title: Lateral Movement via SMB and PsExec-Style Remote Execution (THREAT-LateralMovement-SMBPsExec)
id: df00tech-threat-lateralmovement-smbpsexec
status: experimental
description: "SMB-based lateral movement using PsExec, PAExec, or RemCom is the dominant lateral movement technique in ransomware deployments by Akira, Black Basta, and LockBit affiliates. The attacker gains initial credentials (via spray, phishing, or VPN compromise), then uses remote execution tools to install and run payloads on other hosts across the domain — typically targeting domain controllers first for maximum impact. Key behavioural indicators: (1) PsExec binary appearing in user temp directories rather than System32 (attackers drop it from a C2 payload); (2) PSEXESVC service being created on remote hosts — the server-side component of PsExec; (3) Admin share (ADMIN$) access used to copy the execution wrapper; (4) Use of Windows Management Instrumentation (WMI) or WinRM as alternatives when PsExec is blocked. NCSC has observed Akira affiliates using this exact pattern against UK small and medium-sized businesses since 2023."
references:
  - https://attack.mitre.org/techniques/THREAT-LateralMovement-SMBPsExec/
  - https://df00tech.com/detections/THREAT-LateralMovement-SMBPsExec
author: df00tech
date: 2026/04/24
tags:
  - attack.threat-lateralmovement-smbpsexec
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Indicator (1) from the description; indicators (2)-(4) need other logsources (see the KQL/SPL query on df00tech).
  selection:
    Image|endswith: ['\psexec.exe', '\psexec64.exe', '\paexec.exe', '\remcom.exe']
  filter_system32:
    Image|startswith: 'C:\Windows\System32\'
  condition: selection and not filter_system32
falsepositives:
  - Authorised IT administrators using PsExec from Sysinternals for remote administration from approved management workstations
  - "Software deployment tools (SCCM, Ansible, Puppet) that use WMI or SMB for mass package deployment"
  - Domain join and Group Policy application traffic over SMB (exclude SYSTEM and svchost.exe as initiators)
  - "Enterprise backup agents (Veeam, Backup Exec) that access admin shares during backup jobs"
level: high
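The four behavioural indicators from the description, correlated across hosts over constructed sample telemetry. This is an added Python example, not part of the rule and not df00tech's detection content; it goes beyond the process_creation logsource of the rule by also scoring service-install and share-access events. The event field names, the `ADMIN-WS` allowlist, the sample hostnames and the two-indicator alert threshold are assumptions made for the example.

```python
"""Correlate PsExec-style lateral movement indicators over constructed Windows telemetry.

Field names (Computer, Image, ParentImage, ServiceName, ShareName, SubjectUserName)
mirror Sysmon/Security event fields, but the schema and every sample value below are
assumptions constructed for this example, not real logs.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# Tooling named in the rule description. PAExec and RemCom register their own service
# names; only PsExec's PSEXESVC is matched below, as in the description.
EXEC_TOOLS = {"psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
REMOTE_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe"}  # WMI / WinRM host processes
SHELLS = {"cmd.exe", "powershell.exe"}
# Assumed allowlist of approved management workstations (first falsepositives entry).
APPROVED_ADMIN_HOSTS = {"ADMIN-WS"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return the indicator an event matches, or None if it is benign or excluded."""
    kind = event.get("type")
    if kind == "process_creation":
        image = event.get("Image", "")
        if _basename(image) in EXEC_TOOLS and not any(d in image.lower() for d in SYSTEM_DIRS):
            # Indicator (1): execution tool running from outside System32 (e.g. a user temp dir).
            if event.get("Computer") in APPROVED_ADMIN_HOSTS:
                return None  # approved admin workstation, per the rule's false positives
            return "exec_tool_outside_system32"
        if _basename(event.get("ParentImage", "")) in REMOTE_PARENTS and _basename(image) in SHELLS:
            # Indicator (4): shell spawned by the WMI or WinRM host process.
            return "remote_shell_via_wmi_or_winrm"
    elif kind == "service_install":
        # Indicator (2): server-side component registered on the target (System event 7045).
        if event.get("ServiceName", "").upper() == "PSEXESVC":
            return "psexesvc_installed"
    elif kind == "share_access":
        # Indicator (3): ADMIN$ used to copy the service binary (Security event 5140/5145).
        # SYSTEM as initiator is excluded, matching the rule's false-positive note.
        if event.get("ShareName", "").upper().endswith("ADMIN$") and event.get("SubjectUserName") != "SYSTEM":
            return "admin_share_access"
    return None


def score_hosts(events: List[dict]) -> Dict[str, List[str]]:
    """Group matched indicators by the host the event was recorded on."""
    hits = defaultdict(set)
    for ev in events:
        indicator = classify(ev)
        if indicator:
            hits[ev["Computer"]].add(indicator)
    return {host: sorted(inds) for host, inds in hits.items()}


def alerts(events: List[dict]) -> List[str]:
    """Hosts worth an alert: the tool dropped outside System32 is enough on its own;
    otherwise require two distinct indicators on the same host (threshold chosen here)."""
    out = []
    for host, inds in score_hosts(events).items():
        if "exec_tool_outside_system32" in inds or len(inds) >= 2:
            out.append(host)
    return sorted(out)


# Constructed sample telemetry: one intrusion (WS01 -> DC01) plus two benign events.
SAMPLE_EVENTS = [
    {"type": "process_creation", "Computer": "WS01", "Image": r"C:\Users\jdoe\AppData\Local\Temp\psexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"type": "share_access", "Computer": "DC01", "ShareName": r"\\*\ADMIN$", "SubjectUserName": "jdoe"},
    {"type": "service_install", "Computer": "DC01", "ServiceName": "PSEXESVC"},
    {"type": "process_creation", "Computer": "DC01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Benign: Sysinternals PsExec run from an approved management workstation.
    {"type": "process_creation", "Computer": "ADMIN-WS", "Image": r"C:\Tools\Sysinternals\PsExec64.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign: Group Policy / domain traffic hitting ADMIN$ as SYSTEM.
    {"type": "share_access", "Computer": "FS01", "ShareName": r"\\*\ADMIN$", "SubjectUserName": "SYSTEM"},
]

if __name__ == "__main__":
    for host, inds in score_hosts(SAMPLE_EVENTS).items():
        print(host, inds)
    print("alert:", alerts(SAMPLE_EVENTS))
```

Run as-is, the sample set yields an alert for `DC01` (share access, service install and a WMI-spawned shell on the same host) and for `WS01` (the tool launched from a user temp directory), while the approved workstation and the SYSTEM-initiated share access are dropped. Grouping by `Computer` means indicators (2) and (3) land on the target host and indicator (1) on the source; joining the two sides by the initiating account is the natural next step in a SIEM.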
