PsExec going places…
December 25, 2017 in Anti-Forensics, Compromise Detection, Forensic Analysis, Incident Response
Update 2018-07-19
Today I came across an old post from @mbromileyDFIR, who wrote about it in 2016, so I am adding the link as it is a good article explaining the forensic artifacts associated with running PsExec.
Old Post
As a threat hunter you surely know that PSEXESVC.EXE is one of those nice signature-friendly artifacts that you will want to catch with your process/service creation rules. It is one of the easiest ways to spot lateral movement.
Unfortunately, there is a catch.
You see, for a number of years now PsExec has had a handy command-line argument, '-r', that lets you name the remote service as you like; this changes the artifacts it creates on the remote system.
You can test it by running the following command:
PsExec.exe -r foobar \\localhost cmd.exe
The tool will drop c:\WINDOWS\foobar.exe and start a service called 'foobar'.
The flag also causes the named pipes used by PsExec (-stdin, -stdout and -stderr) to be renamed (I forgot to mention it in the original post, thx to @spinning_monkey for reminding me).
I guess the original idea behind this flag was to allow multiple PsExec versions (or instances) to co-exist on the remote system, but the side effect is that you cannot detect PsExec by relying on the service or file name alone.
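Since the service name, the dropped file name and the pipe names are all operator-controlled, a rule that still fires has to key on the relationships between those artifacts rather than on the PSEXESVC string. The detection logic below is an added example for this post, not code from the original article or from Sysinternals. It runs over a few constructed log records shaped like Sysmon Event ID 17 (pipe created) and System log Event ID 7045 (service installed); the field names, the sample hostnames and the "service name equals the executable name under %SystemRoot%" heuristic are assumptions of the example, and the heuristic can match benign installers too, so treat hits as leads to correlate, not verdicts.

```python
import ntpath
import re
from typing import Dict, List, Optional

# PsExec names its I/O pipes "<service>-<hostname>-<pid>-<stream>". With -r the
# <service> part is whatever the operator chose, so match the shape and leave the
# service part free (lazy) while letting the hostname absorb any inner hyphens.
PSEXEC_PIPE_RE = re.compile(
    r"^\\(?P<svc>[^\\]+?)-(?P<host>.+)-(?P<pid>\d+)-(?P<stream>stdin|stdout|stderr)$",
    re.IGNORECASE,
)


def psexec_pipe_match(pipe_name: str) -> Optional[Dict[str, str]]:
    """Return the parsed service/host/pid/stream for a PsExec-style I/O pipe, else None.

    The bare control pipe (e.g. "\\foobar") has no distinctive shape on its own and is
    deliberately not matched; it only becomes interesting next to its -stdin/-stdout
    /-stderr siblings.
    """
    m = PSEXEC_PIPE_RE.match(pipe_name)
    return m.groupdict() if m else None


def psexec_service_install_match(event: Dict[str, str]) -> bool:
    """Heuristic for Event 7045 records (assumption of this example, not a Sysinternals
    contract): PsExec drops <name>.exe directly into %SystemRoot% and registers a service
    whose name equals that file's stem, whatever <name> is. Benign software can do the
    same, so this is a lead, not a verdict."""
    image = event.get("ImagePath", "").strip('"')
    directory, filename = ntpath.split(image)
    stem, ext = ntpath.splitext(filename)
    in_system_root = directory.lower() in ("%systemroot%", r"c:\windows")
    same_name = stem.lower() == event.get("ServiceName", "").lower()
    return ext.lower() == ".exe" and in_system_root and same_name


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Run both checks over a list of flattened event records and return findings."""
    findings: List[str] = []
    for e in events:
        if e.get("EventID") == "17":
            m = psexec_pipe_match(e.get("PipeName", ""))
            if m:
                findings.append(
                    f"psexec-style pipe: service={m['svc']} host={m['host']} pid={m['pid']}"
                )
        elif e.get("EventID") == "7045" and psexec_service_install_match(e):
            findings.append(
                f"psexec-style service install: {e['ServiceName']} -> {e['ImagePath']}"
            )
    return findings


# Constructed sample records (not real logs): a stock PsExec run, a run with
# "-r foobar", the bare control pipe, and two benign entries that must not fire.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7045", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": "17", "PipeName": r"\PSEXESVC-WIN-ABC-1234-stdin"},
    {"EventID": "7045", "ServiceName": "foobar", "ImagePath": r"C:\WINDOWS\foobar.exe"},
    {"EventID": "17", "PipeName": r"\foobar-DESKTOP1-5678-stdout"},
    {"EventID": "17", "PipeName": r"\foobar"},  # control pipe: no shape to key on
    {"EventID": "7045", "ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"EventID": "17", "PipeName": r"\lsass"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Against the sample records the renamed run is caught twice, once by the 7045 relationship and once by the pipe shape, while the bare control pipe and the benign spooler and lsass entries stay quiet. The remaining blind spot is an operator who also recompiles or patches the pipe naming scheme, which is why the service-install heuristic is kept as an independent second signal.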