Evidence of Compromise - Metasploit's PSEXEC
Monday, June 25, 2012 at 2:27PM

I was messing with the Windows service binaries in Metasploit today and noticed something unique I hadn't seen before. For the PSEXEC module, the service display name (the actual service name is random) always started with an uppercase 'M'.

Curious as to why that was, I looked and found line 246 of the PSEXEC module to be the culprit:

I can guess why the M is there. It might just be a quirk of old Windows versions that didn't allow lowercase service names, but I'm not sure. Let's change it a bit. Looking around my XP VM, I found the perfect one to emulate ;-)

So, a quick edit to make it say display name = 'System Events Notification' (I added the 's' to 'Events' because two services can't share the same display name) and voilà!

A less visually detectable psexec run. However, how often do you look at your event logs? ;-)
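From the defender's side, the two artifacts this post describes (a random alphabetic service name, and a display name that is either 'M' plus random letters or a near-copy of a legitimate one) are exactly what the "alert on non-standard service names" idea in the comments would key on. The following is an added example, not code from the post or from Metasploit: it scores service-install records (the kind the Service Control Manager logs in the System log as Event ID 7045) against those three signals. The event records and the allowlist of known display names are constructed for the example and are not complete.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist: a small subset of legitimate display names, not a full inventory.
KNOWN_DISPLAY_NAMES = {"System Event Notification", "Windows Update", "Print Spooler", "Server"}

# Constructed sample service-install records as (service name, display name).
SAMPLE_EVENTS = [
    ("wuauserv", "Windows Update"),               # legitimate
    ("xWqpLzTe", "MfhGqLwPzRvbEEuO"),             # stock psexec style: random name, 'M' + letters
    ("qLmZtaKv", "System Events Notification"),   # the post's edit: lookalike display name
    ("Spooler", "Print Spooler"),                 # legitimate
]

def case_transition_ratio(name):
    """Fraction of adjacent letter pairs whose case differs. Random mixed-case
    alphabetic names score high; real names like 'wuauserv' or 'LanmanServer' score low."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / (len(letters) - 1)

def lookalike_of(display_name, known=KNOWN_DISPLAY_NAMES, threshold=0.9):
    """Return a known display name this one closely resembles without matching exactly
    (e.g. 'System Events Notification' next to 'System Event Notification'), else None."""
    for k in known:
        if display_name != k and SequenceMatcher(None, display_name.lower(), k.lower()).ratio() >= threshold:
            return k
    return None

def analyse(service_name, display_name):
    """Return the reasons a record looks like a psexec-style service install (empty if none)."""
    reasons = []
    if display_name not in KNOWN_DISPLAY_NAMES and re.fullmatch(r"M[A-Za-z]+", display_name):
        reasons.append("display name is 'M' followed by letters only (stock psexec pattern)")
    if case_transition_ratio(service_name) >= 0.5:
        reasons.append("service name looks random (mixed-case alphabetic)")
    lookalike = lookalike_of(display_name)
    if lookalike:
        reasons.append(f"display name imitates known service '{lookalike}'")
    return reasons

def find_suspicious(events):
    """Map each flagged service name to its reasons; legitimate records are omitted."""
    return {svc: analyse(svc, disp) for svc, disp in events if analyse(svc, disp)}

if __name__ == "__main__":
    for svc, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(svc, "->", "; ".join(reasons))
```

The case-transition heuristic is deliberately loose: a random name can by chance have few case flips, so treat it as one signal alongside the display-name checks rather than a verdict on its own.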
Rob Fuller | 3 Comments | incident response, psexec, user education
Reader Comments (3)
randomness-- ?
Nice work. It would have fooled me.
There should be some sort of Splunk alert mechanism that looks for non-standard service names.
P.S. Minor detail where you said "So, quick edit to make it say display name = 'Service Events Notification'" I think it's supposed to be "System Events Notification" as per the screenshot.