THREAT-LateralMovement-SMBPsExec Lateral Movement via SMB and PsExec-Style Remote Execution Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// THREAT: Lateral Movement via SMB/PsExec-Style Remote Execution
// Detects PsExec, PAExec, PSEXESVC service creation, and Admin share lateral movement

// Alert 1: PsExec/PAExec execution from non-standard locations
let LegitPsExecPaths = dynamic(["C:\\Tools\\", "C:\\Sysinternals\\", "C:\\Program Files\\Sysinternals"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe", "csexec.exe")
| where not(FolderPath has_any (LegitPsExecPaths))
| extend SuspiciousLocation = FolderPath has_any (
    "C:\\Users\\", "C:\\Windows\\Temp\\", "C:\\ProgramData\\",
    "AppData\\", "C:\\Temp\\", "C:\\Public\\"
  )
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    ProcessCommandLine, InitiatingProcessFileName, SuspiciousLocation
| extend ThreatType = "LateralMovement_PsExec_SuspiciousPath"
| extend StagingRisk = 85;
// Alert 2: PSEXESVC service creation (server-side PsExec indicator)
DeviceServiceEvents
| where Timestamp > ago(24h)
| where ServiceName in~ ("PSEXESVC", "paexec", "remcom")
| project Timestamp, DeviceName, AccountName, ServiceName, ServiceState,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| extend ThreatType = "LateralMovement_PSEXESVC_RemoteService"
| extend StagingRisk = 90;
// Alert 3: Admin share access from internal hosts (staging/lateral movement)
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (445, 139)
| where ActionType =~ "ConnectionSuccess"
| where RemoteIPType =~ "Private"
// Exclude expected domain controller replication and group policy traffic
| where InitiatingProcessFileName !in~ ("svchost.exe", "lsass.exe", "system")
| summarize
    Connections=count(),
    TargetHosts=dcount(RemoteIP),
    TargetIPs=make_set(RemoteIP)
  by DeviceName, AccountName, InitiatingProcessFileName, bin(Timestamp, 15m)
| where Connections >= 5 or TargetHosts >= 3
| extend ThreatType = "LateralMovement_AdminShare_BulkAccess"
| extend StagingRisk = 75

high severity high confidence

Data Sources

Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceServiceEvents, DeviceNetworkEvents) Sysmon Event ID 1, 3, 7 Windows Security Event Log

Required Tables

DeviceProcessEvents DeviceServiceEvents DeviceNetworkEvents

False Positives

Authorised IT administrators using PsExec from Sysinternals for remote administration from approved management workstations
Software deployment tools (SCCM, Ansible, Puppet) that use WMI or SMB for mass package deployment
Domain join and Group Policy application traffic over SMB (exclude SYSTEM and svchost.exe as initiators)
Enterprise backup agents (Veeam, Backup Exec) that access admin shares during backup jobs

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
  (
    EventCode=1
    (Image="*\\psexec.exe" OR Image="*\\psexec64.exe" OR Image="*\\paexec.exe" OR Image="*\\remcom.exe")
    NOT (Image="*\\Tools\\*" OR Image="*\\Sysinternals\\*" OR Image="*\\Program Files\\*")
  )
  OR
  (
    EventCode=11
    TargetFilename="*\\PSEXESVC.exe"
  )
  OR
  (
    EventCode=3
    DestinationPort IN (445, 139)
    NOT (Image="*\\svchost.exe" OR Image="*\\lsass.exe")
  )
)
| eval ThreatIndicator=case(
    match(Image, "(?i)(psexec|paexec|remcom)") AND NOT match(Image, "(?i)(Tools|Sysinternals|Program.Files)"),
    "PsExec_SuspiciousPath",
    match(TargetFilename, "(?i)PSEXESVC"), "PSEXESVC_Dropped",
    EventCode=3 AND DestinationPort IN (445, 139), "SMB_LateralMove",
    true(), "Other"
  )
| eval RiskScore=case(
    ThreatIndicator="PSEXESVC_Dropped", 90,
    ThreatIndicator="PsExec_SuspiciousPath", 85,
    ThreatIndicator="SMB_LateralMove", 70,
    true(), 50
  )
| stats count AS Events,
        values(ThreatIndicator) AS Indicators,
        values(Image) AS Processes,
        max(RiskScore) AS MaxRisk
  BY host, User, _time span=30m
| eval ThreatActors="Akira, Black Basta, LockBit"
| sort - MaxRisk

high severity high confidence

Data Sources

Sysmon via Windows Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorised PsExec from IT management workstations
SCCM/Ansible software deployment over SMB

