Have there been any executions of PsExeSvc?
ID: Q1037
Description: PsExec is a command-line tool that allows you to execute commands on remote computers. It is part of the Sysinternals suite of tools, which are a collection of free and open-source utilities for Windows system administration. It works by establishing a remote connection to the target computer and then executing the specified command. In order to do this, it copies an executable to the target system and installs a service to run that executable.
Approaches to Answer
- Examine Windows Prefetch for evidence of PsExeSvc [Q1037.10]
  - Parse Windows Prefetch files and look for PsExeSvc.
  - Tags: Windows Prefetch
- Examine Windows Event Logs for PsExeSvc executions [Q1037.11]
  - Parse the Windows Security Event Log and look for PsExeSvc processes being created.
  - Tags: Windows Event Logs
- Examine Windows Event Logs for PsExeSvc Service Installations [Q1037.12]
  - Parse the Windows Security Event Log and look for the PsExeSvc service being installed.
  - Tags: Windows Event Logs
Approaches
Note
There are often multiple ways to approach answering a question. This section explains the approaches considered, how they work, and any benefits or drawbacks to each. All these approaches have different pros and cons. They can be used individually or in conjunction.
Examine Windows Prefetch for evidence of PsExeSvc
🗂️ Explanation
Windows Prefetch files are designed to speed up application start times. To do this, they store information about recently launched applications, including the file name of the executable and the number of times it has been run.
References
📝 Notes
Each approach comes with certain caveats or limitations. These can often be tacit knowledge or assumed that "everyone knows that" (even though they don't). This can lead to incorrect assumptions and analysis. Explicitly stating what is covered and not covered by the approach reduces ambiguity.
Covered
- Executions of PsExeSvc on Windows systems with Prefetch enabled.
Not Covered
- Systems where the Prefetch service has been disabled.
- There is a maximum number of .pf files allowed by Windows (the number varies by Windows version). If too many other Prefetch files were created, the PsExec Prefetch file may have been deleted, and thus will not be parsed.
- Instances when the PsExeSvc executable has been renamed.
- Non-Windows systems, as the Prefetch service is Windows-only.
💾 Data
The following data source(s) are needed for this approach to the question.
- Description: Files used by the Windows Prefetch service.
- Type: ForensicArtifact
- Value: WindowsPrefetchFiles (view on GitHub)
⚙️ Processors
A processor is what takes the data collected and processes it in some way to produce structured data for an investigator to review. Multiple processor options can be defined, as there are often multiple programs capable of doing similar processing. Plaso is an example of a processor (it processes raw artifacts into a timeline). After the data is processed, additional analysis steps may be needed to answer the question.
The following processors can process the raw data specified above. Explicit instructions on how to run the processor are not included here, but any relevant configuration options are.
More information on Plaso.
Recommended options:
--parsers prefetch
📊 Analysis
After processing the raw data, further analysis steps are necessary to answer the question. After loading Plaso's output into one of these analysis platforms, use the following steps to refine the data to answer the question.
OpenSearch
- Filter the results to just Prefetch files for psexesvc.exe
- OpenSearch query: data_type:"windows:prefetch:execution" AND executable:psexesvc\.exe
Examine Windows Event Logs for PsExeSvc executions
🗂️ Explanation
Windows systems can be set to log new process creation events to the Security event log. The logs contain the new process name, process ID, parent process name, process creation time, and many more useful fields.
References
📝 Notes
Each approach comes with certain caveats or limitations. These can often be tacit knowledge or assumed that "everyone knows that" (even though they don't). This can lead to incorrect assumptions and analysis. Explicitly stating what is covered and not covered by the approach reduces ambiguity.
Covered
- Executions of PsExeSvc on Windows systems with logging enabled.
Not Covered
- Many factors can impact log retention; if the event log containing the relevant event has been deleted, it won't be found by this approach.
- Instances when the PsExeSvc executable has been renamed.
💾 Data
The following data source(s) are needed for this approach to the question.
- Description: Windows Event Log files
- Type: ForensicArtifact
- Value: WindowsEventLogs (view on GitHub)
⚙️ Processors
A processor is what takes the data collected and processes it in some way to produce structured data for an investigator to review. Multiple processor options can be defined, as there are often multiple programs capable of doing similar processing. Plaso is an example of a processor (it processes raw artifacts into a timeline). After the data is processed, additional analysis steps may be needed to answer the question.
The following processors can process the raw data specified above. Explicit instructions on how to run the processor are not included here, but any relevant configuration options are.
More information on Plaso.
Recommended options:
--parsers winevtx
📊 Analysis
After processing the raw data, further analysis steps are necessary to answer the question. After loading Plaso's output into one of these analysis platforms, use the following steps to refine the data to answer the question.
OpenSearch
- Filter the results to Process Creation events containing "psexesvc.exe"
- OpenSearch query: data_type:"windows:evtx:record" event_identifier:4688 source_name:Microsoft-Windows-Security-Auditing xml_string:"psexesvc.exe"
Examine Windows Event Logs for PsExeSvc Service Installations
🗂️ Explanation
Windows systems can be set to log new service installations to the System event log. The logs contain the new service name, service file name, and more. When used to access a remote system, PsExec installs a service (by default named PSEXESVC) on the target system.
References
📝 Notes
Each approach comes with certain caveats or limitations. These can often be tacit knowledge or assumed that "everyone knows that" (even though they don't). This can lead to incorrect assumptions and analysis. Explicitly stating what is covered and not covered by the approach reduces ambiguity.
Covered
- Installations of the PsExeSvc Service on Windows systems with logging enabled.
Not Covered
- Many factors can impact log retention; if the event log containing the relevant event has been deleted, it won't be found by this approach.
- Instances when the PsExeSvc service has been renamed.
💾 Data
The following data source(s) are needed for this approach to the question.
- Description: Windows Event Log files
- Type: ForensicArtifact
- Value: WindowsEventLogs (view on GitHub)
⚙️ Processors
A processor is what takes the data collected and processes it in some way to produce structured data for an investigator to review. Multiple processor options can be defined, as there are often multiple programs capable of doing similar processing. Plaso is an example of a processor (it processes raw artifacts into a timeline). After the data is processed, additional analysis steps may be needed to answer the question.
The following processors can process the raw data specified above. Explicit instructions on how to run the processor are not included here, but any relevant configuration options are.
More information on Plaso.
Recommended options:
--parsers winevtx
📊 Analysis
After processing the raw data, further analysis steps are necessary to answer the question. After loading Plaso's output into one of these analysis platforms, use the following steps to refine the data to answer the question.
OpenSearch
- Filter the results to Service Install events for PSEXESVC
- OpenSearch query: data_type:"windows:evtx:record" event_identifier:7045 source_name:"Service Control Manager" xml_string:"Name=\"ServiceName\">PSEXESVC"
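The three OpenSearch queries on this page (Prefetch executions, Security 4688 process creations, and System 7045 service installations) can also be applied directly to Plaso's JSON-lines output, which is useful when no OpenSearch instance is available or when the three kinds of evidence should be lined up on one timeline. The following is an added example, not code from the DFIQ page or from Plaso. It assumes Plaso's `json_line` output format and the field names used in the queries above (`data_type`, `executable`, `run_count`, `event_identifier`, `source_name`, `xml_string`); the sample records are constructed, and every timestamp, hash, host name and path in them is invented.

```python
import json
import re

# Constructed sample of Plaso JSON-lines output (psort.py -o json_line). Field names
# follow Plaso's "windows:prefetch:execution" and "windows:evtx:record" event data;
# every value below (timestamps, hash, host name, paths) is made up for this example.
SAMPLE_PLASO_JSONL = r"""
{"timestamp": "2024-01-15T10:02:11+00:00", "data_type": "windows:prefetch:execution", "executable": "PSEXESVC.EXE", "prefetch_hash": 2886593044, "run_count": 3}
{"timestamp": "2024-01-15T09:58:40+00:00", "data_type": "windows:prefetch:execution", "executable": "CMD.EXE", "prefetch_hash": 1120629473, "run_count": 42}
{"timestamp": "2024-01-15T10:02:10+00:00", "data_type": "windows:evtx:record", "event_identifier": 4688, "source_name": "Microsoft-Windows-Security-Auditing", "computer_name": "WS01.example.test", "xml_string": "<EventData><Data Name=\"SubjectUserName\">admin</Data><Data Name=\"NewProcessName\">C:\\Windows\\PSEXESVC.exe</Data><Data Name=\"ParentProcessName\">C:\\Windows\\System32\\services.exe</Data></EventData>"}
{"timestamp": "2024-01-15T10:05:02+00:00", "data_type": "windows:evtx:record", "event_identifier": 4688, "source_name": "Microsoft-Windows-Security-Auditing", "computer_name": "WS01.example.test", "xml_string": "<EventData><Data Name=\"SubjectUserName\">admin</Data><Data Name=\"NewProcessName\">C:\\Windows\\System32\\notepad.exe</Data><Data Name=\"ParentProcessName\">C:\\Windows\\explorer.exe</Data></EventData>"}
{"timestamp": "2024-01-15T10:02:09+00:00", "data_type": "windows:evtx:record", "event_identifier": 7045, "source_name": "Service Control Manager", "computer_name": "WS01.example.test", "xml_string": "<EventData><Data Name=\"ServiceName\">PSEXESVC</Data><Data Name=\"ImagePath\">%SystemRoot%\\PSEXESVC.exe</Data><Data Name=\"ServiceType\">user mode service</Data><Data Name=\"StartType\">demand start</Data></EventData>"}
{"timestamp": "2024-01-14T08:00:00+00:00", "data_type": "windows:evtx:record", "event_identifier": 7045, "source_name": "Service Control Manager", "computer_name": "WS01.example.test", "xml_string": "<EventData><Data Name=\"ServiceName\">ExampleBackupSvc</Data><Data Name=\"ImagePath\">C:\\Program Files\\Example\\backup.exe</Data><Data Name=\"ServiceType\">user mode service</Data><Data Name=\"StartType\">auto start</Data></EventData>"}
"""

# Matches one <Data Name="...">value</Data> element of an EventData block.
_DATA_RE = re.compile(r'<Data Name="(?P<name>[^"]+)">(?P<value>[^<]*)</Data>')


def event_data(xml_string):
    """Return the EventData name/value pairs of an event record as a dict."""
    return {m.group("name"): m.group("value") for m in _DATA_RE.finditer(xml_string)}


def is_prefetch_psexesvc(rec):
    """Approach 1: data_type:"windows:prefetch:execution" AND executable:psexesvc\\.exe.
    Plaso stores the executable name as it appears in the .pf file name (upper case),
    and OpenSearch lower-cases analysed text, so the comparison is case-insensitive."""
    return (rec.get("data_type") == "windows:prefetch:execution"
            and rec.get("executable", "").lower() == "psexesvc.exe")


def is_process_creation_psexesvc(rec):
    """Approach 2: Security 4688 records whose XML mentions psexesvc.exe anywhere.
    The page's query searches the whole xml_string, so NewProcessName, CommandLine
    and ParentProcessName can all produce a hit; this mirrors that behaviour."""
    return (rec.get("data_type") == "windows:evtx:record"
            and rec.get("event_identifier") == 4688
            and rec.get("source_name") == "Microsoft-Windows-Security-Auditing"
            and "psexesvc.exe" in rec.get("xml_string", "").lower())


def is_service_install_psexesvc(rec):
    """Approach 3: System 7045 records whose ServiceName is PSEXESVC. This compares the
    extracted field value, whereas the OpenSearch phrase query matches analysed tokens
    in xml_string; both find the default service name."""
    if (rec.get("data_type") != "windows:evtx:record"
            or rec.get("event_identifier") != 7045
            or rec.get("source_name") != "Service Control Manager"):
        return False
    service_name = event_data(rec.get("xml_string", "")).get("ServiceName", "")
    return service_name.upper() == "PSEXESVC"


def find_psexesvc_evidence(jsonl_text):
    """Run all three approaches over Plaso JSON-lines text. Returns one list of
    matching records per approach, each sorted by timestamp."""
    hits = {"prefetch": [], "process_creation": [], "service_install": []}
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if is_prefetch_psexesvc(rec):
            hits["prefetch"].append(rec)
        if is_process_creation_psexesvc(rec):
            hits["process_creation"].append(rec)
        if is_service_install_psexesvc(rec):
            hits["service_install"].append(rec)
    for records in hits.values():
        records.sort(key=lambda r: r["timestamp"])
    return hits


def summarize(hits):
    """Flatten the hits into (timestamp, approach, detail) tuples ordered by time, so
    the service install, process creation and Prefetch entries can be read together."""
    rows = []
    for rec in hits["prefetch"]:
        rows.append((rec["timestamp"], "prefetch", f"{rec['executable']} run_count={rec['run_count']}"))
    for rec in hits["process_creation"]:
        rows.append((rec["timestamp"], "process_creation", event_data(rec["xml_string"]).get("NewProcessName", "")))
    for rec in hits["service_install"]:
        data = event_data(rec["xml_string"])
        rows.append((rec["timestamp"], "service_install", f"{data.get('ServiceName')} -> {data.get('ImagePath')}"))
    return sorted(rows)


if __name__ == "__main__":
    for timestamp, approach, detail in summarize(find_psexesvc_evidence(SAMPLE_PLASO_JSONL)):
        print(f"{timestamp}  {approach:17}  {detail}")
```

Run against real output (`psort.py -o json_line -w out.jsonl plaso.dump`), the summary puts the 7045 service install, the 4688 process creation and the Prefetch last-run time next to each other, which is the ordering an analyst would expect from a single PsExec session. The caveats from the Notes sections still apply: a renamed service or executable, a purged Prefetch file, or rotated event logs will simply produce no rows for that approach, so an empty list is "no evidence found", not "did not happen".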