THREAT-LateralMovement-SMBPsExec Sumo Logic CSE · Sumo

Detect Lateral Movement via SMB and PsExec-Style Remote Execution in Sumo Logic CSE

SMB-based lateral movement using PsExec, PAExec, or RemCom is the dominant lateral movement technique in ransomware deployments by Akira, Black Basta, and LockBit affiliates. The attacker gains initial credentials (via spray, phishing, or VPN compromise), then uses remote execution tools to install and run payloads on other hosts across the domain — typically targeting domain controllers first for maximum impact. Key behavioural indicators: (1) PsExec binary appearing in user temp directories rather than System32 (attackers drop it from a C2 payload); (2) PSEXESVC service being created on remote hosts — the server-side component of PsExec; (3) Admin share (ADMIN$) access used to copy the execution wrapper; (4) Use of Windows Management Instrumentation (WMI) or WinRM as alternatives when PsExec is blocked. NCSC has observed Akira affiliates using this exact pattern against UK SMBs since 2023.

MITRE ATT&CK

Tactic
Lateral Movement Execution

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
// Signal 1: PsExec/PAExec from suspicious locations
_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*
| where EventCode = "1" or EventCode = "4688"
| where (
    Image matches /(?i)(psexec\.exe|psexec64\.exe|paexec\.exe|remcom\.exe|csexec\.exe)$/
    or NewProcessName matches /(?i)(psexec\.exe|psexec64\.exe|paexec\.exe|remcom\.exe|csexec\.exe)$/
  )
| where !(
    Image matches /(?i)\\(tools|sysinternals|program files)/
    or NewProcessName matches /(?i)\\(tools|sysinternals|program files)/
  )
| where (
    Image matches /(?i)\\(users|temp|programdata|appdata|public)\\/
    or NewProcessName matches /(?i)\\(users|temp|programdata|appdata|public)\\/
  )
| parse field=Image "*\\*" as FolderPath, BinaryName nodrop
| parse field=NewProcessName "*\\*" as FolderPath2, BinaryName2 nodrop
| timeslice 15m
| count by _timeslice, Computer, User, Image, CommandLine
| where _count >= 1
| fields _timeslice, Computer, User, Image, CommandLine, _count
| eval ThreatType = "LateralMovement_PsExec_SuspiciousPath", RiskScore = 85
| sort - RiskScore

// Signal 2: PSEXESVC service creation
_sourceCategory=*wineventlog*system* OR _sourceCategory=*windows*sysmon*
| where EventCode = "7045" or EventCode = "4697"
| where ServiceName matches /(?i)(psexesvc|paexec|remcom)/
| timeslice 5m
| count by _timeslice, Computer, ServiceName, ServiceFileName, AccountName
| eval ThreatType = "LateralMovement_PSEXESVC_RemoteService", RiskScore = 90
| sort - RiskScore

// Signal 3: Bulk internal SMB connections
_sourceCategory=*windows*sysmon*
| where EventCode = "3"
| where DestinationPort = "445" or DestinationPort = "139"
| where !(
    Image matches /(?i)(svchost\.exe|lsass\.exe|system)/
  )
| timeslice 15m
| count as Connections, dcount(DestinationIp) as UniqueHosts by _timeslice, Computer, User, Image
| where Connections >= 5 or UniqueHosts >= 3
| eval ThreatType = "LateralMovement_AdminShare_BulkSMB", RiskScore = 75
| sort - RiskScore
critical severity high confidence

Sumo Logic detection for SMB/PsExec-style lateral movement. Three correlated signals: suspicious-path PsExec execution (Sysmon Event 1 / Security 4688), PSEXESVC service creation (Event 7045/4697), and bulk internal SMB connection patterns (Sysmon Event 3). Targets Akira and Black Basta ransomware affiliate tradecraft.

Data Sources

Sumo Logic Cloud SIEMWindows Sysmon (Sumo Logic collector)Windows Event Logs via Sumo Logic collector

Required Tables

_sourceCategory=*windows*sysmon*_sourceCategory=*wineventlog*

False Positives & Tuning

  • System administrators downloading and running PsExec directly from their browser to %USERPROFILE%\Downloads before moving it to a proper tools directory
  • Automated RMM tools (ConnectWise, Kaseya) that create short-lived PSEXESVC service entries during remote command execution on managed endpoints
  • Domain group policy or login scripts that trigger multiple SMB connections at logon time, generating burst SMB traffic that exceeds the threshold
Download portable Sigma rule (.yml)

Other platforms for THREAT-LateralMovement-SMBPsExec

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PsExec Remote Command Execution for Lateral Movement Simulation

    Expected signal: On source: Sysmon Event ID 1 for psexec.exe, Sysmon Event ID 3 for SMB connection to target. On target: Windows Event ID 7045 (PSEXESVC service installed), Sysmon Event ID 11 (PSEXESVC.exe created in C:\Windows\), Security Event ID 4624 (network logon).

Last updated: 2026-04-24 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for THREAT-LateralMovement-SMBPsExec including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1021.002SMB/Windows Admin Shares

Related Techniques

T1021.002SMB/Windows Admin SharesT1021.006Windows Remote ManagementT1047Windows Management InstrumentationT1570Lateral Tool TransferT1486Data Encrypted for ImpactT1078.002Domain Accounts

Same Tactic: Lateral Movement

Popular Detections