In this blog post, Winexe will be used. Winexe is a GNU/Linux-based application that allows users to execute commands remotely on Windows NT/2000/XP/2003/Vista/7/8 systems. It installs a service on the remote system, executes the command and then uninstalls the service. Winexe allows execution of most Windows shell commands.
(filename = 'ahexec','winexesvc.exe') && (service = 139)
(filename.src = 'winexesvc.exe')
Analysing the endpoint, you can see the winexesvc.exe process running from task manager:
As well as the service that was installed via SCM over the network:
This service creation also creates a log entry in the System event log as event ID 7045:
This means that if you are ingesting Windows event logs into NetWitness, you can create an application rule that triggers on Winexe usage with the following logic:
(reference.id = '7045') && (service.name = 'winexesvc')
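The two indicators above, the SMB transfer of ahexec / winexesvc.exe on port 139 (or winexesvc.exe as filename.src) and the System log service-install event 7045 for the winexesvc service, can be reproduced outside NetWitness as a small detector. The following Python is an added example, not code from the original post or from the Winexe project; the record layouts and field names (filename, filename.src, service, reference.id, service.name, host) are assumptions modelled on the meta keys used in the rules above, and all sample records are constructed.

```python
"""Added example: apply the Winexe network and event-log indicators to sample data.

Not part of the original post. Field names mirror the NetWitness meta keys quoted
in the rules; the record shape itself is an assumption and the data is constructed.
"""

# Constructed sample network-session metadata (not real captures).
NETWORK_SESSIONS = [
    {"filename": ["srvsvc", "winexesvc.exe"], "service": 139},          # service binary pushed over SMB
    {"filename": ["ahexec"], "service": 139},                           # Winexe's other transfer name
    {"filename": ["document.docx"], "service": 139},                    # ordinary SMB file copy
    {"filename": ["winexesvc.exe"], "service": 80},                     # same name, but not SMB/139
    {"filename": [], "service": 445, "filename.src": ["WinExeSvc.exe"]},  # seen only as source filename
]

# Constructed sample System-log entries as a collector might normalise them.
EVENTLOG_EVENTS = [
    {"reference.id": "7045", "service.name": "winexesvc", "host": "WS01"},
    {"reference.id": "7045", "service.name": "PSEXESVC", "host": "WS01"},   # another service install
    {"reference.id": "7036", "service.name": "winexesvc", "host": "WS02"},  # state change, not install
    {"reference.id": "7045", "service.name": "winexesvc", "host": "WS02"},
]

WINEXE_FILENAMES = {"ahexec", "winexesvc.exe"}
WINEXE_SERVICE_NAME = "winexesvc"
NETBIOS_SESSION_PORT = 139
SERVICE_INSTALLED_EVENT_ID = "7045"


def winexe_session_reasons(session):
    """Return the reasons a session matches the post's network rules (empty if none).

    Mirrors: (filename = 'ahexec','winexesvc.exe') && (service = 139)
    and:     (filename.src = 'winexesvc.exe')
    Names are lower-cased so a differently cased binary name still matches.
    """
    reasons = []
    names = {n.lower() for n in session.get("filename", [])}
    if names & WINEXE_FILENAMES and session.get("service") == NETBIOS_SESSION_PORT:
        reasons.append("winexe binary transferred over SMB (port 139)")
    src_names = {n.lower() for n in session.get("filename.src", [])}
    if "winexesvc.exe" in src_names:
        reasons.append("winexesvc.exe seen as source filename")
    return reasons


def is_winexe_service_install(event):
    """Mirror of: (reference.id = '7045') && (service.name = 'winexesvc')."""
    return (event.get("reference.id") == SERVICE_INSTALLED_EVENT_ID
            and event.get("service.name", "").lower() == WINEXE_SERVICE_NAME)


def find_winexe_sessions(sessions):
    """Sessions that hit at least one of the network indicators."""
    return [s for s in sessions if winexe_session_reasons(s)]


def find_winexe_installs(events):
    """7045 events whose installed service is winexesvc."""
    return [e for e in events if is_winexe_service_install(e)]


def hosts_with_winexe_install(events):
    """Sorted, de-duplicated list of hosts where the winexesvc service was installed."""
    return sorted({e["host"] for e in find_winexe_installs(events)})


if __name__ == "__main__":
    for s in find_winexe_sessions(NETWORK_SESSIONS):
        print("network:", s, "->", "; ".join(winexe_session_reasons(s)))
    for e in find_winexe_installs(EVENTLOG_EVENTS):
        print("eventlog:", e["host"], "service install of", e["service.name"])
    print("hosts:", hosts_with_winexe_install(EVENTLOG_EVENTS))
```

Keeping the port condition on the filename rule matters: winexesvc.exe copied over something other than the NetBIOS session service (session four above) is not the Winexe transfer pattern the post describes, while the event-log rule ignores 7036 state-change events for the same service name because only the install (7045) marks new Winexe activity.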
We can also see the named pipe which Winexe uses by executing Sysinternals pipelist tool: