Installations of the PsExec tool Report

Looking for a BigFix report, run for the enterprise, to look for installations of the PsExec tool, with positive or negative for the PsExec criteria please.

Do you have BigFix Inventory? That should be detecting it.

No Jason, can we do this by Analysis?

You'd need to take an Action to get a directory listing, searching for psexec.exe. Save the resulting file list in a text file, and use an Analysis to read the results list.

This is very similar to the SolarWinds detections, Method 2, described in the DHS Emergency Directive 21-01 - Sunburst - SolarWinds thread, which you can use as a good reference.

Since PsExec checks to see if the EULA has been accepted at startup, one way is to query the registry where acceptance is stored:

(exists value "EulaAccepted" whose ("1" = it as integer as hexadecimal) of keys "Software\Sysinternals\PsExec" of keys of keys "HKEY_USERS" of (x64 registries; x32 registries))

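As an added example that was not posted in this thread and is not BigFix-supplied code, the following PowerShell script combines the two approaches above into one job an Action could run on a Windows endpoint: it searches fixed drives for psexec*.exe and writes the hits to a text file for an Analysis to read, and it checks every loaded user hive under HKEY_USERS for the EulaAccepted value, which is the same condition the relevance expression tests. The output path and the tab-separated line layout are assumptions, not BigFix defaults.

```powershell
# Added example (not from the thread): a script a BigFix Action could run on an endpoint.
# (1) Walks fixed drives for psexec*.exe and records each hit.
# (2) Records every loaded user hive whose Software\Sysinternals\PsExec\EulaAccepted is 1,
#     which shows PsExec was started (or /accepteula was passed) even if the exe was later deleted.
# The output path is an assumption; point it wherever your Analysis property reads from.
$OutFile = 'C:\ProgramData\BigFix\psexec_scan.txt'   # assumed path, not a BigFix default

$results = New-Object System.Collections.Generic.List[string]

# (1) File search: fixed local drives only; access-denied errors are suppressed so the scan completes.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Filter 'psexec*.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # One tab-separated line per hit: marker, full path, size, last write time (ISO 8601).
            $results.Add("FILE`t$($_.FullName)`t$($_.Length)`t$($_.LastWriteTime.ToString('s'))")
        }
}

# (2) Registry check, mirroring the relevance in the thread. Only hives of currently loaded
# profiles appear under HKEY_USERS, so users who are not logged on are not covered here.
Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
    $sid = $_.PSChildName
    $key = "Registry::HKEY_USERS\$sid\Software\Sysinternals\PsExec"
    $val = Get-ItemProperty -Path $key -Name 'EulaAccepted' -ErrorAction SilentlyContinue
    if ($val -and $val.EulaAccepted -eq 1) {
        $results.Add("EULA`t$sid")
    }
}

# Always write something, so the Analysis can distinguish "scanned, nothing found" from "never ran".
if ($results.Count -eq 0) { $results.Add('NONE') }
Set-Content -Path $OutFile -Value $results -Encoding ASCII
```

An Analysis property can then read the lines of that file: a FILE line gives the path of a binary still on disk, an EULA line gives a user SID that has run PsExec at some point, and NONE means the scan completed with neither. Keeping the two markers separate preserves the distinction made in the thread between "PsExec was run here" and "PsExec is still present here".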

A great way to see if PsExec has potentially been run, though it doesn't necessarily indicate that the executable still exists or where. With some Sysinternals tools we have run them via an Action and passed the /accepteula argument, which would then create that registry data, though the actual exe would be purged after running, so the registry data still exists but the file is no longer on the system.