PsExec Detection

Description

PsExec is a Microsoft Sysinternals utility that system administrators often run remote commands over. However, PsExec (and the Metasploit module of the same name) can also be exploited by attackers to compromise Windows machines through running commands and launching processes without needing specific software installed on the targeted machine. This bundle detects both legitimate and malicious PsExec usage.

Microsoft's PsExec tool connects to a hidden share through SMB, then uploads and runs a Windows service called psexesvc, before finally creating a pipe on the remote system. The pipe enables commands to be sent and output to be redirected back to the machine running PsExec.

Metasploit's PSExec module works in a similar way, but instead of the psexesvc service, it creates a randomly named service that contains code to establish a custom shell on the target.

The included dashboard displays devices running PsExec, targeted remote machines, the name of the service loaded on each remote machine, and commands run on the machines.

Bundle Contents

• (1) Trigger
  • PsExec Detection
• (1) Dashboard
  • PsExec Detection
• (2) Dynamic Groups
  • CIFS Clients
  • CIFS Servers
• (1) Record Format
  • smbPsExec
• (1) Record Query
  • SMB-PsExec Record

Requirements

Installation Instructions

1. Download the bundle on this page
2. Log into the ExtraHop Web UI and complete the following procedures
   • Upload and apply a bundle - When applying the bundle, check the Apply included assignments checkbox.
   • Enable the PsExec Detection trigger.