PSEXEC attack

  • Question

  • Hello Team,

    Please, I want to ask if it is possible for ATA to detect when an attacker launches remote code execution (psexec) against a server on the network. I know ATA detects when such an attack is launched against domain controllers, but what if the targeted machine is a member server or workstation? Will ATA still detect it?

    Thanks.


    BR, David Sunday

    Thursday, February 1, 2018 9:38 AM

Answers

  • Hi David,

    In ATA 1.9 we will be able to detect some scenarios of suspicious service creation on endpoints. It relies, as you proposed, on 7045 events that are forwarded to the gateway, by integrating a SIEM or, in the case of LWGW, by forwarding the events to the DC.

    Friday, February 2, 2018 1:18 PM

All replies

  • No, we only inspect the DC traffic, so we don't have that kind of visibility on the endpoints...
    Thursday, February 1, 2018 10:16 PM
  • Thanks for the response Ofek.

    What if I configure event forwarding from the endpoint to forward event ID 7045 (psexec) to the DC? Will ATA be able to read the forwarded event(s)?

    Thanks.


    BR, David Sunday

    Friday, February 2, 2018 11:47 AM
  • Great! I look forward to seeing that cool feature.

    When is ATA 1.9 going to be GA?

    Thanks Tali.


    BR, David Sunday

    Friday, February 2, 2018 2:24 PM
  • ATA 1.9 is going to be GA by the end of Q1 CY2018.
    Sunday, February 4, 2018 12:51 PM
  • Thanks team.

    BR, David Sunday

    Tuesday, February 6, 2018 8:55 AM
  • Hello Tali,

    Thanks for your response so far.

    So now that ATA 1.9 is GA, I deployed it in our lab environment and triggered a remote code execution attack against a member server; ATA does not show the suspicious activity on the timeline. Rather, it only shows it when I check the computer object profile, as shown below.

    My ask is how do I get timeline or email notification of this suspicious activity on endpoints just the way it works for DCs?


    BR, David Sunday


    Thursday, April 12, 2018 1:23 PM
  • Hi David,

    ATA detects remote code execution only against the DC.

    There is a new detection of Suspicious Service Creation, it detects when a new service that seems suspicious has been created on a domain controller. It is based on event 7045.

    If you are forwarding 7045 events from other machines to a DC, we will be able to alert on it also on those machines.

    Thanks,

    Tali

    Friday, April 13, 2018 1:45 PM
  • Hi Tali,

    I configured a "Collector Initiated subscription" on the DC and set the destination log to "System" instead of the default "Forwarded Events"; ATA 1.9 still did not alert on this in the console. It only reports it on the endpoint's profile under "Logged on Users". I checked the Center detection log: nothing for the endpoint, except for the DCs' PSEXEC.

    Event forwarding is active and working.


    BR, David Sunday

    Friday, April 13, 2018 2:22 PM
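The thread above turns on two details: the Suspicious Service Creation detection is driven by event ID 7045 (ServiceName / ImagePath), and forwarded events only reach the log ATA reads if the subscription's destination log is set appropriately. As an added example (not from this thread, and not ATA's own detection logic), the following Python parses exported 7045 records and applies a few defender heuristics; the event XML schema and field names are the real Windows ones, the heuristics and sample records are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Defender heuristics applied to ServiceName and ImagePath of a 7045 (service installed) record.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"^psexesvc(\.exe)?$", re.I), "PsExec service name"),
    (re.compile(r"^\\\\[^\\]+\\(admin|c|ipc)\$", re.I), "binary on an admin share"),
    (re.compile(r"\\(windows\\temp|temp|tmp)\\", re.I), "binary in a temp directory"),
]

def parse_7045(xml_text):
    """Return the fields that matter for a 7045 event, or None for any other event."""
    root = ET.fromstring(xml_text)
    sysm = root.find("e:System", NS)
    if sysm is None or sysm.findtext("e:EventID", namespaces=NS) != "7045":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {"computer": sysm.findtext("e:Computer", namespaces=NS),
            "channel": sysm.findtext("e:Channel", namespaces=NS),  # System vs ForwardedEvents
            "service": data.get("ServiceName", ""), "image": data.get("ImagePath", "")}

def flag_service_install(event):
    """Return the names of every heuristic that matches this parsed 7045 record."""
    name, image = event["service"], event["image"].strip('"')
    return [why for pat, why in SUSPICIOUS_PATTERNS if pat.search(name) or pat.search(image)]

def scan(xml_records):
    """Keep only 7045 records; return (computer, channel, service, reasons) for flagged ones."""
    hits = []
    for ev in filter(None, map(parse_7045, xml_records)):
        reasons = flag_service_install(ev)
        if reasons:
            hits.append((ev["computer"], ev["channel"], ev["service"], reasons))
    return hits

def make_record(computer, channel, service, image):
    """Constructed sample 7045 record in the Windows event XML schema (not a real capture)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>7045</EventID><Channel>{channel}</Channel>'
            f'<Computer>{computer}</Computer></System><EventData><Data Name="ServiceName">{service}'
            f'</Data><Data Name="ImagePath">{image}</Data></EventData></Event>')

# Constructed samples: a forwarded event from a member server (collector-initiated subscriptions
# write to ForwardedEvents unless the destination log is set to System), a workstation, a DC.
SAMPLE_RECORDS = [
    make_record("SRV01", "ForwardedEvents", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    make_record("WS07", "System", "Updater", r"\\FILESRV01\ADMIN$\tools\updater.exe"),
    make_record("DC01", "System", "MSSQLSERVER", r'"C:\Program Files\MSSQL\Binn\sqlservr.exe" -s'),
]
```

The `channel` field is kept deliberately: a hit sitting in ForwardedEvents rather than System is exactly the case where a consumer that only reads the DC's System log would never see it.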