Evidence of Compromise - Metasploit's PSEXEC

Was messing with the Windows service binaries in Metasploit today and I noticed something unique I hadn’t noticed before. For the PSEXEC module, the service name (actually just the display name, ‘service name’ is random) always started with an uppercase ‘M’.

Curious to why that was I looked and found Line 246 of the PSEXEC module to be the culprit:

I can guess why the M is there. Might be just a quirk with old Windows versions that didn’t allow lowercase service names, not sure. Lets change it a bit. Looking around my XP VM I found the perfect one to emulate ;-)

So, quick edit to make it say display name = ‘System Events Notification’ (added the (s) because services can’t have the same display name) and WA LA!

A less visually detectable psexec run. However, how often do you look at your Event logs? ;-)