{"id":4520,"date":"2017-12-25T13:48:37","date_gmt":"2017-12-25T13:48:37","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4520"},"modified":"2018-07-19T00:23:14","modified_gmt":"2018-07-19T00:23:14","slug":"psexec-going-places","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2017\/12\/25\/psexec-going-places\/","title":{"rendered":"PsExec going places…"},"content":{"rendered":"

Update 2018-07-19<\/strong><\/p>\n

Today I came across an old post from @mbromileyDFIR<\/a> who wrote about it<\/a> in 2016 so adding link as it’s a good article explaining forensic artifacts associated with running psexec<\/p>\n

Old Post<\/strong><\/p>\n

As a threat hunter you surely know that PSEXESVC.EXE is one of these nice signature-friendly artifacts that you will want to catch with your process\/service creation rules. It’s one of the easiest way to spot the lateral movement.<\/p>\n

Unfortunately, there is a catch.<\/p>\n

You see, for a number of years now<\/a> the psexec has that nice command line argument ‘-r’ that allows you to create a service name as per your liking; this affects the artifacts it creates on the remote system.<\/p>\n

You can test it by running the following command:<\/p>\n

PsExec.exe -r foobar \\\\localhost cmd.exe<\/pre>\n
The tool will drop c:\\WINDOWS\\foobar.exe and will start the service called ‘foobar’:<\/p>\n
\"\"<\/a><\/p>\n
The flag will cause the named pipes used by Psexec (-stdin, -stdout and -stderr) to be renamed as well (I forgot to mention it in the original post, thx to @spinning_monkey<\/a> for reminding me).<\/p>\n
I guess the original idea behind the introduction of this flag was to allow multiple psexec versions (or instances) to co-exist on the remote system, but the side-effect is that you can’t detect psexec being present by relying on just a service \/ file name only.<\/p>\n","protected":false},"excerpt":{"rendered":"
Update 2018-07-19 Today I came across an old post from @mbromileyDFIR who wrote about it in 2016 so adding link as it’s a good article explaining forensic artifacts associated with running psexec Old Post As a threat hunter you surely … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,15,19,46],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4520"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4520"}],"version-history":[{"count":9,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4520\/revisions"}],"predecessor-version":[{"id":5158,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4520\/revisions\/5158"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}