Plugin Spotlight: Detecting PsExec
I was recently talking to my good friend Ed Skoudis about computer security incident response. An interesting question he asks organizations that are in "incident response" mode is, "Do you run PsExec?" PsExec is part of the Windows Sysinternals suite of tools; it installs a service on the target system that lets users administer Windows systems remotely from the command line. More information can be found on the PsExec download page, which also describes this functionality:
"PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like ipconfig that otherwise do not have the ability to show information about remote systems."
This tool can be very useful for Windows systems administrators. However, it is also used by attackers to control and maintain unauthorized access to compromised systems in a domain. A response Ed often gets to his question is "What is PsExec?", which makes it fairly obvious that legitimate system administrators in that environment are not using it. Since the tool is not included in a default Windows installation, any system in such an environment that is running the PsExec service could be under an attacker's control.
If you are interested in auditing your network for the presence of PsExec, you can check out Nessus plugin ID 53916, "PsExec Service Installed". Below is a sample of the plugin output:
The plugin detects PsExec whether or not an attacker is currently using it, because the PsExec service is left running on the remote system. An attacker would have to manually clean up the service on the system to erase all traces that PsExec was used. Note that this plugin requires credentials on the remote host. Run it against your environment and you might be surprised just how many hosts have been using PsExec.
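For readers who want a quick, credentialed check of their own before or alongside a Nessus scan, here is an added PowerShell example (not Tenable's plugin code) that looks for the traces PsExec leaves on a Windows host: the registered service, its binary under the Windows directory, and Service Control Manager "service installed" events (event ID 7045) in the System log. It assumes the service name PSEXESVC, which is the name PsExec registers on the remote system; the hostnames at the bottom are constructed placeholders.

```powershell
# Added example, not Tenable's plugin code. Checks a host for the traces PsExec
# leaves behind: the PSEXESVC service (the name PsExec registers), the service
# binary PsExec copies into the Windows directory over ADMIN$, and System log
# event 7045 entries recording that service's installation.
function Test-PsExecTraces {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$LookbackDays = 25   # same 25-day window the dashboard charts
    )

    $result = [ordered]@{
        ComputerName      = $ComputerName
        ServiceRegistered = $false
        ServiceState      = $null
        BinaryPresent     = $false
        InstallEvents     = 0
    }

    # 1. Is the service still registered, whether running or stopped?
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName `
           -Filter "Name='PSEXESVC'" -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServiceRegistered = $true
        $result.ServiceState      = $svc.State
    }

    # 2. Is the service binary still on disk in the remote Windows directory?
    $binary = "\\$ComputerName\ADMIN$\PSEXESVC.exe"
    $result.BinaryPresent = Test-Path -Path $binary

    # 3. Did the Service Control Manager log the service being installed (event 7045)
    #    within the lookback window? A hit here survives the service being removed.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'System'
        Id        = 7045
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PSEXESVC' }
    $result.InstallEvents = @($events).Count

    [pscustomobject]$result
}

# Constructed host list for illustration; replace with your own inventory.
# Only hosts showing at least one trace are printed.
'WKS-01', 'WKS-02', 'SRV-FILE-01' |
    ForEach-Object { Test-PsExecTraces -ComputerName $_ } |
    Where-Object { $_.ServiceRegistered -or $_.BinaryPresent -or $_.InstallEvents -gt 0 } |
    Format-Table -AutoSize
```

The three checks are deliberately independent: a service that was cleaned up may still have left its binary behind, and the 7045 event remains in the System log after both are gone, so a host that reports only InstallEvents is still worth a closer look.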
Tenable has produced a dashboard template that can be used with Security Center 4.2 (soon to be released). The dashboard lists 10 different LAN assets and charts the percentage of systems in each that are running PsExec. PsExec's presence in daily scan results is also charted for the past 25 days.