So this is a bit of a weird one, and more of an experimental idea than something I actually use in production. A friend of mine is using my PSexec monitoring script. He just has a couple of issue with that; he’s running an application that actively uses psexec to create some elevation. That’s quite annoying because he lost the ability to monitor weird behavior for that client.

To solve that, this is an alternative monitoring script that monitors any SYSTEM running application that does not have the session ID 0. Session ID 0 is normally only used for services, and things that are supposed to be running as SYSTEM. When you have an application running under any other session ID it means it has used an interactive logon; such as psexec stimulates or other remote execution tools.

Some applications might run as an interactive session, on my machine for example the Realtek audio suite does, you’ll need to exclude those processes.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

$ExcludedList = "RtkAuduService64","Winlogon","SomeRMMApp"

$StrangeProcesses = get-process -IncludeUserName | Where-Object {$_.username -like "\*SYSTEM" -and $_.SessionId -ne 0 -and $\_.ProcessName -notin $ExcludedList}

if($StrangeProcesses){
Write-Host "Processes found running as system inside an interactive session. Please investigate"
$StrangeProcesses
} else {
write-host "Healthy. No processes found."
}

So with this, you’ll have a potential early warning system that is able to monitor weird execution in your environment. I’ve tested this with several tricks to self elevate and it was able to catch them early. 🙂

As always, Happy PowerShelling 🙂