[New WTFBin]: PsExec v2.30

[umairqamar]

• Contributor Name: Umair Qamar @umairq_
• Application/Executable: PsExec v2.30
• WTF Behavior Description: PsExec v2.30 client now drops a key into file protected with an administrator-only security descriptor with a name formatted as PSEXEC-.key. This behaviour is similar to a ransomware dropping a key file. Hive Ransomware, for example is known for dropping .key files (https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/)
• Link to Documentation of Behavior: https://techcommunity.microsoft.com/t5/sysinternals-blog/sysmon-v13-01-and-psexec-v2-30/ba-p/2054904
• Please provide any images for additional evidence. Screenshot of Windows event id 5145 (A network share object was checked to see whether client can be granted desired access)

[mttaggart]

Hey, @umairqamar, this looks really good! Could I possibly also trouble you for a file write event screenshot?

[umairqamar]

Hey @mttaggart I can not find FileWrite events related to this in my logs, the .key file was only seen in event id 5145.

[mttaggart]

@umairqamar Without a file write, I don't know that I am comfortable with this description. I feel like we don't have the full story on this one. I'm closing this for now, but please feel free to reopen later with more evidence!

[umairqamar]

The .key file is written on target system in root of Windows directory. The file is created and gets deleted subsequently, you can look the file createtion and deletion in USN journal. This behaviour is mentioned here:

https://aboutdfir.com/the-key-to-identify-psexec/ https://youtu.be/oVM1nQhDZQc?t=946