Detect Lateral Movement via SMB and PsExec-Style Remote Execution in Splunk
SMB-based lateral movement using PsExec, PAExec, or RemCom is the dominant lateral movement technique in ransomware deployments by Akira, Black Basta, and LockBit affiliates. The attacker gains initial credentials (via spray, phishing, or VPN compromise), then uses remote execution tools to install and run payloads on other hosts across the domain — typically targeting domain controllers first for maximum impact. Key behavioural indicators: (1) PsExec binary appearing in user temp directories rather than System32 (attackers drop it from a C2 payload); (2) PSEXESVC service being created on remote hosts — the server-side component of PsExec; (3) Admin share (ADMIN$) access used to copy the execution wrapper; (4) Use of Windows Management Instrumentation (WMI) or WinRM as alternatives when PsExec is blocked. NCSC has observed Akira affiliates using this exact pattern against UK SMBs since 2023.
MITRE ATT&CK
- Tactic
- Lateral Movement Execution
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
(
EventCode=1
(Image="*\\psexec.exe" OR Image="*\\psexec64.exe" OR Image="*\\paexec.exe" OR Image="*\\remcom.exe")
NOT (Image="*\\Tools\\*" OR Image="*\\Sysinternals\\*" OR Image="*\\Program Files\\*")
)
OR
(
EventCode=11
TargetFilename="*\\PSEXESVC.exe"
)
OR
(
EventCode=3
DestinationPort IN (445, 139)
NOT (Image="*\\svchost.exe" OR Image="*\\lsass.exe")
)
)
| eval ThreatIndicator=case(
match(Image, "(?i)(psexec|paexec|remcom)") AND NOT match(Image, "(?i)(Tools|Sysinternals|Program.Files)"),
"PsExec_SuspiciousPath",
match(TargetFilename, "(?i)PSEXESVC"), "PSEXESVC_Dropped",
EventCode=3 AND DestinationPort IN (445, 139), "SMB_LateralMove",
true(), "Other"
)
| eval RiskScore=case(
ThreatIndicator="PSEXESVC_Dropped", 90,
ThreatIndicator="PsExec_SuspiciousPath", 85,
ThreatIndicator="SMB_LateralMove", 70,
true(), 50
)
| stats count AS Events,
values(ThreatIndicator) AS Indicators,
values(Image) AS Processes,
max(RiskScore) AS MaxRisk
BY host, User, _time span=30m
| eval ThreatActors="Akira, Black Basta, LockBit"
| sort - MaxRiskSPL lateral movement detection via Sysmon. Monitors for PsExec in non-standard paths (Event ID 1), PSEXESVC.exe file creation (Event ID 11), and SMB connections from non-system processes (Event ID 3). Aggregates per host to correlate indicators.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorised PsExec from IT management workstations
- SCCM/Ansible software deployment over SMB
Other platforms for THREAT-LateralMovement-SMBPsExec
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PsExec Remote Command Execution for Lateral Movement Simulation
Expected signal: On source: Sysmon Event ID 1 for psexec.exe, Sysmon Event ID 3 for SMB connection to target. On target: Windows Event ID 7045 (PSEXESVC service installed), Sysmon Event ID 11 (PSEXESVC.exe created in C:\Windows\), Security Event ID 4624 (network logon).
References (5)
- https://www.ncsc.gov.uk/collection/ransomware/lateral-movement
- https://www.cisa.gov/stopransomware/akira-ransomware
- https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
- https://attack.mitre.org/techniques/T1021/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md
Unlock Pro Content
Get the full detection package for THREAT-LateralMovement-SMBPsExec including response playbook, investigation guide, and atomic red team tests.