Detect Lateral Movement via SMB and PsExec-Style Remote Execution in Elastic Security
SMB-based lateral movement using PsExec, PAExec, or RemCom is the dominant lateral movement technique in ransomware deployments by Akira, Black Basta, and LockBit affiliates. The attacker gains initial credentials (via spray, phishing, or VPN compromise), then uses remote execution tools to install and run payloads on other hosts across the domain — typically targeting domain controllers first for maximum impact. Key behavioural indicators: (1) PsExec binary appearing in user temp directories rather than System32 (attackers drop it from a C2 payload); (2) PSEXESVC service being created on remote hosts — the server-side component of PsExec; (3) Admin share (ADMIN$) access used to copy the execution wrapper; (4) Use of Windows Management Instrumentation (WMI) or WinRM as alternatives when PsExec is blocked. NCSC has observed Akira affiliates using this exact pattern against UK SMBs since 2023.
MITRE ATT&CK
- Tactic
- Lateral Movement Execution
Elastic Detection Query
sequence by host.name with maxspan=30m
[process where event.type == "start" and
process.name in~ ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe", "csexec.exe") and
not process.executable like~ ("*\\Tools\\*", "*\\Sysinternals\\*", "*\\Program Files\\Sysinternals*")]
[file where event.type == "creation" and
file.name like~ "PSEXESVC.exe"]
// Alternatively, individual signal queries:
// Signal 1: PsExec from suspicious paths
process where event.type == "start" and
process.name in~ ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe", "csexec.exe") and
not process.executable like~ ("*\\Tools\\*", "*\\Sysinternals\\*", "*\\Program Files\\*") and
process.executable like~ ("*\\Users\\*", "*\\Temp\\*", "*\\ProgramData\\*", "*\\AppData\\*", "*\\Public\\*")
// Signal 2: PSEXESVC service registration
process where event.type == "start" and process.name == "PSEXESVC.exe"
// Signal 3: Bulk SMB lateral movement
network where event.type == "connection" and
destination.port in (445, 139) and
network.direction == "outbound" and
not process.name in~ ("svchost.exe", "lsass.exe", "System") and
network.type == "ipv4"Detects lateral movement via SMB/PsExec-style remote execution by monitoring for PsExec/PAExec/RemCom execution from non-standard paths, PSEXESVC service creation, and bulk SMB connections to internal hosts. Covers Akira, Black Basta, and LockBit ransomware affiliate TTPs.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT administrators running PsExec from a local downloads or desktop folder during ad-hoc remediation tasks
- Automated patch management tools (e.g., SCCM, PDQ Deploy) that stage execution binaries in ProgramData before running them
- Penetration test engagements where testers deliberately drop PsExec to workstations — should be excluded by source IP or user account
Other platforms for THREAT-LateralMovement-SMBPsExec
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PsExec Remote Command Execution for Lateral Movement Simulation
Expected signal: On source: Sysmon Event ID 1 for psexec.exe, Sysmon Event ID 3 for SMB connection to target. On target: Windows Event ID 7045 (PSEXESVC service installed), Sysmon Event ID 11 (PSEXESVC.exe created in C:\Windows\), Security Event ID 4624 (network logon).
References (5)
- https://www.ncsc.gov.uk/collection/ransomware/lateral-movement
- https://www.cisa.gov/stopransomware/akira-ransomware
- https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
- https://attack.mitre.org/techniques/T1021/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md
Unlock Pro Content
Get the full detection package for THREAT-LateralMovement-SMBPsExec including response playbook, investigation guide, and atomic red team tests.