Elastic Security (EQL)

eql

sequence by host.name with maxspan=30m
  [process where event.type == "start" and
   process.name in~ ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe", "csexec.exe") and
   not process.executable like~ ("*\\Tools\\*", "*\\Sysinternals\\*", "*\\Program Files\\Sysinternals*")]
  [file where event.type == "creation" and
   file.name like~ "PSEXESVC.exe"]

// Alternatively, individual signal queries:
// Signal 1: PsExec from suspicious paths
process where event.type == "start" and
  process.name in~ ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe", "csexec.exe") and
  not process.executable like~ ("*\\Tools\\*", "*\\Sysinternals\\*", "*\\Program Files\\*") and
  process.executable like~ ("*\\Users\\*", "*\\Temp\\*", "*\\ProgramData\\*", "*\\AppData\\*", "*\\Public\\*")

// Signal 2: PSEXESVC service registration
process where event.type == "start" and process.name == "PSEXESVC.exe"

// Signal 3: Bulk SMB lateral movement
network where event.type == "connection" and
  destination.port in (445, 139) and
  network.direction == "outbound" and
  not process.name in~ ("svchost.exe", "lsass.exe", "System") and
  network.type == "ipv4"

critical severity high confidence

Data Sources

Windows Sysmon via Elastic Agent Elastic Endpoint Security Windows Security Event Logs

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-* logs-system.security-*

False Positives

Legitimate IT administrators running PsExec from a local downloads or desktop folder during ad-hoc remediation tasks
Automated patch management tools (e.g., SCCM, PDQ Deploy) that stage execution binaries in ProgramData before running them
Penetration test engagements where testers deliberately drop PsExec to workstations — should be excluded by source IP or user account

IBM QRadar (AQL)

sql

-- Signal 1: PsExec/PAExec from suspicious staging paths
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceHost,
  username AS AccountName,
  "Process Name" AS ProcessName,
  "Process Path" AS ProcessPath,
  QIDNAME(qid) AS EventName,
  logsourcename(logsourceid) AS LogSource,
  'LateralMovement_PsExec_SuspiciousPath' AS ThreatType,
  85 AS RiskScore
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 14)  -- Sysmon / Windows Security
  AND (
    LOWER("Process Name") LIKE '%psexec.exe'
    OR LOWER("Process Name") LIKE '%psexec64.exe'
    OR LOWER("Process Name") LIKE '%paexec.exe'
    OR LOWER("Process Name") LIKE '%remcom.exe'
  )
  AND LOWER("Process Path") NOT LIKE '%\tools\%'
  AND LOWER("Process Path") NOT LIKE '%\sysinternals\%'
  AND LOWER("Process Path") NOT LIKE '%\program files\%'
  AND (
    LOWER("Process Path") LIKE '%\users\%'
    OR LOWER("Process Path") LIKE '%\temp\%'
    OR LOWER("Process Path") LIKE '%\programdata\%'
    OR LOWER("Process Path") LIKE '%\appdata\%'
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LAST 24 HOURS

UNION ALL

-- Signal 2: PSEXESVC service creation (Windows Event 7045)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceHost,
  username AS AccountName,
  "Service Name" AS ProcessName,
  '' AS ProcessPath,
  QIDNAME(qid) AS EventName,
  logsourcename(logsourceid) AS LogSource,
  'LateralMovement_PSEXESVC_RemoteService' AS ThreatType,
  90 AS RiskScore
FROM events
WHERE
  EventID = 7045
  AND (
    LOWER("Service Name") = 'psexesvc'
    OR LOWER("Service Name") = 'paexec'
    OR LOWER("Service Name") = 'remcom'
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LAST 24 HOURS

critical severity high confidence

Data Sources

IBM QRadar SIEM Windows Security Event Logs (WinCollect) Sysmon log source via QRadar DSM

Required Tables

events

False Positives

IT helpdesk staff running PsExec from their user profile Downloads folder during support tasks — exclude by known admin source IPs or accounts
Legitimate PSEXESVC service creation during authorised remote administration by domain admins — whitelist by service account username
Security tooling that uses RemCom as an open-source PsExec alternative for legitimate remote execution in managed environments

