WithSecure alerts regarding PAExec used by Medulla
Applies to: Medulla / WithSecure Elements
Version: All
Environment: Windows / On-Premise / SaaS
Category: Security / EDR / Remote Execution
Context
Medulla uses PAExec, an open-source equivalent of the Sysinternals PsExec tool, to perform remote actions on managed Windows workstations:
- Application deployment
- Running scheduled scripts
- Orchestrating tasks from the application kiosk
- Remediation or maintenance actions
Important:
Any security exclusion measures (EDR, antivirus, allowlist) must be regularly reassessed to ensure they remain relevant given the context, software versions, and your security policy.
It is recommended to apply the most restrictive exclusions possible.
In Medulla, this mechanism is used in particular by the component:
scheduling_launch_kiosk.py
PAExec intentionally behaves similarly to PsExec, a legitimate tool widely used by system administrators but also known as a lateral movement vector in certain attack scenarios.
Modern EDR solutions, including WithSecure Elements, therefore monitor this type of behavior by default.
Why does WithSecure detect a file named PAExec-XXXX-workstation.exe?
PAExec operates using a temporary mechanism:
- The Medulla PAExec binary is copied to the target workstation
- The temporary copy is placed in C:\Windows\
- This copy is executed as a temporary Windows service
- The file is automatically deleted at the end of the operation
The file name is dynamic:
C:\WINDOWS\PAExec-<PID>-<ComputerName>.exe
Example:
C:\WINDOWS\PAExec-2124-CSE-SDN-ALV-02.exe
The original Medulla executable remains:
C:\Program Files\Medulla\bin\paexec.exe
Information:
The EDR primarily detects the temporary copy placed in C:\Windows\, not the original Medulla binary.
Why does PAExec run under the NT AUTHORITY\SYSTEM account?
This behavior is normal.
The PAExec execution cycle occurs in two phases:
- The Medulla binary copies itself to C:\Windows\PAExec-*.exe
- The copy is installed and started as a temporary Windows service
This second phase runs under:
NT AUTHORITY\SYSTEM
with the argument:
-service
Expected behavior:
Running as SYSTEM and using the -service argument are normal in the Medulla context.
What Windows events are generated?
| ID | Log | Description | Expected |
|---|---|---|---|
| 7045 | System | Installation of the temporary PAExec service | ✅ Yes |
| 7036 | System | Starting (and later stopping) the PAExec service | ✅ Yes |
| 5145 | Security | Access to the Admin$ share | ✅ Yes |
| 5145 | Security | Access to the stdin/stdout/stderr named pipes (via the IPC$ share) | ✅ Yes |
| 4648 | Security | Authentication with explicit credentials | ✅ Possible |
Events on the named pipes:
*-stdin
*-stdout
*-stderr
are closely monitored by EDR solutions because they are characteristic of PsExec/PAExec operations.
Note: event 5145 is only written when the "Audit Detailed File Share" subcategory is enabled in the audit policy; it is not enabled by default, so the Security log may show no trace of the share or pipe access even though the EDR still sees it.
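The following PowerShell script is an added example, not code from Medulla or WithSecure. It hunts the local System log for 7045 service-installation events that look like PAExec and checks each one against the footprint this page describes: image path of the form C:\Windows\PAExec-<PID>-<ComputerName>.exe, the -service argument, and the LocalSystem account. If the temporary copy still exists (a task in flight), its SHA256 is compared with the Medulla source binary. The install path and the 7-day lookback are assumptions; adjust them to your environment.

```powershell
# Added example (not Medulla or WithSecure code): review 7045 events for PAExec services.
# Assumptions: default Medulla install path; the temporary copy is normally already
# deleted when the script runs, so the hash check only succeeds for a task still in flight.

$SourceBinary = 'C:\Program Files\Medulla\bin\paexec.exe'   # assumed install path
$Lookback     = (Get-Date).AddDays(-7)                        # assumed review window

# Expected ImagePath recorded in 7045: C:\Windows\PAExec-<PID>-<ComputerName>.exe -service
# (-match is case-insensitive, so C:\WINDOWS and C:\Windows both match)
$ExpectedImage = '^"?C:\\WINDOWS\\PAExec-\d+-' + [regex]::Escape($env:COMPUTERNAME) + '\.exe"?\s+-service\s*$'

$expectedHash = $null
if (Test-Path -LiteralPath $SourceBinary) {
    $expectedHash = (Get-FileHash -LiteralPath $SourceBinary -Algorithm SHA256).Hash
}

Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Lookback } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields from the event XML instead of relying on property order
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep only service installations that reference PAExec by name or image path
        if ($data['ServiceName'] -notlike 'PAExec*' -and $data['ImagePath'] -notlike '*PAExec*') { return }

        $image    = $data['ImagePath']
        $pathOk   = $image -match $ExpectedImage
        $acctOk   = $data['AccountName'] -eq 'LocalSystem'     # how 7045 reports NT AUTHORITY\SYSTEM
        $filePath = $image -replace '^"?([^"]+\.exe)"?.*$', '$1'

        # The temporary copy is deleted when the task ends; hash it only if it is still present
        $hashStatus = 'file already removed'
        if ($expectedHash -and (Test-Path -LiteralPath $filePath)) {
            $h = (Get-FileHash -LiteralPath $filePath -Algorithm SHA256).Hash
            if ($h -eq $expectedHash) { $hashStatus = 'matches Medulla paexec.exe' }
            else                      { $hashStatus = 'DOES NOT MATCH source binary' }
        }

        if ($pathOk -and $acctOk) { $verdict = 'consistent with Medulla footprint' }
        else                      { $verdict = 'REVIEW: deviates from documented footprint' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            Service   = $data['ServiceName']
            ImagePath = $image
            Account   = $data['AccountName']
            PathOk    = $pathOk
            AccountOk = $acctOk
            Hash      = $hashStatus
            Verdict   = $verdict
        }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a managed workstation. A PAExec service whose image path is outside C:\Windows\, carries a foreign computer name, or runs without -service does not match what Medulla produces and deserves the same scrutiny as any other PsExec-style lateral movement.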
Why does WithSecure associate this with lateral movement?
WithSecure detects a set of behaviors typically associated with remote administration tools:
- Copying an executable to C:\Windows\
- Use of the Admin$ share
- Creating a temporary Windows service
- Running as NT AUTHORITY\SYSTEM
- Communication via the stdin/stdout/stderr named pipes
These behaviors are identical in the following scenarios:
- Legitimate: Medulla / system administration
- Malicious: attacker lateral movement
Important:
Exclusions must be as restrictive as possible so as not to compromise the overall security level.
Can I exclude C:\Program Files\Medulla\bin\paexec.exe?
No.
This exclusion alone is ineffective because the file detected by the EDR is the temporary copy:
C:\WINDOWS\PAExec-*.exe
and not the source binary:
C:\Program Files\Medulla\bin\paexec.exe
What exclusion is recommended in WithSecure Elements?
Option A – Exclusion by SHA256 hash (Recommended)
In WithSecure Elements Security Center:
- Go to Profiles → Security → Application Control
- Create an "Allow by hash" rule
- Enter the SHA256 hash of the Medulla PAExec binary
- Optionally, restrict the rule to the path C:\Windows\PAExec-*.exe and to the account NT AUTHORITY\SYSTEM
Recommendation:
Exclusion by hash is the most secure method because it verifies the exact integrity of the Medulla binary.
Option B – Parent → Child Exclusion (Recommended as a supplement)
Allow PAExec-*.exe only when the parent process is the Medulla agent.
Expected parent process:
Medulla agent service (Python scheduler)
This method significantly reduces the risk of abuse.
Option C – Wildcard Exclusion (Temporary)
Create a path exclusion:
C:\Windows\PAExec-*.exe
with the following conditions:
Warning:
This method should only be used temporarily. It does not validate the integrity of the binary.
How do I retrieve the SHA256 hash of the PAExec binary?
From a workstation managed by Medulla:
Get-FileHash "C:\Program Files\Medulla\bin\paexec.exe" -Algorithm SHA256
The hash is identical for:
C:\Program Files\Medulla\bin\paexec.exe
and:
C:\WINDOWS\PAExec-*.exe
because PAExec copies its own executable to the target unchanged; only the file name differs.
Does the hash change after a Medulla update?
Yes.
If PAExec is updated in a new version of Medulla, the SHA256 will change.
Recommendation:
Check the WithSecure exclusions after every major Medulla update.
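The script below is an added example, not Medulla or WithSecure code, covering both the hash retrieval above and the post-update check. It compares the SHA256 of the PAExec source binary on a set of workstations against the hash recorded in the WithSecure "Allow by hash" rule and reports which hosts would no longer be covered by the exclusion. It assumes PowerShell Remoting is enabled, that Medulla is installed in its default path, and that $AllowedHash holds the value you copied from the WithSecure rule (the zero string is a placeholder). The host name is the one used as an example on this page.

```powershell
# Added example (not Medulla or WithSecure code): detect hash drift of paexec.exe after a
# Medulla update so the WithSecure allow-by-hash rule can be refreshed before tasks are blocked.
# Assumptions: PowerShell Remoting enabled, default Medulla path, $AllowedHash copied from the rule.

$AllowedHash  = '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder: paste the hash from the WithSecure rule
$SourceBinary = 'C:\Program Files\Medulla\bin\paexec.exe'                            # assumed install path
$Workstations = @('CSE-SDN-ALV-02')                                                  # example host from this page; use your inventory

$results = Invoke-Command -ComputerName $Workstations -ArgumentList $SourceBinary -ErrorAction SilentlyContinue -ScriptBlock {
    param($Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Hash = $null; Version = $null; TempCopies = 0 }
    }
    $h = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $v = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    # Any PAExec-*.exe still in C:\Windows is either a task in flight or a leftover worth a look
    $tmp = @(Get-ChildItem -Path "$env:SystemRoot\PAExec-*.exe" -ErrorAction SilentlyContinue).Count
    [pscustomobject]@{ Hash = $h; Version = $v; TempCopies = $tmp }
}

$results | ForEach-Object {
    if ($null -eq $_.Hash) {
        $status = 'paexec.exe not found'
    } elseif ($_.Hash -eq $AllowedHash) {
        $status = 'OK: matches the WithSecure allow-by-hash rule'
    } else {
        $status = 'UPDATE EXCLUSION: hash differs from the allowed value'
    }
    [pscustomobject]@{
        Computer   = $_.PSComputerName
        Version    = $_.Version
        SHA256     = $_.Hash
        TempCopies = $_.TempCopies
        Status     = $status
    }
} | Format-Table -AutoSize
```

Hosts that do not answer are simply absent from the output, so compare the list against your inventory. Because the temporary copy is byte-identical to the source binary, a mismatch here means the next PAExec task on that host will be evaluated against a hash the rule no longer allows.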
Summary of Technical Details
| Item | Value |
|---|---|
| Source binary | C:\Program Files\Medulla\bin\paexec.exe |
| Detected path | C:\Windows\PAExec-<PID>-<WorkstationName>.exe |
| Mechanism | Temporary copy via Admin$ |
| Execution account | NT AUTHORITY\SYSTEM |
| Argument | -service |
| Windows Events | 7045, 7036, 5145 |
| Medulla Component | scheduling_launch_kiosk.py |
| Recommended Exclusion | SHA256 hash + execution context |
| Exclusion to avoid | C:\Program Files\Medulla\bin\paexec.exe alone |