Adding more remote execution mechanisms to the artifacts
Hi, I suggest adding more artifacts in definitions for remote execution tools. Currently, I see "PsExec" as one of them in both Windows and Server directories but we could have its alternatives like "PaExec" (the open-source equivalent of it which I have seen in previous investigations), WinRM (Windows Remote Management Mechanisms) and others. Generally, adding them could help improve the detection of adversary tools and techniques.
@scudette, I think it could be added using the current definition format.
This sounds like a great idea. There are a number of approaches:
- We could just look for the exe name - very easy to bypass but we can do it on the server.
- We could run a yara scan on all new services - this is very solid even for renamed services and can be a client side artifact.
With the yara option it would be awesome to be able to update the signature all the time so maybe we can fetch the sig from the server's public directory so we can keep this updated?
Thanks. Regarding the first approach, we could use it for tools with static service names (like WinRM). But as you mentioned, the majority of tools could have an attacker-specified service name that we could check with Yara to prevent evasion. Implementing a server-side public directory for Yara rules is a perfect fit for this feature, because we could check other forms of persistence/tools in addition. I'm thinking about extending the detection mechanisms for current APTs' known toolsets also, specifically in the persistence and lateral movement part.
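The two layers discussed in this thread (a cheap server-side match on the service/exe name, and a content scan of the newly installed service binary that survives renaming), plus the idea of refreshing the signature set from a central location, as a worked example. This is an added illustration written for this thread, not Velociraptor's own code or an artifact definition: it is plain Python rather than VQL so it runs offline, the Event ID 7045 records and binary contents are constructed, and the content signatures (the `\\.\pipe\PSEXESVC` pipe name and the `PAExec` string) stand in for what a real deployment would express as YARA rules.

```python
"""Two-layer detection of remote-execution service installs (added example).

Layer 1: name/path patterns over collected service-install events.
         Cheap, server-side, trivially bypassed by renaming the binary.
Layer 2: content signatures applied to the installed binary regardless
         of its name. A real deployment would hand this to YARA; a plain
         substring matcher stands in here so the script runs offline.
Rules for layer 2 are loaded through a fetch callback, standing in for a
download from the server's public directory so they can be refreshed.
"""
import json
import re
from typing import Callable, Dict, List, Optional

# Constructed records modelled on Windows System log Event ID 7045
# ("A service was installed in the system"). Synthetic, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "ServiceName": "PAExec-8812-ADMIN-PC",
     "ImagePath": r"C:\Windows\PAExec-8812-ADMIN-PC.exe"},
    # Renamed copy: the name layer misses it, the content layer should not.
    {"EventID": 7045, "ServiceName": "WinUpdateHelper",
     "ImagePath": r"C:\Windows\Temp\wuh.exe"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    # State change, not an install: must be ignored by both layers.
    {"EventID": 7036, "ServiceName": "PSEXESVC", "ImagePath": ""},
]

# Illustrative signature bytes (assumption: stand-ins for real YARA strings).
PSEXEC_PIPE = rb"\\.\pipe\PSEXESVC"

# Constructed file contents standing in for the binaries named in ImagePath.
SAMPLE_FILES: Dict[str, bytes] = {
    r"%SystemRoot%\PSEXESVC.exe": b"MZ...." + PSEXEC_PIPE + b"....",
    r"C:\Windows\PAExec-8812-ADMIN-PC.exe": b"MZ....PAExec....",
    r"C:\Windows\Temp\wuh.exe": b"MZ...." + PSEXEC_PIPE + b"....",  # renamed PsExec
    r"%SystemRoot%\System32\spoolsv.exe": b"MZ....spoolsv....",
}

# Layer 1: regexes applied to the service name and image path.
NAME_RULES = {
    "PsExec": re.compile(r"psexesvc", re.I),
    "PAExec": re.compile(r"paexec", re.I),
}

# Layer 2: label -> list of byte signatures. Kept JSON-serialisable so the
# set can be published centrally and re-fetched by clients.
DEFAULT_CONTENT_RULES: Dict[str, List[bytes]] = {
    "PsExec": [PSEXEC_PIPE],
    "PAExec": [b"PAExec"],
}


def serialize_rules(rules: Dict[str, List[bytes]]) -> bytes:
    """What the server's public directory would serve: rules as JSON."""
    return json.dumps({k: [s.decode() for s in v] for k, v in rules.items()}).encode()


def refresh_rules(fetch: Callable[[], bytes]) -> Dict[str, List[bytes]]:
    """fetch() stands in for an HTTP GET of the published rule file."""
    raw = json.loads(fetch())
    return {label: [s.encode() for s in sigs] for label, sigs in raw.items()}


def match_by_name(event: dict) -> List[str]:
    """Layer 1: only service-install events, matched on name and path."""
    if event["EventID"] != 7045:
        return []
    haystack = event["ServiceName"] + " " + event["ImagePath"]
    return [label for label, rx in NAME_RULES.items() if rx.search(haystack)]


def match_by_content(event: dict, rules: Dict[str, List[bytes]],
                     read_file: Callable[[str], Optional[bytes]]) -> List[str]:
    """Layer 2: read the installed binary and test every signature."""
    if event["EventID"] != 7045:
        return []
    data = read_file(event["ImagePath"])
    if data is None:  # binary already deleted or unreadable: nothing to scan
        return []
    return [label for label, sigs in rules.items() if any(s in data for s in sigs)]


def scan(events: List[dict], rules: Dict[str, List[bytes]],
         read_file: Callable[[str], Optional[bytes]]) -> List[dict]:
    """Run both layers; report any service that either layer flags."""
    findings = []
    for ev in events:
        by_name = match_by_name(ev)
        by_content = match_by_content(ev, rules, read_file)
        if by_name or by_content:
            findings.append({"service": ev["ServiceName"],
                             "name_hits": by_name, "content_hits": by_content})
    return findings


if __name__ == "__main__":
    rules = refresh_rules(lambda: serialize_rules(DEFAULT_CONTENT_RULES))
    for f in scan(SAMPLE_EVENTS, rules, SAMPLE_FILES.get):
        print(f)
```

The renamed `WinUpdateHelper` service is the case the thread cares about: it produces no name hit but a PsExec content hit, which is why the content layer has to run on the client where the binary is readable, while the name layer can stay server-side over already-collected events.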