2024-12-01 // Security Team

Lateral Movement via PsExec

Microsoft Sentinel

Detects use of PsExec or similar remote execution tools for lateral movement, based on characteristic service creation events and named pipe patterns.

Tags: lateral-movement, psexec, windows, sentinel, mitre-t1570

Overview

PsExec is commonly abused by threat actors for lateral movement. This detection correlates Windows Security event 7045 (service installation) with network logon events and the presence of the PSEXESVC service.

Query

// Both halves of the correlation are limited to the same lookback window.
let timeframe = 1h;
// Event 7045 is logged by the Service Control Manager when a new service is
// installed; PsExec installs its helper service as PSEXESVC by default.
let psexec_services = SecurityEvent
| where TimeGenerated > ago(timeframe)
| where EventID == 7045
| where ServiceName has_any ("PSEXESVC", "psexec")
| project TimeGenerated, Computer, ServiceName, ServiceFileName, SubjectUserName;

// Event 4624 with LogonType 3 is a network logon, i.e. the SMB session PsExec
// authenticates over before it copies and installs the service.
let network_logons = SecurityEvent
| where TimeGenerated > ago(timeframe)
| where EventID == 4624
| where LogonType == 3
| project LogonTime=TimeGenerated, Computer, TargetUserName, IpAddress;

psexec_services
| join kind=inner (network_logons) on Computer
// The network logon happens before the service is installed, so the window
// looks back 5 minutes from the 7045 event rather than forward from it.
| where LogonTime between ((TimeGenerated - 5m) .. TimeGenerated)
| project TimeGenerated, Computer, ServiceName, ServiceFileName, SubjectUserName, TargetUserName, IpAddress
| extend MitreTactic = "Lateral Movement"
| extend MitreTechnique = "T1570"

Logic Explanation

The rule correlates service creation events for PSEXESVC with Type 3 (network) logon events on the same host within a 5-minute window. This reduces false positives from legitimate admin use while catching the telltale sequence of PsExec execution.

Tuning Notes

  • Add exclusions for known admin jump hosts: | where IpAddress !in ("10.1.1.50","10.1.1.51")
  • Combine with process creation events (4688) for higher fidelity
  • Monitor for renamed PsExec binaries via hash matching
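To check the correlation and the jump-host exclusion offline, here is the same logic as the query above re-implemented in Python over a constructed set of 4624/7045 rows; this is an added example, not part of the original rule or of Microsoft Sentinel, and the host names, users and IP addresses in it are made up.

```python
from datetime import datetime, timedelta

def T(h, m, s):
    """Timestamp helper for the constructed sample below (2024-12-01)."""
    return datetime(2024, 12, 1, h, m, s)

# Constructed sample rows, shaped like the SecurityEvent columns the rule uses.
SAMPLE_EVENTS = [
    # FS01: network logon, then PSEXESVC installed 4 s later -> should alert
    {"TimeGenerated": T(10, 0, 5), "EventID": 4624, "Computer": "FS01",
     "LogonType": 3, "TargetUserName": "admin", "IpAddress": "10.20.30.40"},
    {"TimeGenerated": T(10, 0, 9), "EventID": 7045, "Computer": "FS01",
     "ServiceName": "PSEXESVC", "SubjectUserName": "admin"},
    # DC01: same pattern, but sourced from the jump host 10.1.1.50 (tuning exclusion)
    {"TimeGenerated": T(10, 5, 0), "EventID": 4624, "Computer": "DC01",
     "LogonType": 3, "TargetUserName": "svc_patch", "IpAddress": "10.1.1.50"},
    {"TimeGenerated": T(10, 5, 3), "EventID": 7045, "Computer": "DC01",
     "ServiceName": "PSEXESVC", "SubjectUserName": "svc_patch"},
    # WS05: network logon an hour before the service install -> outside the window
    {"TimeGenerated": T(9, 10, 0), "EventID": 4624, "Computer": "WS05",
     "LogonType": 3, "TargetUserName": "bob", "IpAddress": "10.20.30.99"},
    {"TimeGenerated": T(10, 10, 0), "EventID": 7045, "Computer": "WS05",
     "ServiceName": "PSEXESVC", "SubjectUserName": "bob"},
]

def correlate_psexec(events, window=timedelta(minutes=5), excluded_ips=()):
    """PSEXESVC install (7045) preceded within `window` by a type-3 logon (4624)
    to the same host; excluded_ips models the jump-host tuning exclusion."""
    services = [e for e in events if e["EventID"] == 7045
                and any(t in e.get("ServiceName", "").lower()
                        for t in ("psexesvc", "psexec"))]
    logons = [e for e in events if e["EventID"] == 4624
              and e.get("LogonType") == 3
              and e.get("IpAddress") not in excluded_ips]
    alerts = []
    for svc in services:
        for lg in logons:
            if lg["Computer"] != svc["Computer"]:
                continue
            # The SMB authentication precedes the service install, so the logon
            # must fall in the window *before* the 7045 event, not after it.
            if svc["TimeGenerated"] - window <= lg["TimeGenerated"] <= svc["TimeGenerated"]:
                alerts.append({"Computer": svc["Computer"], "ServiceName": svc["ServiceName"],
                               "SubjectUserName": svc["SubjectUserName"],
                               "TargetUserName": lg["TargetUserName"],
                               "IpAddress": lg["IpAddress"], "MitreTechnique": "T1570"})
    return alerts
```

Running `correlate_psexec(SAMPLE_EVENTS, excluded_ips={"10.1.1.50", "10.1.1.51"})` yields only the FS01 alert: DC01 is suppressed by the jump-host exclusion and WS05 falls outside the 5-minute window.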

References

  • MITRE ATT&CK: T1570 - Lateral Tool Transfer
  • MITRE ATT&CK: T1021.002 - Remote Services: SMB/Windows Admin Shares