Evidence of Compromise: Metasploit's PSEXEC

Sunday, July 15, 2012

Rob Fuller


I was messing with the Windows service binaries in Metasploit and I noticed something unique I hadn't noticed before.

For the PSEXEC module, the service name (actually only the display name; the service name proper is random) always starts with an uppercase 'M'.

[Screenshot: the services list showing the psexec service with a display name beginning with 'M']

Curious as to why, I looked and found line 246 of the PSEXEC module to be the culprit:

[Screenshot: line 246 of the psexec module, where the display name is built from the leading 'M']

I can guess why the M is there. It might just be a quirk of old Windows versions that didn't allow lowercase service names; I'm not sure. Let's change it a bit. Looking around my XP VM, I found the perfect one to emulate ;-)

[Screenshot: the legitimate XP service whose display name is being emulated]

So, a quick edit to set display name = 'Service Events Notification' (I added the 's' because two services can't share a display name) and voilà!

[Screenshot: the psexec service now listed as 'Service Events Notification']

A less visually detectable psexec run. The service installation is still recorded in the System event log (Event ID 7045, "A service was installed in the system", from the Service Control Manager), so the evidence is there. However, how often do you look at your event logs?
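As an added example (my code, not part of the original post or of Metasploit), here is a small triage script over Event ID 7045 records that shows both sides of the point above: the default psexec display name ('M' followed by random letters) is easy to flag, and the edited, blended-in display name slips past that check but is still caught by looking at where the service binary lives. The event records are constructed for this example, not captured from a real host; the rule that the dropped binary is a random all-letter .exe directly under %SYSTEMROOT% is an assumption about how the module stages its payload, and the "Service Name" field is used as exported by the System log.

```python
import re

# Constructed sample export of Windows System-log Event ID 7045 records
# ("A service was installed in the system"), one record per block, using the
# field names the Service Control Manager writes. These are made up for this
# example: a default Metasploit psexec run, the same run with the display name
# edited to blend in, a legitimate service, and Sysinternals PsExec.
SAMPLE_7045 = """\
Service Name: MvQzkDnytRsUpLwa
Service File Name: %SYSTEMROOT%\\lGkJdsEc.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
---
Service Name: Service Events Notification
Service File Name: %SYSTEMROOT%\\oPxwVbqz.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
---
Service Name: Google Update Service (gupdate)
Service File Name: "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" /svc
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem
---
Service Name: PSEXESVC
Service File Name: %SystemRoot%\\PSEXESVC.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
"""

# Default Metasploit psexec display name: uppercase 'M' followed by random
# letters. Real display names starting with 'M' are usually words
# ("Messenger") or contain spaces, while random text mixes cases, so require
# letters only plus at least one further uppercase letter. A very short random
# suffix with no capitals would slip through, and names like "MySQL" will
# trip it; treat a hit as a triage signal, not proof.
MSF_DISPLAY_NAME = re.compile(r"^M(?=[A-Za-z]*[A-Z])[A-Za-z]+$")


def parse_7045(text):
    """Split a plain-text export of 7045 events into dicts keyed by field."""
    records = []
    for block in text.split("\n---\n"):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def looks_random_sysroot_binary(path):
    """Assumption: the psexec payload is a random all-letter .exe dropped
    straight under %SYSTEMROOT% (via ADMIN$). Flag a bare mixed-case
    alphabetic stem there; all-upper or all-lower names are left alone."""
    m = re.match(r"^(?:%systemroot%|c:\\windows)\\([A-Za-z]{6,16})\.exe$",
                 path, re.IGNORECASE)
    if not m:
        return False
    stem = m.group(1)
    return any(c.islower() for c in stem) and any(c.isupper() for c in stem)


def triage_7045(records):
    """Return [(service name, [reasons])] for records worth a second look."""
    hits = []
    for rec in records:
        name = rec.get("Service Name", "")
        path = rec.get("Service File Name", "")
        reasons = []
        if MSF_DISPLAY_NAME.match(name):
            reasons.append("display name is 'M' + random letters (psexec default)")
        if looks_random_sysroot_binary(path):
            reasons.append("random-looking .exe directly under %SYSTEMROOT%")
        if name.upper() == "PSEXESVC" or path.upper().endswith("\\PSEXESVC.EXE"):
            reasons.append("Sysinternals PsExec service")
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in triage_7045(parse_7045(SAMPLE_7045)):
        print(f"{name!r}: {'; '.join(reasons)}")
```

Feed it a real export (for instance the message text of `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}` on the target) and the edited display name still surfaces on the binary-location rule, which is the reason to key detections on what the attacker cannot easily change rather than on a cosmetic string.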

Cross-posted from Room362
