PsExec going places…

December 25, 2017 in Anti-Forensics, Compromise Detection, Forensic Analysis, Incident Response

Update 2018-07-19

Today I came across an old post from @mbromileyDFIR, who wrote about it in 2016, so I am adding the link as it’s a good article explaining the forensic artifacts associated with running psexec.

Old Post

As a threat hunter you surely know that PSEXESVC.EXE is one of those nice signature-friendly artifacts that you will want to catch with your process/service creation rules. It’s one of the easiest ways to spot lateral movement.

Unfortunately, there is a catch.

You see, for a number of years now PsExec has had the nice command line argument ‘-r’, which lets you name the remote service as you like; this changes the artifacts it creates on the remote system.

You can test it by running the following command:

PsExec.exe -r foobar \\localhost cmd.exe

The tool will drop c:\WINDOWS\foobar.exe and will start the service called ‘foobar’.

The flag will cause the named pipes used by PsExec (-stdin, -stdout and -stderr) to be renamed as well (I forgot to mention it in the original post; thanks to @spinning_monkey for reminding me).

I guess the original idea behind the introduction of this flag was to allow multiple psexec versions (or instances) to co-exist on the remote system, but the side-effect is that you can’t detect psexec being present by relying on just a service / file name only.
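One way to detect the pattern without depending on the service or file name, added here as an example (it is not code from the post or from Sysinternals). It assumes Sysmon pipe-creation events (EID 17) and System log 7045 service-install records as input, that the dropped binary sits directly under %SystemRoot% and is named after the service (as the post shows), and that the per-session pipes follow the convention <service>-<host>-<pid>-std{in,out,err}; the sample records are constructed.

```python
"""Name-agnostic PsExec-style detection over constructed sample events."""
import re
from collections import defaultdict

# Pipe convention assumed: <service>-<host>-<pid>-std{in,out,err}. The -r flag changes the
# prefix, not the shape. Hostnames containing '-' would need matching against a known host list.
PIPE_RE = re.compile(r"^\\(?P<svc>[^\\]+?)-(?P<host>[^-\\]+)-(?P<pid>\d+)-std(?P<stream>in|out|err)$", re.I)
SVC_PATH_RE = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\(?P<exe>[^\\]+)\.exe$", re.I)

# Constructed sample records: Sysmon EID 17 (pipe created) and System EID 7045 (service installed).
SAMPLE_EVENTS = [
    {"id": 7045, "service": "foobar", "image": r"%SystemRoot%\foobar.exe"},
    {"id": 17, "pipe": r"\foobar-WKSTN01-4242-stdin"},
    {"id": 17, "pipe": r"\foobar-WKSTN01-4242-stdout"},
    {"id": 17, "pipe": r"\foobar-WKSTN01-4242-stderr"},
    {"id": 7045, "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 17, "pipe": r"\PIPE\srvsvc"},
]

def psexec_like_services(events):
    """7045 installs whose binary sits directly in %SystemRoot% and is named after the service."""
    hits = set()
    for e in events:
        if e.get("id") != 7045:
            continue
        m = SVC_PATH_RE.match(e["image"])
        if m and m.group("exe").lower() == e["service"].lower():
            hits.add(e["service"].lower())
    return hits

def psexec_pipe_sessions(events):
    """Group pipe creations by (service, host, pid); a complete stdin/stdout/stderr triple is a hit."""
    streams = defaultdict(set)
    for e in events:
        if e.get("id") != 17:
            continue
        m = PIPE_RE.match(e["pipe"])
        if m:
            streams[(m["svc"].lower(), m["host"], int(m["pid"]))].add(m["stream"])
    return {key for key, seen in streams.items() if seen == {"in", "out", "err"}}

def detect(events):
    """Correlate both signals: service names seen as a fresh install and as a full pipe triple."""
    svcs = psexec_like_services(events)
    return sorted(svc for (svc, _host, _pid) in psexec_pipe_sessions(events) if svc in svcs)

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Either signal alone is noisy (legitimate services live under %SystemRoot% too), so the correlation in detect() is the part worth keeping, and the service name itself is never part of the rule.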
