mailing list archives
Re: windows/smb/psexec getting detected
From: Ron <ron () skullsecurity net>
Date: Mon, 17 May 2010 07:29:10 -0500
On Mon, 17 May 2010 02:54:22 -0700 Mark <maark86 () gmail com> wrote:
Sorry to send two emails, but until this gets worked out, is there
anything I can do for an interim fix? Maybe something using irb? I
could probably get away with just using the core psexec /
pass-the-hash functionality to exploit remotely, is that easy to do?
I realize this is shameless self promotion, but you can use Nmap's smb-psexec.nse script (that I wrote). But, if it's a
heuristic detection, you might be outta luck -- it's pretty easy to detect psexec heuristically, I suspect.
Are you sure it isn't just the payload getting detected, though? The actual psexec simply logs into the machine,
uploads the payload, and creates a service pointing to the payload. Not a lot going on.