Detect Lateral Movement via SMB and PsExec-Style Remote Execution in Google Chronicle
SMB-based lateral movement using PsExec, PAExec, or RemCom is the dominant lateral movement technique in ransomware deployments by Akira, Black Basta, and LockBit affiliates. The attacker gains initial credentials (via spray, phishing, or VPN compromise), then uses remote execution tools to install and run payloads on other hosts across the domain — typically targeting domain controllers first for maximum impact. Key behavioural indicators: (1) PsExec binary appearing in user temp directories rather than System32 (attackers drop it from a C2 payload); (2) PSEXESVC service being created on remote hosts — the server-side component of PsExec; (3) Admin share (ADMIN$) access used to copy the execution wrapper; (4) Use of Windows Management Instrumentation (WMI) or WinRM as alternatives when PsExec is blocked. NCSC has observed Akira affiliates using this exact pattern against UK SMBs since 2023.
MITRE ATT&CK
- Tactic
- Lateral Movement Execution
YARA-L Detection Query
rule threat_lateral_movement_smb_psexec {
meta:
name = "THREAT-LateralMovement-SMBPsExec"
description = "Detects lateral movement via SMB and PsExec-style remote execution — PsExec/PAExec from non-standard paths, PSEXESVC service creation, and bulk Admin share access"
author = "df00tech Detection Engineering"
date = "2026-04-24"
mitre_attack = "T1021.002, T1570, T1543.003"
severity = "CRITICAL"
confidence = "HIGH"
reference = "https://www.ncsc.gov.uk/news/akira-ransomware"
events:
// Signal 1: PsExec/PAExec execution from user-writable staging path
$proc.metadata.event_type = "PROCESS_LAUNCH"
$proc.principal.hostname = $hostname
$proc.target.process.file.full_path = /(?i)(psexec\.exe|psexec64\.exe|paexec\.exe|remcom\.exe|csexec\.exe)$/
not $proc.target.process.file.full_path = /(?i)(\\tools\\|\\sysinternals\\|\\program files\\)/
(
$proc.target.process.file.full_path = /(?i)\\users\\/
or $proc.target.process.file.full_path = /(?i)\\temp\\/
or $proc.target.process.file.full_path = /(?i)\\programdata\\/
or $proc.target.process.file.full_path = /(?i)\\appdata\\/
or $proc.target.process.file.full_path = /(?i)\\public\\/
)
match:
$hostname over 30m
condition:
$proc
}
rule threat_psexesvc_service_creation {
meta:
name = "THREAT-PSEXESVC-ServiceCreation"
description = "Detects PSEXESVC service being installed on the target host — server-side PsExec indicator with highest fidelity for remote execution lateral movement"
author = "df00tech Detection Engineering"
date = "2026-04-24"
mitre_attack = "T1021.002, T1543.003"
severity = "CRITICAL"
confidence = "HIGH"
events:
$svc.metadata.event_type = "SERVICE_CREATION"
$svc.target.resource.name = /(?i)(psexesvc|paexec|remcom)/
$svc.principal.hostname = $hostname
match:
$hostname over 5m
condition:
$svc
}
rule threat_bulk_smb_admin_share_access {
meta:
name = "THREAT-BulkSMB-AdminShare"
description = "Detects bulk outbound SMB connections from a single host to multiple internal targets — characteristic of PsExec-based lateral movement scanning"
author = "df00tech Detection Engineering"
date = "2026-04-24"
mitre_attack = "T1021.002"
severity = "HIGH"
confidence = "MEDIUM"
events:
$net.metadata.event_type = "NETWORK_CONNECTION"
$net.network.application_protocol = "SMB"
$net.principal.hostname = $src_host
$net.target.ip = $dst_ip
not $net.principal.process.file.full_path = /(?i)(svchost\.exe|lsass\.exe)/
match:
$src_host over 15m
outcome:
$unique_targets = count_distinct($dst_ip)
condition:
#net >= 5 and $unique_targets >= 3
}Three Chronicle YARA-L 2.0 rules covering SMB/PsExec lateral movement: (1) PsExec-family execution from user-writable staging paths, (2) PSEXESVC service creation as high-fidelity remote execution indicator, (3) bulk Admin share access pattern detection. Mapped to T1021.002, T1570, T1543.003.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators intentionally running PsExec from non-standard paths during rapid incident response or emergency remote remediation tasks
- Software deployment systems (SCCM, Intune) that temporarily install PSEXESVC during legitimate managed software push operations
- Domain controllers generating high volumes of SMB connections during Group Policy processing, SYSVOL replication, or DFS namespace referrals
Other platforms for THREAT-LateralMovement-SMBPsExec
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PsExec Remote Command Execution for Lateral Movement Simulation
Expected signal: On source: Sysmon Event ID 1 for psexec.exe, Sysmon Event ID 3 for SMB connection to target. On target: Windows Event ID 7045 (PSEXESVC service installed), Sysmon Event ID 11 (PSEXESVC.exe created in C:\Windows\), Security Event ID 4624 (network logon).
References (5)
- https://www.ncsc.gov.uk/collection/ransomware/lateral-movement
- https://www.cisa.gov/stopransomware/akira-ransomware
- https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
- https://attack.mitre.org/techniques/T1021/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md
Unlock Pro Content
Get the full detection package for THREAT-LateralMovement-SMBPsExec including response playbook, investigation guide, and atomic red team tests.