Key Components and Their Roles

PsExec:

• Purpose: Enables the agent to perform remote machine scans by facilitating communication with target devices.
• When Needed: PsExec is only required for remote scans. If the agent is scanning its own host (local machine), PsExec is not utilized.

SDelete and SDelete64:

• Purpose: Securely deletes files identified during data scans as containing sensitive information.
• How It Works: These tools ensure that flagged files are irretrievably removed to mitigate risks of data exposure.
• When Needed: Only used when performing data scans and sensitive data deletion is required.

Common Concerns

Security Risks of PsExec and SDelete:
These tools are industry-recognized for their effectiveness in scanning and remediation but are also known to be abused in other contexts. CYRISMA employs these tools responsibly within the scope of its scanning operations.

When They Are Not Required:

• PsExec is unnecessary if scanning is limited to the local host.
• SDelete and SDelete64 are not used unless a data scan is configured to flag and delete sensitive files.

Recommendations and Best Practices

• Compensating Controls:
  • Restrict the use of PsExec and SDelete based on your organization’s security policies.
  • Limit agent deployment to roles where these tools are essential.
• Tailored Deployment:
  • If these tools raise concerns, consider restricting the scanning functionality or excluding data scans requiring sensitive file deletion.