Monitoring with PowerShell: Monitoring interactive system execution

So this is a bit of a weird one, and more of an experimental idea than something I actually use in production. A friend of mine is using my PSexec monitoring script. He just has a couple of issue with that; he’s running an application that actively uses psexec to create some elevation. That’s quite annoying because he lost the ability to monitor weird behavior for that client.

To solve that, this is an alternative monitoring script that monitors any SYSTEM running application that does not have the session ID 0. Session ID 0 is normally only used for services, and things that are supposed to be running as SYSTEM. When you have an application running under any other session ID it means it has used an interactive logon; such as psexec stimulates or other remote execution tools.

Some applications might run as an interactive session, on my machine for example the Realtek audio suite does, you’ll need to exclude those processes.

$ExcludedList = "RtkAuduService64","Winlogon","SomeRMMApp"

$StrangeProcesses = get-process -IncludeUserName | Where-Object {$_.username -like "*SYSTEM" -and $_.SessionId -ne 0 -and $_.ProcessName -notin $ExcludedList}

if($StrangeProcesses){
    Write-Host "Processes found running as system inside an interactive session. Please investigate"
    $StrangeProcesses
} else {
    write-host "Healthy. No processes found."
}

So with this, you’ll have a potential early warning system that is able to monitor weird execution in your environment. I’ve tested this with several tricks to self elevate and it was able to catch them early. ๐Ÿ™‚

As always, Happy PowerShelling ๐Ÿ™‚

1 Comment

  1. Olivier September 1, 2021 at 4:33 pm

    As always, Interesting and useful post ๐Ÿ™‚

    Some comments :
    1) My system is running of french OS, then it’s not “System”, but “Systรจme”. Never mind, I’m correct this using *syst*”
    2) On my Personal computer, I’ve some process running with this first filter, but the SessionID = 1
    Name SessionId
    —- ———
    NVDisplay.Container 1
    rundll32 1
    winlogon 1
    This Process are legitimate, then, don’t forget to adjust the $ExcludedList var to your need.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.