Sumo Logic CSE

sql

// Signal 1: PsExec/PAExec from suspicious locations
_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*
| where EventCode = "1" or EventCode = "4688"
| where (
    Image matches /(?i)(psexec\.exe|psexec64\.exe|paexec\.exe|remcom\.exe|csexec\.exe)$/
    or NewProcessName matches /(?i)(psexec\.exe|psexec64\.exe|paexec\.exe|remcom\.exe|csexec\.exe)$/
  )
| where !(
    Image matches /(?i)\\(tools|sysinternals|program files)/
    or NewProcessName matches /(?i)\\(tools|sysinternals|program files)/
  )
| where (
    Image matches /(?i)\\(users|temp|programdata|appdata|public)\\/
    or NewProcessName matches /(?i)\\(users|temp|programdata|appdata|public)\\/
  )
| parse field=Image "*\\*" as FolderPath, BinaryName nodrop
| parse field=NewProcessName "*\\*" as FolderPath2, BinaryName2 nodrop
| timeslice 15m
| count by _timeslice, Computer, User, Image, CommandLine
| where _count >= 1
| fields _timeslice, Computer, User, Image, CommandLine, _count
| eval ThreatType = "LateralMovement_PsExec_SuspiciousPath", RiskScore = 85
| sort - RiskScore

// Signal 2: PSEXESVC service creation
_sourceCategory=*wineventlog*system* OR _sourceCategory=*windows*sysmon*
| where EventCode = "7045" or EventCode = "4697"
| where ServiceName matches /(?i)(psexesvc|paexec|remcom)/
| timeslice 5m
| count by _timeslice, Computer, ServiceName, ServiceFileName, AccountName
| eval ThreatType = "LateralMovement_PSEXESVC_RemoteService", RiskScore = 90
| sort - RiskScore

// Signal 3: Bulk internal SMB connections
_sourceCategory=*windows*sysmon*
| where EventCode = "3"
| where DestinationPort = "445" or DestinationPort = "139"
| where !(
    Image matches /(?i)(svchost\.exe|lsass\.exe|system)/
  )
| timeslice 15m
| count as Connections, dcount(DestinationIp) as UniqueHosts by _timeslice, Computer, User, Image
| where Connections >= 5 or UniqueHosts >= 3
| eval ThreatType = "LateralMovement_AdminShare_BulkSMB", RiskScore = 75
| sort - RiskScore

critical severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon (Sumo Logic collector) Windows Event Logs via Sumo Logic collector

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*wineventlog*

False Positives

System administrators downloading and running PsExec directly from their browser to %USERPROFILE%\Downloads before moving it to a proper tools directory
Automated RMM tools (ConnectWise, Kaseya) that create short-lived PSEXESVC service entries during remote command execution on managed endpoints
Domain group policy or login scripts that trigger multiple SMB connections at logon time, generating burst SMB traffic that exceeds the threshold

Google Chronicle / SecOps

yaral

rule threat_lateral_movement_smb_psexec {
  meta:
    name = "THREAT-LateralMovement-SMBPsExec"
    description = "Detects lateral movement via SMB and PsExec-style remote execution — PsExec/PAExec from non-standard paths, PSEXESVC service creation, and bulk Admin share access"
    author = "df00tech Detection Engineering"
    date = "2026-04-24"
    mitre_attack = "T1021.002, T1570, T1543.003"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://www.ncsc.gov.uk/news/akira-ransomware"

  events:
    // Signal 1: PsExec/PAExec execution from user-writable staging path
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $hostname
    $proc.target.process.file.full_path = /(?i)(psexec\.exe|psexec64\.exe|paexec\.exe|remcom\.exe|csexec\.exe)$/
    not $proc.target.process.file.full_path = /(?i)(\\tools\\|\\sysinternals\\|\\program files\\)/
    (
      $proc.target.process.file.full_path = /(?i)\\users\\/
      or $proc.target.process.file.full_path = /(?i)\\temp\\/
      or $proc.target.process.file.full_path = /(?i)\\programdata\\/
      or $proc.target.process.file.full_path = /(?i)\\appdata\\/
      or $proc.target.process.file.full_path = /(?i)\\public\\/
    )

  match:
    $hostname over 30m

  condition:
    $proc
}

rule threat_psexesvc_service_creation {
  meta:
    name = "THREAT-PSEXESVC-ServiceCreation"
    description = "Detects PSEXESVC service being installed on the target host — server-side PsExec indicator with highest fidelity for remote execution lateral movement"
    author = "df00tech Detection Engineering"
    date = "2026-04-24"
    mitre_attack = "T1021.002, T1543.003"
    severity = "CRITICAL"
    confidence = "HIGH"

  events:
    $svc.metadata.event_type = "SERVICE_CREATION"
    $svc.target.resource.name = /(?i)(psexesvc|paexec|remcom)/
    $svc.principal.hostname = $hostname

