PSEXE service found on user's workstation

Found the following service (psexe) running on a user's workstation. I understand that it is part of a suite of tools that some admins will use to help support an environment it is also a tool that can be used for malicious purposes. Are there any known applications that use this service?

e.g. Spiceworks, PRTG, Solarwinds, Adobe Creative Suite, SQL, etc.
dowhatyoudo22Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

McKnifeCommented:
I doubt very much that any software would use psexec as a helper because it will only be of any benefit if used remotely. And if such a software would like to do anything remotely, they would program an agent to be distributed on the remote system and not use psexec.

You should list all services on all systems, maybe use a startup script like this:
net start |findstr /I psexec && echo psexec present >\\server\share\%computername%.txt

to realize if only one system has this, or many.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
I also think likewise, this tool is unlikely bundled together with those admin toolkits. Rather it is PsExec that potentially is running them if need to as sometimes, most may rely more on runas that come with OS to execute. But the latter is more "inconvenient" and not as flexible or powerful with more parameter to use within that single tool. Such as PsExec offers a -h option, which runs the specified executable on the remote system using the account's elevated token (if possible).

There is a "PSExec module" (or should I say modified version of PsExec included in the Metasploit Framework. Also trails of PsExec may be possible to sieve out as if it is malicious intent, they may modified the filename, binary etc to evade the baseline detection or scanning.. can try look at prefetch files for odd names, or even the actual name..., SMB enable and ADMIN$ exposed (like the metasploit article shared)etc

but more have heard about powershell but using it may be the true admin expert as compared to novice whom may still the PsExec commandline (running bat). it was in past AV may detect PsExec as remote admin trojan but that is not true in the long run, so I still believe it comes as itself and used as itself by users and admin. However, that does not stop other to better PsExec though having the same goal but claimed to be re-implemented with added "capability" over PSexec limitations. One such tool is PAExec. It stated it will scramble
the parameters to protect them from casual wire sniffers, but they are not encrypted. Instead the PSexec is sending in clear.
0
McKnifeCommented:
@btan
start the cmd as domain admin on your machine, then use psexec inside - that way, no password is transmitted in clear text, unless you submit different credentials once more.
0
btanExec ConsultantCommented:
thanks McKnife :) It can indeed assume the role of current login accounts unless using the "-p" for other accounts to relogin. An instance of such shared for information. I was thinking of case if the remote "friendly" user wanted to use other account.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Digital Forensics

From novice to tech pro — start learning today.