Home page logo

metasploit logo Metasploit mailing list archives

windows/smb/psexec is getting detected
From: Mark <maark86 () gmail com>
Date: Mon, 17 May 2010 02:49:30 -0700

I can confirm that the most recent windows/smb/psexec exploit gets detected
by Symantec Endpoint Protection. It seems that Symantec isn't detecting the
msf-generated executable, which is well randomized. Maybe the psexec
exploitation process is heuristically easy to detect? I'm really not sure
what could be setting it off, but I am a big fan of the psexec exploit and I
would hate to see it lose it's "excellent" rating...

Here's a log of the detection, on the console side:

[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \aXecRCwF.exe...
[*] Exploit completed, but no session was created.

On the victim side, it pops up an AV warning for "Backdoor.Trojan" or
something like that, with the executable's random filename. We're using
Symantec Endpoint Protection v.11.0.5xxx.xxx and it's at r25 right now.
Depending on endpoint protection for network security is really weak, but
this detection could ruin my chances of convincing anyone to that end! I can
provide a working copy of our Symantec setup if it would be helpful. Any
help would be greatly appreciated!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]