  match:
    $hostname over 5m

  condition:
    $svc
}

rule threat_bulk_smb_admin_share_access {
  meta:
    name = "THREAT-BulkSMB-AdminShare"
    description = "Detects bulk outbound SMB connections from a single host to multiple internal targets — characteristic of PsExec-based lateral movement scanning"
    author = "df00tech Detection Engineering"
    date = "2026-04-24"
    mitre_attack = "T1021.002"
    severity = "HIGH"
    confidence = "MEDIUM"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.network.application_protocol = "SMB"
    $net.principal.hostname = $src_host
    $net.target.ip = $dst_ip
    not $net.principal.process.file.full_path = /(?i)(svchost\.exe|lsass\.exe)/

  match:
    $src_host over 15m

  outcome:
    $unique_targets = count_distinct($dst_ip)

  condition:
    #net >= 5 and $unique_targets >= 3
}

critical severity high confidence

Data Sources

Google Chronicle SIEM Windows Event Logs via Chronicle forwarder Microsoft Defender for Endpoint via Chronicle integration Windows Sysmon via Chronicle

Required Tables

UDM events: PROCESS_LAUNCH, SERVICE_CREATION, NETWORK_CONNECTION

False Positives

IT administrators intentionally running PsExec from non-standard paths during rapid incident response or emergency remote remediation tasks
Software deployment systems (SCCM, Intune) that temporarily install PSEXESVC during legitimate managed software push operations
Domain controllers generating high volumes of SMB connections during Group Policy processing, SYSVOL replication, or DFS namespace referrals

CrowdStrike LogScale (CQL)

cql

// Signal 1: PsExec/PAExec execution from suspicious staging paths
#event_simpleName = "ProcessRollup2"
| FileName = /(?i)^(psexec\.exe|psexec64\.exe|paexec\.exe|remcom\.exe|csexec\.exe)$/
| ImageFileName != /(?i)(\\tools\\|\\sysinternals\\|\\program files\\)/
| ImageFileName = /(?i)(\\users\\|\\windows\\temp\\|\\programdata\\|\\appdata\\|\\public\\)/
| groupBy([ComputerName, UserName, FileName, ImageFileName, CommandLine], function=[
    count(aid, as=EventCount),
    min(timestamp, as=FirstSeen),
    max(timestamp, as=LastSeen)
  ])
| eval ThreatType = "LateralMovement_PsExec_SuspiciousPath"
| eval RiskScore = 85
| sort(RiskScore, order=desc)

// Signal 2: PSEXESVC service creation
#event_simpleName = "ServiceInstalled"
| ServiceName = /(?i)^(psexesvc|paexec|remcom)$/
| groupBy([ComputerName, ServiceName, ServiceImagePath, UserName], function=[
    count(aid, as=Instances),
    min(timestamp, as=FirstSeen),
    max(timestamp, as=LastSeen)
  ])
| eval ThreatType = "LateralMovement_PSEXESVC_RemoteService"
| eval RiskScore = 90
| sort(RiskScore, order=desc)

// Signal 3: Bulk outbound SMB connections from single host
#event_simpleName = "NetworkConnectIP4"
| RemotePort in (445, 139)
| LocalAddressIP4 != RemoteAddressIP4
| ImageFileName != /(?i)(\\windows\\system32\\svchost\.exe|\\windows\\system32\\lsass\.exe)/
| RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
| groupBy([ComputerName, UserName, ImageFileName], function=[
    count(RemoteAddressIP4, as=Connections),
    countDistinct(RemoteAddressIP4, as=UniqueHosts),
    collect(RemoteAddressIP4, as=TargetIPs, limit=20)
  ])
| Connections >= 5 or UniqueHosts >= 3
| eval ThreatType = "LateralMovement_AdminShare_BulkSMB"
| eval RiskScore = 75
| sort(RiskScore, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Platform Falcon Insight XDR (EDR telemetry) CrowdStrike LogScale SIEM

Required Tables

ProcessRollup2 ServiceInstalled NetworkConnectIP4

False Positives

Red team or purple team exercises where PsExec is deliberately staged in temp directories to simulate adversary tradecraft — should be excluded by sensor tag or host group
MSP remote management tooling that wraps PsExec or uses PSEXESVC internally for scripted patch deployment across customer endpoints
Vulnerability scanners or asset management platforms (Tenable, Qualys) that initiate authenticated SMB connections to multiple hosts in bulk during scheduled scan windows

Lateral Movement via SMB and PsExec-Style Remote Execution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Same Tactic: Lateral Movement

Popular Detections