PSEXE service found on user's workstation

Posted on 2014-11-24
Last Modified: 2014-12-01
Found the following service (psexe) running on a user's workstation. I understand that it is part of a suite of tools that some admins will use to help support an environment it is also a tool that can be used for malicious purposes. Are there any known applications that use this service?

e.g. Spiceworks, PRTG, Solarwinds, Adobe Creative Suite, SQL, etc.
Question by:dowhatyoudo22
  • 2
  • 2
LVL 54

Accepted Solution

McKnife earned 250 total points
ID: 40462905
I doubt very much that any software would use psexec as a helper because it will only be of any benefit if used remotely. And if such a software would like to do anything remotely, they would program an agent to be distributed on the remote system and not use psexec.

You should list all services on all systems, maybe use a startup script like this:
net start |findstr /I psexec && echo psexec present >\\server\share\%computername%.txt

to realize if only one system has this, or many.
LVL 63

Assisted Solution

btan earned 250 total points
ID: 40466852
I also think likewise, this tool is unlikely bundled together with those admin toolkits. Rather it is PsExec that potentially is running them if need to as sometimes, most may rely more on runas that come with OS to execute. But the latter is more "inconvenient" and not as flexible or powerful with more parameter to use within that single tool. Such as PsExec offers a -h option, which runs the specified executable on the remote system using the account's elevated token (if possible).

There is a "PSExec module" (or should I say modified version of PsExec included in the Metasploit Framework. Also trails of PsExec may be possible to sieve out as if it is malicious intent, they may modified the filename, binary etc to evade the baseline detection or scanning.. can try look at prefetch files for odd names, or even the actual name..., SMB enable and ADMIN$ exposed (like the metasploit article shared)etc

but more have heard about powershell but using it may be the true admin expert as compared to novice whom may still the PsExec commandline (running bat). it was in past AV may detect PsExec as remote admin trojan but that is not true in the long run, so I still believe it comes as itself and used as itself by users and admin. However, that does not stop other to better PsExec though having the same goal but claimed to be re-implemented with added "capability" over PSexec limitations. One such tool is PAExec. It stated it will scramble
the parameters to protect them from casual wire sniffers, but they are not encrypted. Instead the PSexec is sending in clear.
LVL 54

Expert Comment

ID: 40466939
start the cmd as domain admin on your machine, then use psexec inside - that way, no password is transmitted in clear text, unless you submit different credentials once more.
LVL 63

Expert Comment

ID: 40468120
thanks McKnife :) It can indeed assume the role of current login accounts unless using the "-p" for other accounts to relogin. An instance of such shared for information. I was thinking of case if the remote "friendly" user wanted to use other account.

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this era, as you know, cybercrime and other sorts of frauds using the internet has increased day by day. We should protect our information assets and confidential information from getting exploiting by the attacker or intruders. Most of the fraud…
Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question