Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 558
  • Last Modified:

PSEXE service found on user's workstation

Found the following service (psexe) running on a user's workstation. I understand that it is part of a suite of tools that some admins will use to help support an environment it is also a tool that can be used for malicious purposes. Are there any known applications that use this service?

e.g. Spiceworks, PRTG, Solarwinds, Adobe Creative Suite, SQL, etc.
0
dowhatyoudo22
Asked:
dowhatyoudo22
  • 2
  • 2
2 Solutions
 
McKnifeCommented:
I doubt very much that any software would use psexec as a helper because it will only be of any benefit if used remotely. And if such a software would like to do anything remotely, they would program an agent to be distributed on the remote system and not use psexec.

You should list all services on all systems, maybe use a startup script like this:
net start |findstr /I psexec && echo psexec present >\\server\share\%computername%.txt

to realize if only one system has this, or many.
0
 
btanExec ConsultantCommented:
I also think likewise, this tool is unlikely bundled together with those admin toolkits. Rather it is PsExec that potentially is running them if need to as sometimes, most may rely more on runas that come with OS to execute. But the latter is more "inconvenient" and not as flexible or powerful with more parameter to use within that single tool. Such as PsExec offers a -h option, which runs the specified executable on the remote system using the account's elevated token (if possible).

There is a "PSExec module" (or should I say modified version of PsExec included in the Metasploit Framework. Also trails of PsExec may be possible to sieve out as if it is malicious intent, they may modified the filename, binary etc to evade the baseline detection or scanning.. can try look at prefetch files for odd names, or even the actual name..., SMB enable and ADMIN$ exposed (like the metasploit article shared)etc

but more have heard about powershell but using it may be the true admin expert as compared to novice whom may still the PsExec commandline (running bat). it was in past AV may detect PsExec as remote admin trojan but that is not true in the long run, so I still believe it comes as itself and used as itself by users and admin. However, that does not stop other to better PsExec though having the same goal but claimed to be re-implemented with added "capability" over PSexec limitations. One such tool is PAExec. It stated it will scramble
the parameters to protect them from casual wire sniffers, but they are not encrypted. Instead the PSexec is sending in clear.
0
 
McKnifeCommented:
@btan
start the cmd as domain admin on your machine, then use psexec inside - that way, no password is transmitted in clear text, unless you submit different credentials once more.
0
 
btanExec ConsultantCommented:
thanks McKnife :) It can indeed assume the role of current login accounts unless using the "-p" for other accounts to relogin. An instance of such shared for information. I was thinking of case if the remote "friendly" user wanted to use other account.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now