') as ProcessStartTime, sha256, cmdline, sid, sessionid from sophos_process_journal where sophospid in (select parentsophospid from sophos_process_journal as spj join sophos_registry_journal as srj on spj.sophospid=srj.sophospid where srj.keyname like '%\SOFTWARE\Sysinternals\PsExec');

This might, for example, return multiple results:

Here we can see that the parent process of the process that created the key (psexec) was powershell.exe, run by the user S-1-5-21-755344674-3799181900-1998733734-1001 in an interactive session. The sha256 will confirm this was PowerShell, and the other one was svchost.

E.g. 

This query allows for the key being created in multiple locations and by multiple processes, so the subquery for the details might be worth running on the computers that returned results:

select * from sophos_process_journal as spj join sophos_registry_journal as srj on spj.sophospid=srj.sophospid where srj.keyname like '%\SOFTWARE\Sysinternals\PsExec';
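An added example (not from the original post) that puts the two Sophos-journal queries above together: instead of listing the parent processes in one query and the key-writing processes in another, it self-joins sophos_process_journal on parentsophospid so each key write appears on one row next to its parent. Only the columns the post's own queries use (sophospid, parentsophospid, processStartTime, cmdline, sha256, sid, sessionid, keyname) are referenced; everything else about those tables is assumed.

```sql
-- Added example: PsExec EULA key writes with the writing process and its parent
-- side by side. Column names are taken from the post's queries; the journal
-- schemas beyond those columns are an assumption.
SELECT
    datetime(child.processStartTime, 'unixepoch') AS ChildStartTime,
    child.sophosPID                               AS ChildPID,
    child.cmdline                                 AS ChildCmdline,
    child.sha256                                  AS ChildSha256,
    datetime(parent.processStartTime, 'unixepoch') AS ParentStartTime,
    parent.sophosPID                              AS ParentPID,
    parent.cmdline                                AS ParentCmdline,
    parent.sha256                                 AS ParentSha256,
    child.sid,
    child.sessionid,
    srj.keyname
FROM sophos_registry_journal AS srj
-- the process that wrote the key
JOIN sophos_process_journal AS child
    ON child.sophospid = srj.sophospid
-- its parent; LEFT JOIN keeps the row if the parent has already aged out
-- of the journal
LEFT JOIN sophos_process_journal AS parent
    ON parent.sophospid = child.parentsophospid
WHERE srj.keyname LIKE '%\SOFTWARE\Sysinternals\PsExec'
ORDER BY child.processStartTime DESC;
```

A row whose ParentCmdline is powershell.exe in an interactive session tells a different story from one whose parent is an unfamiliar binary dropped alongside psexec, which is the case the next paragraph is about.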

I can see the case, however, where the file that launched PsExec might be well worth a look if it's malware bundling the tool and launching it directly.

Hope it's useful; it might also highlight places where Application Control to block such tools could be helpful.

Jak