THREAT-LateralMovement-SMBPsExec IBM QRadar · QRadar

Detect Lateral Movement via SMB and PsExec-Style Remote Execution in IBM QRadar

SMB-based lateral movement using PsExec, PAExec, or RemCom is the dominant lateral movement technique in ransomware deployments by Akira, Black Basta, and LockBit affiliates. The attacker gains initial credentials (via spray, phishing, or VPN compromise), then uses remote execution tools to install and run payloads on other hosts across the domain — typically targeting domain controllers first for maximum impact. Key behavioural indicators: (1) PsExec binary appearing in user temp directories rather than System32 (attackers drop it from a C2 payload); (2) PSEXESVC service being created on remote hosts — the server-side component of PsExec; (3) Admin share (ADMIN$) access used to copy the execution wrapper; (4) Use of Windows Management Instrumentation (WMI) or WinRM as alternatives when PsExec is blocked. NCSC has observed Akira affiliates using this exact pattern against UK SMBs since 2023.

MITRE ATT&CK

Tactic
Lateral Movement Execution

QRadar Detection Query

IBM QRadar (QRadar)
sql 
-- Signal 1: PsExec/PAExec from suspicious staging paths
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceHost,
  username AS AccountName,
  "Process Name" AS ProcessName,
  "Process Path" AS ProcessPath,
  QIDNAME(qid) AS EventName,
  logsourcename(logsourceid) AS LogSource,
  'LateralMovement_PsExec_SuspiciousPath' AS ThreatType,
  85 AS RiskScore
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 14)  -- Sysmon / Windows Security
  AND (
    LOWER("Process Name") LIKE '%psexec.exe'
    OR LOWER("Process Name") LIKE '%psexec64.exe'
    OR LOWER("Process Name") LIKE '%paexec.exe'
    OR LOWER("Process Name") LIKE '%remcom.exe'
  )
  AND LOWER("Process Path") NOT LIKE '%\tools\%'
  AND LOWER("Process Path") NOT LIKE '%\sysinternals\%'
  AND LOWER("Process Path") NOT LIKE '%\program files\%'
  AND (
    LOWER("Process Path") LIKE '%\users\%'
    OR LOWER("Process Path") LIKE '%\temp\%'
    OR LOWER("Process Path") LIKE '%\programdata\%'
    OR LOWER("Process Path") LIKE '%\appdata\%'
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LAST 24 HOURS

UNION ALL

-- Signal 2: PSEXESVC service creation (Windows Event 7045)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceHost,
  username AS AccountName,
  "Service Name" AS ProcessName,
  '' AS ProcessPath,
  QIDNAME(qid) AS EventName,
  logsourcename(logsourceid) AS LogSource,
  'LateralMovement_PSEXESVC_RemoteService' AS ThreatType,
  90 AS RiskScore
FROM events
WHERE
  EventID = 7045
  AND (
    LOWER("Service Name") = 'psexesvc'
    OR LOWER("Service Name") = 'paexec'
    OR LOWER("Service Name") = 'remcom'
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LAST 24 HOURS
critical severity high confidence

QRadar AQL detection for SMB/PsExec lateral movement. Signal 1 identifies PsExec-family binaries executing from user writable staging paths. Signal 2 identifies PSEXESVC service creation (Event ID 7045) on the target host, the definitive server-side PsExec indicator.

Data Sources

IBM QRadar SIEMWindows Security Event Logs (WinCollect)Sysmon log source via QRadar DSM

Required Tables

events

False Positives & Tuning

  • IT helpdesk staff running PsExec from their user profile Downloads folder during support tasks — exclude by known admin source IPs or accounts
  • Legitimate PSEXESVC service creation during authorised remote administration by domain admins — whitelist by service account username
  • Security tooling that uses RemCom as an open-source PsExec alternative for legitimate remote execution in managed environments
Download portable Sigma rule (.yml)

Other platforms for THREAT-LateralMovement-SMBPsExec

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PsExec Remote Command Execution for Lateral Movement Simulation

    Expected signal: On source: Sysmon Event ID 1 for psexec.exe, Sysmon Event ID 3 for SMB connection to target. On target: Windows Event ID 7045 (PSEXESVC service installed), Sysmon Event ID 11 (PSEXESVC.exe created in C:\Windows\), Security Event ID 4624 (network logon).

Last updated: 2026-04-24 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for THREAT-LateralMovement-SMBPsExec including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1021.002SMB/Windows Admin Shares

Related Techniques

T1021.002SMB/Windows Admin SharesT1021.006Windows Remote ManagementT1047Windows Management InstrumentationT1570Lateral Tool TransferT1486Data Encrypted for ImpactT1078.002Domain Accounts

Same Tactic: Lateral Movement

Popular Detections