THREAT-LateralMovement-SMBPsExec CrowdStrike LogScale · LogScale

Detect Lateral Movement via SMB and PsExec-Style Remote Execution in CrowdStrike LogScale

SMB-based lateral movement using PsExec, PAExec, or RemCom is the dominant lateral movement technique in ransomware deployments by Akira, Black Basta, and LockBit affiliates. The attacker gains initial credentials (via spray, phishing, or VPN compromise), then uses remote execution tools to install and run payloads on other hosts across the domain — typically targeting domain controllers first for maximum impact. Key behavioural indicators: (1) PsExec binary appearing in user temp directories rather than System32 (attackers drop it from a C2 payload); (2) PSEXESVC service being created on remote hosts — the server-side component of PsExec; (3) Admin share (ADMIN$) access used to copy the execution wrapper; (4) Use of Windows Management Instrumentation (WMI) or WinRM as alternatives when PsExec is blocked. NCSC has observed Akira affiliates using this exact pattern against UK SMBs since 2023.

MITRE ATT&CK

Tactic
Lateral Movement Execution

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// Signal 1: PsExec/PAExec execution from suspicious staging paths
#event_simpleName = "ProcessRollup2"
| FileName = /(?i)^(psexec\.exe|psexec64\.exe|paexec\.exe|remcom\.exe|csexec\.exe)$/
| ImageFileName != /(?i)(\\tools\\|\\sysinternals\\|\\program files\\)/
| ImageFileName = /(?i)(\\users\\|\\windows\\temp\\|\\programdata\\|\\appdata\\|\\public\\)/
| groupBy([ComputerName, UserName, FileName, ImageFileName, CommandLine], function=[
    count(aid, as=EventCount),
    min(timestamp, as=FirstSeen),
    max(timestamp, as=LastSeen)
  ])
| eval ThreatType = "LateralMovement_PsExec_SuspiciousPath"
| eval RiskScore = 85
| sort(RiskScore, order=desc)

// Signal 2: PSEXESVC service creation
#event_simpleName = "ServiceInstalled"
| ServiceName = /(?i)^(psexesvc|paexec|remcom)$/
| groupBy([ComputerName, ServiceName, ServiceImagePath, UserName], function=[
    count(aid, as=Instances),
    min(timestamp, as=FirstSeen),
    max(timestamp, as=LastSeen)
  ])
| eval ThreatType = "LateralMovement_PSEXESVC_RemoteService"
| eval RiskScore = 90
| sort(RiskScore, order=desc)

// Signal 3: Bulk outbound SMB connections from single host
#event_simpleName = "NetworkConnectIP4"
| RemotePort in (445, 139)
| LocalAddressIP4 != RemoteAddressIP4
| ImageFileName != /(?i)(\\windows\\system32\\svchost\.exe|\\windows\\system32\\lsass\.exe)/
| RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
| groupBy([ComputerName, UserName, ImageFileName], function=[
    count(RemoteAddressIP4, as=Connections),
    countDistinct(RemoteAddressIP4, as=UniqueHosts),
    collect(RemoteAddressIP4, as=TargetIPs, limit=20)
  ])
| Connections >= 5 or UniqueHosts >= 3
| eval ThreatType = "LateralMovement_AdminShare_BulkSMB"
| eval RiskScore = 75
| sort(RiskScore, order=desc)
critical severity high confidence

CrowdStrike LogScale (Falcon) detection for SMB/PsExec lateral movement. Uses Falcon telemetry event types ProcessRollup2, ServiceInstalled, and NetworkConnectIP4. Detects PsExec-family binaries from staging paths, PSEXESVC service creation, and bulk internal SMB connectivity patterns matching Akira/Black Basta ransomware affiliate techniques.

Data Sources

CrowdStrike Falcon PlatformFalcon Insight XDR (EDR telemetry)CrowdStrike LogScale SIEM

Required Tables

ProcessRollup2ServiceInstalledNetworkConnectIP4

False Positives & Tuning

  • Red team or purple team exercises where PsExec is deliberately staged in temp directories to simulate adversary tradecraft — should be excluded by sensor tag or host group
  • MSP remote management tooling that wraps PsExec or uses PSEXESVC internally for scripted patch deployment across customer endpoints
  • Vulnerability scanners or asset management platforms (Tenable, Qualys) that initiate authenticated SMB connections to multiple hosts in bulk during scheduled scan windows
Download portable Sigma rule (.yml)

Other platforms for THREAT-LateralMovement-SMBPsExec

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PsExec Remote Command Execution for Lateral Movement Simulation

    Expected signal: On source: Sysmon Event ID 1 for psexec.exe, Sysmon Event ID 3 for SMB connection to target. On target: Windows Event ID 7045 (PSEXESVC service installed), Sysmon Event ID 11 (PSEXESVC.exe created in C:\Windows\), Security Event ID 4624 (network logon).

Last updated: 2026-04-24 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for THREAT-LateralMovement-SMBPsExec including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1021.002SMB/Windows Admin Shares

Related Techniques

T1021.002SMB/Windows Admin SharesT1021.006Windows Remote ManagementT1047Windows Management InstrumentationT1570Lateral Tool TransferT1486Data Encrypted for ImpactT1078.002Domain Accounts

Same Tactic: Lateral Movement

Popular Detections