Hunt Hypothesis

Adversaries with valid credentials or NTLM hashes are using SMB-based techniques — PsExec, Impacket’s psexec.py/wmiexec.py, or WMI — to move laterally to high-value systems without triggering perimeter controls.

This playbook is appropriate when you suspect credential compromise (e.g., after detecting LSASS dumping) or as a routine hunt against your most sensitive servers and domain controllers.

Required Data Sources

Before executing this hunt, confirm these sources are ingested:

Source                                              | Coverage
Windows Security Event Log (4624, 4648, 4672, 7045) | Authentication and service creation
Sysmon Event IDs 1, 3, 7, 13                        | Process creation, network, image load, registry
SMB access logs (if available)                      | File share access
DNS logs                                            | Hostname resolution patterns
Windows System Event Log (7045, 7036)               | Service installation

Phase 1: Identify Anomalous SMB Authentication Patterns

Start broad. Look for Type 3 (network) logons from workstations to servers that are unusual for your environment.

KQL Query (Microsoft Sentinel / Defender)

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624
| where LogonType == 3
| where AccountName !endswith "$"  // Exclude computer accounts
| where IpAddress !in ("127.0.0.1", "::1", "-")  // "-" is logged when no source address is recorded
| summarize
    LogonCount = count(),
    TargetHosts = dcount(Computer),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by AccountName, IpAddress, Window = bin(TimeGenerated, 1h)  // the "short window" is one hour
| where TargetHosts > 3
| sort by TargetHosts desc

A high count of unique target hosts from a single source IP within a short window is a strong indicator of automated lateral movement. A human administrator doing their job will rarely authenticate to more than 3–4 systems in rapid succession.

Pivot: Privileged Logons

// 4672 has PrivilegeList but no LogonType; 4624 has LogonType but no PrivilegeList.
// Filter each event on its own fields and join them on the logon ID.
let NetworkLogons = SecurityEvent
| where EventID == 4624 and LogonType == 3
| project TimeGenerated, Computer, AccountName, IpAddress, LogonId = TargetLogonId;
SecurityEvent
| where EventID == 4672
| where PrivilegeList has_any ("SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege")
| project Computer, LogonId = SubjectLogonId, PrivilegeList
| join kind=inner NetworkLogons on Computer, LogonId
| project TimeGenerated, Computer, AccountName, IpAddress, PrivilegeList
| sort by TimeGenerated desc

Phase 2: Detect PsExec-Style Service Creation

PsExec and its imitators (including Impacket’s psexec.py) work by:

  1. Connecting to ADMIN$ or C$ share
  2. Dropping a service binary (often randomly named)
  3. Using SCM to install and start the service
  4. Cleaning up after execution

The service creation event is often the highest-fidelity artifact.

Sysmon Process Creation (Suspicious Services)

Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
// The Event table carries Sysmon fields as "Name: value" lines in RenderedDescription;
// anchor "Image:" and "CommandLine:" to a line start so they do not match the Parent* fields.
| extend
    ParentImage = extract(@"ParentImage:\s*([^\r\n]+)", 1, RenderedDescription),
    Image = extract(@"(?:^|\n)Image:\s*([^\r\n]+)", 1, RenderedDescription),
    CommandLine = extract(@"(?:^|\n)CommandLine:\s*([^\r\n]+)", 1, RenderedDescription)
| where ParentImage endswith "services.exe"
| where Image !in~ (  // case-insensitive: service hosts that legitimately run under services.exe
    @"C:\Windows\System32\svchost.exe",
    @"C:\Windows\System32\lsass.exe",
    @"C:\Windows\System32\wbem\WmiPrvSE.exe"
  )
| project TimeGenerated, Computer, Image, CommandLine, ParentImage

Windows System Log — Service Installs

Event
| where Source == "Service Control Manager" and EventID == 7045
| extend ServiceName = trim(" ", extract(@"(?i)service name:\s*([^\r\n]+)", 1, RenderedDescription))
| extend ServicePath = trim(" ", extract(@"(?i)service file name:\s*([^\r\n]+)", 1, RenderedDescription))
| extend ServiceBinary = extract(@"(?i)([^\\\s]+\.exe)", 1, ServicePath)  // file name component only
| where ServiceBinary matches regex @"(?i)^[A-Za-z0-9]{6,}\.exe$"  // Random names
// PsExec-style tools drop their binary into ADMIN$ (C:\Windows\), so exclude only the trusted system directories
| where ServicePath !contains @"\System32\" and ServicePath !contains @"\SysWOW64\"
| project TimeGenerated, Computer, ServiceName, ServicePath

Phase 3: Hunt for WMI Lateral Movement

WMI-based execution (wmiexec.py, Invoke-WMIMethod) is popular because it requires no dropped binaries — commands execute in the context of WmiPrvSE.exe.

Suspicious WmiPrvSE Child Processes

// Sysmon Event 1 — process creation
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
// Fields are "Name: value" lines in RenderedDescription; anchor to a line start so
// "Image:" / "CommandLine:" / "User:" do not match their Parent* counterparts.
| extend
    ParentImage = extract(@"ParentImage:\s*([^\r\n]+)", 1, RenderedDescription),
    Image = extract(@"(?:^|\n)Image:\s*([^\r\n]+)", 1, RenderedDescription),
    CommandLine = extract(@"(?:^|\n)CommandLine:\s*([^\r\n]+)", 1, RenderedDescription),
    User = extract(@"(?:^|\n)User:\s*([^\r\n]+)", 1, RenderedDescription)
| where ParentImage endswith "WmiPrvSE.exe"
| where Image has_any ("cmd.exe", "powershell.exe", "whoami", "net.exe", "ipconfig", "wscript.exe")
| project TimeGenerated, Computer, User, Image, CommandLine

WmiPrvSE.exe spawning cmd.exe or powershell.exe is one of the cleaner indicators of WMI-based remote execution in the environment. Legitimate WMI automation typically doesn’t spawn interactive shells.

Phase 4: SMB Named Pipe Artifacts

PsExec uses named pipes for I/O redirection — specifically \pipe\PSEXESVC or randomly named pipes for stealth variants. Sysmon Event 17/18 (pipe creation/connection) can catch these.

Event
| where Source == "Microsoft-Windows-Sysmon" and EventID in (17, 18)
| extend PipeName = extract(@"PipeName:\s*([^\r\n]+)", 1, RenderedDescription),
         Image = extract(@"(?:^|\n)Image:\s*([^\r\n]+)", 1, RenderedDescription)
// Sysmon records the pipe as "\PSEXESVC", not the full "\\.\pipe\PSEXESVC" device path
| where PipeName =~ @"\PSEXESVC"
    or PipeName matches regex @"^\\[A-Za-z0-9]{6,10}$"  // Short random pipe names
| project TimeGenerated, Computer, EventID, PipeName, Image

Phase 5: Impacket-Specific Indicators

Impacket’s toolset has a few telltale patterns beyond generic SMB behavior:

wmiexec.py creates a temporary output file in C:\Windows\ matching __output*:

Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 11
| extend TargetFilename = extract(@"TargetFilename:\s*([^\r\n]+)", 1, RenderedDescription)
| where TargetFilename startswith @"C:\Windows\__"  // __output* as above; the __ prefix also covers the __<epoch-timestamp> names used by newer wmiexec.py builds
| project TimeGenerated, Computer, TargetFilename

smbexec.py creates a batch file in C:\Windows\ and a service named BTOBTO (default):

// 7045 is a System-log event, so it lives in the Event table, not SecurityEvent
Event
| where Source == "Service Control Manager" and EventID == 7045
| extend ServiceName = extract(@"(?i)service name:\s*([^\r\n]+)", 1, RenderedDescription),
         ServiceFileName = extract(@"(?i)service file name:\s*([^\r\n]+)", 1, RenderedDescription)
| where ServiceName contains "BTOBTO"
    or ServiceFileName contains "%COMSPEC%"
| project TimeGenerated, Computer, ServiceName, ServiceFileName

Correlation: Tying It Together

The strongest signal is a chain of events within a short time window:

  1. Type 3 logon from source host
  2. Service installation within 30 seconds
  3. Suspicious process spawned by services.exe or WmiPrvSE.exe
  4. Network connections to additional internal hosts from that process

Build a timeline for each suspect source IP and look for this kill chain pattern. When present, it’s highly indicative of automated lateral movement tooling.

False Positive Baseline

Before hunting, understand your environment’s legitimate patterns:

  • SCCM/Endpoint Manager — installs services, authenticates Type 3, creates files in C:\Windows\. Know its accounts and source IPs.
  • Vulnerability scanners — will generate many Type 3 logons. Filter on known scanner IPs.
  • IT automation (Ansible, Chef, Puppet) — may use WMI or SMB. Baseline expected behavior first.

Document these exclusions in your hunt notes — they become the foundation of your long-term detection tuning.
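The following query is an added example, not part of the original playbook: it walks the four-step chain from "Correlation: Tying It Together" as a single KQL pipeline and applies the exclusions from "False Positive Baseline" up front. It assumes the Sentinel SecurityEvent and Event tables and the "Name: value" RenderedDescription layout used by the Sysmon queries in the phases above. The 30-second service-install window comes from the playbook; the 7-day lookback, the 5-minute process window, and the KnownAutomation allowlist entries are constructed placeholders to replace with your own documented exclusions.

```kql
// Added example: correlate logon -> service install -> spawned process -> fan-out per host.
let lookback = 7d;
let service_window = 30s;   // step 2: service installed within 30 seconds of the logon (from the playbook)
let process_window = 5m;    // step 3: assumed window for the spawned process
// Constructed allowlist standing in for your baselined SCCM, scanner and automation sources.
let KnownAutomation = datatable(SourceIp:string, Owner:string) [
    "10.0.5.10", "SCCM distribution point (placeholder)",
    "10.0.9.20", "Vulnerability scanner (placeholder)"
];
// Step 1: Type 3 logons from non-computer accounts, minus baselined source IPs.
let NetLogons = SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624 and LogonType == 3
| where AccountName !endswith "$"
| where IpAddress !in ("127.0.0.1", "::1", "-")
| join kind=leftanti KnownAutomation on $left.IpAddress == $right.SourceIp
| project LogonTime = TimeGenerated, Computer, AccountName, IpAddress;
// Step 2: service installs (System 7045) on the same host.
let ServiceInstalls = Event
| where TimeGenerated > ago(lookback)
| where Source == "Service Control Manager" and EventID == 7045
| extend ServiceName = trim(" ", extract(@"(?i)service name:\s*([^\r\n]+)", 1, RenderedDescription)),
         ServicePath = trim(" ", extract(@"(?i)service file name:\s*([^\r\n]+)", 1, RenderedDescription))
| project ServiceTime = TimeGenerated, Computer, ServiceName, ServicePath;
// Step 3: Sysmon 1 children of services.exe or WmiPrvSE.exe; keep ProcessGuid to link to network events.
let SpawnedProcs = Event
| where TimeGenerated > ago(lookback)
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| extend Image = extract(@"(?:^|\n)Image:\s*([^\r\n]+)", 1, RenderedDescription),
         ParentImage = extract(@"ParentImage:\s*([^\r\n]+)", 1, RenderedDescription),
         ProcessGuid = extract(@"(?:^|\n)ProcessGuid:\s*([^\r\n]+)", 1, RenderedDescription)
| where ParentImage endswith "services.exe" or ParentImage endswith "WmiPrvSE.exe"
| project ProcTime = TimeGenerated, Computer, Image, ParentImage, ProcessGuid;
// Step 4: Sysmon 3 connections from those processes to other internal (RFC 1918) hosts.
let NetConns = Event
| where TimeGenerated > ago(lookback)
| where Source == "Microsoft-Windows-Sysmon" and EventID == 3
| extend ProcessGuid = extract(@"(?:^|\n)ProcessGuid:\s*([^\r\n]+)", 1, RenderedDescription),
         DestinationIp = extract(@"DestinationIp:\s*([^\r\n]+)", 1, RenderedDescription)
| where ipv4_is_private(DestinationIp)
| summarize FanOut = dcount(DestinationIp), Destinations = make_set(DestinationIp, 20) by Computer, ProcessGuid;
// Chain the steps: same host, service install inside the 30 s window, process inside the 5 min window.
NetLogons
| join kind=inner ServiceInstalls on Computer
| where ServiceTime between (LogonTime .. (LogonTime + service_window))
| join kind=inner SpawnedProcs on Computer
| where ProcTime between (LogonTime .. (LogonTime + process_window))
| join kind=leftouter NetConns on Computer, ProcessGuid   // step 4 is optional evidence, so keep rows without it
| project LogonTime, Computer, AccountName, IpAddress, ServiceName, ServicePath, Image, ParentImage, FanOut, Destinations
| sort by LogonTime desc
```

Each row is one suspect timeline: a source IP and account that logged on over the network, installed a service within 30 seconds, and had services.exe or WmiPrvSE.exe spawn a child shortly after; FanOut and Destinations are populated only when that child also reached other internal hosts, which is the fourth link in the chain. Feed the source IPs you clear during review back into KnownAutomation so the exclusion list grows with your hunt notes.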