Solved

PSEXE service found on user's workstation

Posted on 2014-11-24
426 Views
Last Modified: 2014-12-01
Found the following service (psexe) running on a user's workstation. I understand that it is part of a suite of tools that some admins will use to help support an environment; it is also a tool that can be used for malicious purposes. Are there any known applications that use this service?

e.g. Spiceworks, PRTG, Solarwinds, Adobe Creative Suite, SQL, etc.
Question by:dowhatyoudo22
4 Comments
 
LVL 53

Accepted Solution

by:
McKnife earned 250 total points
ID: 40462905
I doubt very much that any software would use psexec as a helper, because it will only be of any benefit if used remotely. And if such software would like to do anything remotely, they would program an agent to be distributed on the remote system and not use psexec.

You should list all services on all systems, maybe use a startup script like this:
net start |findstr /I psexec && echo psexec present >\\server\share\%computername%.txt

to realize whether only one system has this, or many.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 40466852
I also think likewise; this tool is unlikely to be bundled together with those admin toolkits. Rather, it is PsExec that potentially is running them if needed, as sometimes most may rely more on runas, which comes with the OS, to execute. But the latter is more "inconvenient" and not as flexible or powerful; PsExec has more parameters to use within that single tool, such as the -h option, which runs the specified executable on the remote system using the account's elevated token (if possible).

There is a "PSExec module" (or should I say a modified version of PsExec) included in the Metasploit Framework. Also, traces of PsExec may be possible to sieve out: if it is malicious intent, they may have modified the filename, binary etc. to evade the baseline detection or scanning; can try looking at prefetch files for odd names, or even the actual name, SMB enabled and ADMIN$ exposed (like the Metasploit article shared), etc.

But more have heard about PowerShell; using it may be the true admin expert as compared to a novice who may still use the PsExec command line (running a bat). In the past AV may have detected PsExec as a remote admin trojan, but that is not true in the long run, so I still believe it comes as itself and is used as itself by users and admins. However, that does not stop others from bettering PsExec, having the same goal but claiming to be re-implemented with added "capability" over PsExec limitations. One such tool is PAExec. It states it will scramble the parameters to protect them from casual wire sniffers, but they are not encrypted. Instead, PsExec is sending in clear.
0
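Putting McKnife's startup-script idea and btan's PAExec remark together, here is an added example (not code posted by either expert) of the collection side: a script that reads the per-host `net start` listings a startup script would have written to \\server\share\%computername%.txt and reports which hosts run a PsExec-family service. It assumes the files have already been read into a {hostname: text} dict; the listings below are constructed samples so it runs offline. The "PAExec" display name is an assumption, and name matching will not catch a renamed binary, which is why btan's suggestion to review prefetch entries and image paths still matters.

```python
"""Flag PsExec-family services across collected `net start` listings.

Added example for this thread, not code posted by either expert. It assumes
that each workstation has written its `net start` output to a per-host file
(for instance \\server\share\<COMPUTERNAME>.txt, as McKnife suggested) and
that those files have been read into a {hostname: text} dict. The listings
below are constructed samples so the script runs offline.
"""
import re
from typing import Dict, List

# Display-name patterns for PsExec-style remote-execution services.
# "PsExec" is the display name of the PSEXESVC service that Sysinternals
# PsExec installs on a target; "PAExec" is assumed here to be the display
# name PAExec uses. Matching on "psexe" also catches the spelling in the
# question. Name matching will not catch a renamed binary; for that, review
# service image paths and prefetch entries as btan describes.
SUSPECT_PATTERNS = [
    re.compile(r"psexe", re.IGNORECASE),
    re.compile(r"paexec", re.IGNORECASE),
]


def parse_net_start(text: str) -> List[str]:
    """Return the service display names from `net start` output.

    `net start` prints a header line, one indented line per started service,
    then an unindented completion line; only the indented entries are kept.
    """
    return [line.strip() for line in text.splitlines()
            if line.startswith(" ") and line.strip()]


def suspect_services(services: List[str]) -> List[str]:
    """Filter a service list down to names matching SUSPECT_PATTERNS."""
    return [s for s in services if any(p.search(s) for p in SUSPECT_PATTERNS)]


def flag_hosts(listings: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host whose listing contains a suspect service to its matches."""
    flagged: Dict[str, List[str]] = {}
    for host, text in listings.items():
        hits = suspect_services(parse_net_start(text))
        if hits:
            flagged[host] = hits
    return flagged


def summarize(listings: Dict[str, str]) -> str:
    """One-line answer to McKnife's question: one system, or many?"""
    flagged = flag_hosts(listings)
    if not flagged:
        return f"0 of {len(listings)} hosts run a PsExec-family service"
    hosts = ", ".join(f"{h} ({'; '.join(s)})" for h, s in sorted(flagged.items()))
    return f"{len(flagged)} of {len(listings)} hosts run a PsExec-family service: {hosts}"


# Constructed sample listings standing in for the per-host files.
SAMPLE_LISTINGS = {
    "WS-ALICE": (
        "These Windows services are started:\n"
        "\n"
        "   Application Information\n"
        "   DHCP Client\n"
        "   PsExec\n"
        "   Windows Update\n"
        "\n"
        "The command completed successfully.\n"
    ),
    "WS-BOB": (
        "These Windows services are started:\n"
        "\n"
        "   Application Information\n"
        "   DHCP Client\n"
        "   Windows Update\n"
        "\n"
        "The command completed successfully.\n"
    ),
    "WS-CAROL": (
        "These Windows services are started:\n"
        "\n"
        "   DHCP Client\n"
        "   PAExec\n"
        "   Windows Update\n"
        "\n"
        "The command completed successfully.\n"
    ),
}

if __name__ == "__main__":
    print(summarize(SAMPLE_LISTINGS))
```

Run it against the real share by replacing SAMPLE_LISTINGS with the contents of each <COMPUTERNAME>.txt; a host that appears in the output on more than one collection run, or whose matched service name does not correspond to a known admin session, is the one to look at first.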
 
LVL 53

Expert Comment

by:McKnife
ID: 40466939
@btan
Start the cmd as domain admin on your machine, then use psexec inside; that way, no password is transmitted in clear text, unless you submit different credentials once more.
0
 
LVL 62

Expert Comment

by:btan
ID: 40468120
Thanks McKnife :) It can indeed assume the role of the current login account unless using "-p" for other accounts to re-login. An instance of such is shared for information. I was thinking of the case where the remote "friendly" user wanted to use another account.
0
