PsExec can be a very useful tool during incident response and live forensics work. For those that don’t know, PsExec is a tool that can be used to execute commands on a remote Windows computer and was initially developed by Sysinternals, which is now owned by Microsoft (additional details can be found on PsExec’s webpage).
However, it seems that PsExec has one significant shortfall – when utilizing the tool one must provide administrator-level credentials for the remote PC. These credentials are passed in the clear to the remote workstation (thus exposing the credentials to anyone who happens to be “listening in” on the network). Thankfully, there is a workaround that can prevent this exposure from occurring, which involves connecting to the IPC$ share on the target workstation first (with the admin credentials), prior to executing PsExec, so that PsExec reuses the already-authenticated session instead of sending the password itself.
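The workflow described above, as an added example that is not part of the original post or of the SANS write-up it points to. The hostname, account name and the command run on the remote host are placeholders I made up; `net use` and the `-accepteula` switch are standard Windows / PsExec usage.

```powershell
# Added example: authenticate to the target's IPC$ share before invoking
# PsExec, so PsExec rides on the existing SMB session rather than passing
# the admin credentials itself.
$Target  = 'WS-INCIDENT-01'   # placeholder hostname (constructed)
$Account = 'CORP\ir-admin'    # placeholder admin account (constructed)
$Share   = '\\{0}\IPC$' -f $Target

# 1. Open the authenticated session first. The '*' makes net use prompt for
#    the password interactively instead of leaving it on the command line
#    or in shell history.
net use $Share * /user:$Account
if ($LASTEXITCODE -ne 0) { throw "Could not connect to $Share" }

# 2. Run PsExec WITHOUT -u / -p. Because a session to the host already
#    exists, PsExec does not need (and is not given) the credentials.
#    The remote command here is just a harmless placeholder for the
#    live-response work you would actually do.
psexec -accepteula ('\\{0}' -f $Target) cmd /c 'ipconfig /all'

# 3. Tear the session down once the live-response work is finished.
net use $Share /delete
```

Run this from an elevated PowerShell or cmd prompt on the analysis workstation with `psexec.exe` on the path. The important detail is the order: the `net use` to IPC$ must complete successfully before PsExec is launched, and PsExec must be called without `-u`/`-p`, otherwise it falls back to sending the credentials on its own.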
To find out more, check out an excellent write-up on this issue and the workaround found on the SANS Computer Forensics blog, titled Protecting Admin Passwords During Remote Response and Forensics.