Plugin Spotlight: Detecting PsExec
I was recently talking to my good friend Ed Skoudis about computer security incident response. An interesting question he asks organizations that are in "incident response" mode is, "Do you run PsExec?" PsExec is part of the Windows Sysinternals’ suite of tools and implements a service that allows users to administer Windows systems remotely using the command line. More information can be found on the PsExec download page. It also contains functionality described as:
"PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like ipconfig that otherwise do not have the ability to show information about remote systems."
This tool may be really useful for Windows systems administrators. However, it is also a tool used by attackers to control and maintain unauthorized access to compromised systems in a domain. A response Ed often gets to his question is "what is PsExec?", making it fairly obvious that it is not in use in the environment by legitimate system administrators. This means that any system running the PsExec service could be controlled by an attacker since the tool is not included with a default Windows installation.
If you are interested in auditing your network for the presence of PsExec, you can check out Nessus plugin ID 53916, "PsExec Service Installed". Below is a sample of the plugin output:
It does not matter whether or not the PsExec service is currently in use by an attacker since the psexec service is left running on the remote system. An attacker would have to manually clean up the service on the system to erase all traces that PsExec was used. It should be noted that this plugin does require credentials on the remote host. Run it against your environment and you might be surprised just how many hosts have been using PsExec.
Enterprise Monitoring
Tenable has produced a dashboard template that can be used with Security Center 4.2 (soon to be released). The dashboard lists 10 different LAN assets and charts the percentage of systems in each that is running PsExec. PsExec's presence in daily scan results is also charted for the past 25 days.
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs
August 13, 2024Microsoft addresses 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild.
Compromising Microsoft's AI Healthcare Chatbot Service
August 13, 2024Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.
- Nessus
- SecurityCenter