Solved

PSEXE service found on user's workstation

Posted on 2014-11-24
4
466 Views
Last Modified: 2014-12-01
Found the following service (psexe) running on a user's workstation. I understand that it is part of a suite of tools that some admins will use to help support an environment it is also a tool that can be used for malicious purposes. Are there any known applications that use this service?

e.g. Spiceworks, PRTG, Solarwinds, Adobe Creative Suite, SQL, etc.
0
Comment
Question by:dowhatyoudo22
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 55

Accepted Solution

by:
McKnife earned 250 total points
ID: 40462905
I doubt very much that any software would use psexec as a helper because it will only be of any benefit if used remotely. And if such a software would like to do anything remotely, they would program an agent to be distributed on the remote system and not use psexec.

You should list all services on all systems, maybe use a startup script like this:
net start |findstr /I psexec && echo psexec present >\\server\share\%computername%.txt

to realize if only one system has this, or many.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points
ID: 40466852
I also think likewise, this tool is unlikely bundled together with those admin toolkits. Rather it is PsExec that potentially is running them if need to as sometimes, most may rely more on runas that come with OS to execute. But the latter is more "inconvenient" and not as flexible or powerful with more parameter to use within that single tool. Such as PsExec offers a -h option, which runs the specified executable on the remote system using the account's elevated token (if possible).

There is a "PSExec module" (or should I say modified version of PsExec included in the Metasploit Framework. Also trails of PsExec may be possible to sieve out as if it is malicious intent, they may modified the filename, binary etc to evade the baseline detection or scanning.. can try look at prefetch files for odd names, or even the actual name..., SMB enable and ADMIN$ exposed (like the metasploit article shared)etc

but more have heard about powershell but using it may be the true admin expert as compared to novice whom may still the PsExec commandline (running bat). it was in past AV may detect PsExec as remote admin trojan but that is not true in the long run, so I still believe it comes as itself and used as itself by users and admin. However, that does not stop other to better PsExec though having the same goal but claimed to be re-implemented with added "capability" over PSexec limitations. One such tool is PAExec. It stated it will scramble
the parameters to protect them from casual wire sniffers, but they are not encrypted. Instead the PSexec is sending in clear.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40466939
@btan
start the cmd as domain admin on your machine, then use psexec inside - that way, no password is transmitted in clear text, unless you submit different credentials once more.
0
 
LVL 64

Expert Comment

by:btan
ID: 40468120
thanks McKnife :) It can indeed assume the role of current login accounts unless using the "-p" for other accounts to relogin. An instance of such shared for information. I was thinking of case if the remote "friendly" user wanted to use other account.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question