Adversaries may use remote execution tools like PsExec to distribute malware across a network, leveraging these tools to move laterally and execute payloads undetected. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control activities and limit the spread of malicious payloads.
KQL Query
```kusto
AlertInfo
| where Title == "File dropped and launched from remote location"
| join AlertEvidence on $left.AlertId == $right.AlertId
// Looking for tools involved in potential distribution of ransomware
| where FileName hasprefix "psexe" or (FileName matches regex @"^([a-z0-9]){7}\.exe$" and FileName matches regex "[0-9]{1,5}")
or ProcessCommandLine has "accepteula"
```
```yaml
id: 4e070afe-7a9b-4313-a964-c3168fffc1e2
name: Distribution from remote location
description: |
  This query checks for alerts related to file drop and remote execution where the file name matches PsExec and similar tools used for distribution
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
      - AlertEvidence
tactics:
  - Ransomware
query: |
  AlertInfo
  | where Title == "File dropped and launched from remote location"
  | join AlertEvidence on $left.AlertId == $right.AlertId
  // Looking for tools involved in potential distribution of ransomware
  | where FileName hasprefix "psexe" or (FileName matches regex @"^([a-z0-9]){7}\.exe$" and FileName matches regex "[0-9]{1,5}")
  or ProcessCommandLine has "accepteula"
```
| Sentinel Table | Notes |
|---|---|
| AlertEvidence | Ensure this data connector is enabled |
- Scenario: Legitimate use of PsExec for administrative tasks
  Filter/Exclusion: `process.name != "PsExec.exe" OR process.parent_process != "explorer.exe" OR process.user != "admin_user"`
- Scenario: Scheduled job that uses PSEXESVC.exe for remote service management
  Filter/Exclusion: `process.name != "PSEXESVC.exe" OR process.parent_process != "task scheduler" OR process.user == "svc_account"`
- Scenario: System update or patching using tools like PsExec for remote deployment
  Filter/Exclusion: `process.name != "PsExec.exe" OR process.parent_process != "Windows Update" OR process.user == "domain_admin"`
- Scenario: IT team using Empire or Cobalt Strike for red team exercises
  Filter/Exclusion: `process.name != "Empire.exe" OR process.name != "CobaltStrike.exe" OR process.user == "red_team_user"`
- Scenario: Remote desktop session using PsExec to execute commands on a remote machine
  Filter/Exclusion: `process.name != "PsExec.exe" OR process.parent_process == "mstsc.exe" OR process.user == "rdp_user"`
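To check what the hunting query's filename and command-line predicate actually catches (and what it misses, since KQL `matches regex` is case-sensitive while `hasprefix` and `has` are not) before adding exclusions like the ones above, here is an added Python port of the query's `where` clause and join run over constructed evidence rows. It is example code, not part of the original query or Microsoft's code; the `DeviceName` field and the host allowlist are assumed tuning additions.

```python
import re
from dataclasses import dataclass

REMOTE_DROP_TITLE = "File dropped and launched from remote location"

# KQL `matches regex` is case-sensitive, so no re.IGNORECASE here (same as the query).
SEVEN_ALNUM_EXE = re.compile(r"^([a-z0-9]){7}\.exe$")
CONTAINS_DIGIT = re.compile(r"[0-9]{1,5}")  # "[0-9]{1,5}" just means: at least one digit

@dataclass
class Evidence:
    """Constructed AlertEvidence-style row; field names follow the schema the query joins on."""
    AlertId: str
    FileName: str
    ProcessCommandLine: str
    DeviceName: str  # assumed field, used only for the tuning allowlist below

def matches_distribution_tool(file_name: str, cmdline: str) -> bool:
    """Port of the query's `where` clause, keeping each KQL operator's case rules."""
    if file_name.lower().startswith("psexe"):          # `hasprefix` is case-insensitive
        return True
    if SEVEN_ALNUM_EXE.search(file_name) and CONTAINS_DIGIT.search(file_name):
        return True                                    # `matches regex` is case-sensitive
    # `has` is a case-insensitive term match; approximated by splitting on non-alphanumerics,
    # so "-accepteula" tokenises to "accepteula" as it does in KQL.
    return "accepteula" in re.split(r"[^a-z0-9_]+", cmdline.lower())

def hunt(alerts, evidence, allowlisted_devices=frozenset()):
    """Emulates `AlertInfo | where Title == ... | join AlertEvidence` plus an allowlist
    exclusion (the allowlist is an assumed tuning step, not part of the original query)."""
    remote_drop_ids = {alert_id for alert_id, title in alerts if title == REMOTE_DROP_TITLE}
    return [ev for ev in evidence
            if ev.AlertId in remote_drop_ids
            and ev.DeviceName not in allowlisted_devices
            and matches_distribution_tool(ev.FileName, ev.ProcessCommandLine)]

# Constructed sample data, not real alerts.
ALERTS = [("a1", REMOTE_DROP_TITLE), ("a2", "Suspicious PowerShell command line")]
EVIDENCE = [
    Evidence("a1", "PsExec.exe", r"PsExec.exe \\srv01 -s cmd", "ws-001"),   # hasprefix hit
    Evidence("a1", "x7k2m9q.exe", "x7k2m9q.exe", "ws-002"),                 # 7-char name with digits
    Evidence("a1", "ABC1234.EXE", "ABC1234.EXE", "ws-003"),                 # missed: regex is case-sensitive
    Evidence("a1", "abcdefg.exe", "abcdefg.exe", "ws-004"),                 # 7 chars but no digit: no hit
    Evidence("a1", "setup.exe", "setup.exe /q -accepteula", "ws-005"),      # accepteula hit
    Evidence("a2", "PsExec.exe", "PsExec.exe -s cmd", "ws-006"),            # wrong alert title: not joined
    Evidence("a1", "PSEXESVC.exe", "PSEXESVC.exe", "jump-01"),              # hit, but on allowlisted host
]
```

Running `hunt(ALERTS, EVIDENCE, allowlisted_devices=frozenset({"jump-01"}))` returns the ws-001, ws-002 and ws-005 rows; the uppercase `ABC1234.EXE` row shows why a case-insensitive regex (or `tolower(FileName)`) may be worth considering when tuning.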