Plugin Spotlight: Detecting PsExec
I was recently talking to my good friend Ed Skoudis about computer security incident response. An interesting question he asks organizations that are in "incident response" mode is, "Do you run PsExec?" PsExec is part of the Windows Sysinternals’ suite of tools and implements a service that allows users to administer Windows systems remotely using the command line. More information can be found on the PsExec download page. It also contains functionality described as:
"PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like ipconfig that otherwise do not have the ability to show information about remote systems."
This tool may be really useful for Windows systems administrators. However, it is also a tool used by attackers to control and maintain unauthorized access to compromised systems in a domain. A response Ed often gets to his question is "what is PsExec?", making it fairly obvious that it is not in use in the environment by legitimate system administrators. This means that any system running the PsExec service could be controlled by an attacker since the tool is not included with a default Windows installation.
If you are interested in auditing your network for the presence of PsExec, you can check out Nessus plugin ID 53916, "PsExec Service Installed". Below is a sample of the plugin output:
It does not matter whether or not the PsExec service is currently in use by an attacker since the psexec service is left running on the remote system. An attacker would have to manually clean up the service on the system to erase all traces that PsExec was used. It should be noted that this plugin does require credentials on the remote host. Run it against your environment and you might be surprised just how many hosts have been using PsExec.
Enterprise Monitoring
Tenable has produced a dashboard template that can be used with Security Center 4.2 (soon to be released). The dashboard lists 10 different LAN assets and charts the percentage of systems in each that is running PsExec. PsExec's presence in daily scan results is also charted for the past 25 days.
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
- Nessus
- SecurityCenter