Evidence of Compromise - Metasploit's PSEXEC


I was messing with the Windows service binaries in Metasploit today and noticed something I hadn't seen before. For the PSEXEC module, the service name (actually just the display name; the actual 'service name' is random) always started with an uppercase 'M'.


Curious as to why that was, I looked and found line 246 of the PSEXEC module to be the culprit:


I can guess why the M is there. It might just be a quirk with old Windows versions that didn't allow lowercase service names, not sure. Let's change it a bit. Looking around my XP VM, I found the perfect one to emulate ;-)


So, a quick edit to make it say display name = 'System Events Notification' (added the 's' because two services can't have the same display name) and voilà!


A less visually detectable psexec run. However, how often do you look at your Event logs? ;-)
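Since the post ends on the Event logs, here is what looking at them could catch. The following is an added example, not code from the post and not Metasploit code: it triages records shaped like Service Control Manager 7045 events ("A service was installed in the system") for the two things described above, a display name in Metasploit's default form (uppercase 'M' followed by a random run of characters) and a display name edited to sit one character away from a legitimate one. The sample records are constructed; the field names ServiceName/ImagePath are assumed to mirror the 7045 event data; the allow-list of legitimate display names and the "random binary dropped in the Windows directory" check are assumptions added here, and the randomness test is a heuristic rather than a signature.

```python
"""Added example: triage constructed 7045-style service-install records for
Metasploit psexec's default display name and for lookalike display names.
Not the post's code and not Metasploit's. Field names and the allow-list
below are assumptions made for the example."""
import re

# Constructed sample records shaped like 7045 event data (not a real export).
SAMPLE_7045 = [
    {"ServiceName": "MqTvBhXkPwLsRdNc",            # Metasploit-style default name
     "ImagePath": r"\\?\C:\WINDOWS\XkMdnQpa.exe"},
    {"ServiceName": "System Events Notification",  # the post's edited display name
     "ImagePath": r"C:\WINDOWS\ZpMkqWel.exe"},
    {"ServiceName": "Mozilla Maintenance Service", # benign, also starts with 'M'
     "ImagePath": r"C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe"},
    {"ServiceName": "Windows Update",              # benign
     "ImagePath": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
]

# Hypothetical allow-list of legitimate display names to compare against.
KNOWN_DISPLAY_NAMES = [
    "System Event Notification",
    "Mozilla Maintenance Service",
    "Windows Update",
    "Task Scheduler",
]


def looks_random(token: str) -> bool:
    """Heuristic: 8+ alphanumerics that are heavily mixed-case or nearly
    vowel-free. Generated names such as 'MqTvBhXkPwLsRdNc' hit this; real
    words such as 'maintenanceservice' do not."""
    s = re.sub(r"[^A-Za-z0-9]", "", token)
    if len(s) < 8:
        return False
    upper = sum(c.isupper() for c in s) / len(s)
    vowels = sum(c.lower() in "aeiou" for c in s) / len(s)
    return upper >= 0.35 or vowels < 0.15


def binary_stem(image_path: str) -> str:
    """Base name of the service binary without extension or arguments."""
    first = image_path.strip('"').split("\\")[-1].split()[0]
    return re.sub(r"\.exe$", "", first, flags=re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to spot one-character display-name edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(records, known=KNOWN_DISPLAY_NAMES):
    """Return [(display_name, [reasons])] for the records worth a look."""
    findings = []
    for rec in records:
        name, path = rec["ServiceName"], rec["ImagePath"]
        reasons = []
        # 1. Metasploit psexec default: 'M' plus a random run, as the post observed.
        if re.fullmatch(r"M[A-Za-z0-9]+", name) and looks_random(name):
            reasons.append("metasploit-default-display-name")
        # 2. Near-miss of a legitimate display name (the post's added 's').
        for legit in known:
            if name.lower() != legit.lower() and levenshtein(name.lower(), legit.lower()) <= 2:
                reasons.append(f"lookalike-of:{legit}")
        # 3. Randomly named binary under the Windows directory (assumption made
        #    for the example: the uploaded service binary lands there).
        if "\\windows\\" in path.lower() and looks_random(binary_stem(path)):
            reasons.append("random-binary-in-windows-dir")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_7045):
        print(f"{name!r}: {', '.join(reasons)}")
```

The renamed display name defeats check 1 but not check 2 or check 3: the install event is still written, and the binary the service points at still has to live somewhere. To run this against a real host, export the System log's 7045 records (for example with wevtutil or Get-WinEvent) into the same field shape and pass them to triage(); extend KNOWN_DISPLAY_NAMES from a clean baseline of the build you are defending.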