Detecting Lateral Movement with SMB and WinRM Telemetry

Lateral movement is the point where an intrusion turns into a breach. Two of the most common Windows pathways are SMB (port 445) and WinRM (ports 5985 and 5986). If you can monitor how these protocols are used, you can detect attackers moving between hosts before they reach critical assets.

This post focuses on practical telemetry: Windows Security logs, Sysmon, and a few high-value correlations. The goal is to produce actionable detections, not just raw event noise.

Baseline the lab

Start with a small Active Directory lab. Create at least two member servers and one workstation. Ensure Sysmon is deployed and WEF is forwarding to a collector. In addition, collect Security log events 4624 (logon), 4672 (privileged logon), and 4688 (process creation).

SMB and WinRM are legitimate admin tools, so you need a baseline. Identify which hosts normally initiate admin sessions and which accounts are used. Any deviation is a strong signal.

Key events for SMB

SMB lateral movement typically produces these signals:

  • 4624 logon type 3 (network logon) on the target
  • 4672 for privileged accounts
  • 4688 process creation of cmd.exe, PSEXESVC.exe, or wmic.exe
  • Sysmon Event ID 3 with destination port 445

If you also collect network logs, you can correlate a new SMB session with a new process on the target within a small time window.

Key events for WinRM

WinRM uses HTTP(S) and is common in modern admin workflows. The traces you want are:

  • 4624 logon type 3 on the target
  • PowerShell operational logs for remote session creation
  • Sysmon Event ID 1 for wsmprovhost.exe or powershell.exe
  • Sysmon Event ID 3 for destination port 5985 or 5986

WinRM is often used by automation tools, so pay attention to service accounts and scheduled tasks that legitimately use it.

Additional Windows events to include

If you only collect a handful of event IDs, add these:

  • 7045 (Service creation) in the System log. This is common with PsExec and remote service installs.
  • 4697 (Service installation) in the Security log.
  • 4720/4728 (User and group changes) for persistence that often follows lateral movement.
  • 1102 (Audit log cleared) as a potential covering tracks signal.

These events provide the context that tells you what happened after the remote logon, which is often more actionable than the logon itself.

SMB signing and authentication context

If SMB signing is disabled, an attacker can perform relay attacks that look like normal logons. Enable SMB signing where possible and track the Authentication Package and Logon Process fields in 4624 events. NTLM logons from unexpected hosts are high risk, especially when Kerberos should be available.

For labs, you can simulate this by forcing NTLM on a test host and verifying that the logon process changes. This gives you a baseline to detect NTLM fallback in production.

Network telemetry cross-check

If you have Zeek or Suricata, add network context. SMB connections will show up as a spike in conn.log for port 445, and WinRM will show up on 5985 or 5986. Correlate these with host logons to confirm the source and destination pair.

This is especially useful when host logs are incomplete. A host might miss Event ID 4688 due to log size limits, but the network sensor will still show the connection. Combining both gives you more reliable detection.

Tool-specific artifacts

Common lateral movement tools leave unique traces. PsExec installs a temporary service (PSEXESVC) and writes an executable to ADMIN$. WMI creates wmic.exe or wmiprvse.exe activity on the target. WinRM often spawns wsmprovhost.exe. Track these artifacts because they often appear even when other logs are sparse.

In a lab, trigger each tool once and record the exact event IDs and file paths. Then write a detection that looks for those artifacts plus a remote logon. This provides a concrete signal that is easy to validate and reduces false positives from generic 4624 events.

Correlation logic

A simple correlation can be expressed as: a new network logon to a host followed by process creation of remote execution tooling within 5 minutes, with a matching network connection to the same host.

Here is a Sigma-like pseudo rule for a lab SIEM:

title: Suspicious SMB Lateral Movement
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith:
      - "\\cmd.exe"
      - "\\psexec.exe"
      # PSEXESVC.exe is the service-side binary PsExec installs on the target
      - "\\PSEXESVC.exe"
      - "\\wmic.exe"
    ParentImage|endswith:
      - "\\services.exe"
  condition: selection

Pair this with a network detection that watches for SMB connections initiated by non-admin workstations.

Practical KQL example

If you are using OpenSearch or another SIEM with KQL support, this query finds remote logons followed by process creation within 5 minutes.

SecurityEvent   // table name as in Microsoft Sentinel; adjust for your SIEM
| where EventID == 4624 and LogonType == 3
| join kind=inner (
    SecurityEvent
    | where EventID == 4688
    | where NewProcessName has_any ("cmd.exe", "psexec.exe", "wmic.exe")
  ) on Computer
// process creation must follow the logon, not precede it
| where datetime_diff("minute", TimeGenerated1, TimeGenerated) between (0 .. 5)

You can tighten this by excluding known admin hosts or by limiting it to hosts that rarely receive remote logons.

Enrichment and context

Add context to reduce false positives:

  • Tag admin jump hosts and allow their activity.
  • Flag remote logons from user workstations as higher risk.
  • Track service accounts and alert if they appear on new hosts.
  • Correlate with DNS to see if the source host was recently resolving unusual domains.
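The correlation described above (a network logon, then remote-execution tooling on the same host within 5 minutes, confirmed by a matching connection on 445/5985/5986), combined with the jump-host allowlist and the NTLM-context check from the SMB signing section, as an added Python example over constructed events. It is not code from the post; the host names, IPs, jump-host list and field layout are lab assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names follow the Security
# log (4624/4688); the Sysmon 3 record is the inbound connection as logged on the target.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "Computer": "srv01", "IpAddress": "10.0.0.50",
     "TargetUserName": "jdoe", "AuthenticationPackageName": "NTLM", "Time": "2024-01-10T10:00:00"},
    {"EventID": 3, "Computer": "srv01", "SourceIp": "10.0.0.50", "DestinationPort": 445,
     "Initiated": False, "Time": "2024-01-10T10:00:02"},
    {"EventID": 4688, "Computer": "srv01", "NewProcessName": "C:\\Windows\\PSEXESVC.exe",
     "Time": "2024-01-10T10:01:30"},
    # Legitimate WinRM admin activity from the tagged jump host: must not alert.
    {"EventID": 4624, "LogonType": 3, "Computer": "srv02", "IpAddress": "10.0.0.10",
     "TargetUserName": "admin", "AuthenticationPackageName": "Kerberos", "Time": "2024-01-10T11:00:00"},
    {"EventID": 3, "Computer": "srv02", "SourceIp": "10.0.0.10", "DestinationPort": 5985,
     "Initiated": False, "Time": "2024-01-10T11:00:01"},
    {"EventID": 4688, "Computer": "srv02", "NewProcessName": "C:\\Windows\\System32\\wsmprovhost.exe",
     "Time": "2024-01-10T11:00:05"},
]

JUMP_HOSTS = {"10.0.0.10"}  # assumed admin jump hosts for the lab
REMOTE_EXEC = {"cmd.exe", "psexesvc.exe", "wmic.exe", "wsmprovhost.exe", "powershell.exe"}
LATERAL_PORTS = {445, 5985, 5986}
WINDOW = timedelta(minutes=5)

def correlate(events, jump_hosts=JUMP_HOSTS, window=WINDOW):
    """Return alerts: network logon -> remote-exec process on the same host within
    `window`, confirmed by an inbound connection from the logon source on a lateral port."""
    ts = lambda e: datetime.fromisoformat(e["Time"])
    logons = [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 3
              and e["IpAddress"] not in jump_hosts]
    alerts = []
    for lo in logons:
        host, t0 = lo["Computer"], ts(lo)
        procs = [e for e in events if e["EventID"] == 4688 and e["Computer"] == host
                 and e["NewProcessName"].rsplit("\\", 1)[-1].lower() in REMOTE_EXEC
                 and timedelta(0) <= ts(e) - t0 <= window]   # process must follow the logon
        conns = [e for e in events if e["EventID"] == 3 and e["Computer"] == host
                 and e["SourceIp"] == lo["IpAddress"] and e["DestinationPort"] in LATERAL_PORTS
                 and abs(ts(e) - t0) <= window]
        if procs and conns:
            alerts.append({"host": host, "source": lo["IpAddress"], "user": lo["TargetUserName"],
                           "process": procs[0]["NewProcessName"].rsplit("\\", 1)[-1],
                           "port": conns[0]["DestinationPort"],
                           # NTLM where Kerberos should be available raises the risk
                           "risk": "high" if lo["AuthenticationPackageName"] == "NTLM" else "medium"})
    return alerts
```

Dropping the jump-host allowlist (`correlate(EVENTS, jump_hosts=set())`) makes the srv02 session alert too, which is the false positive the enrichment step is meant to remove.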

Lab validation

Test your detection by using psexec or a simple WinRM session to a member server. Verify the logon event and the process creation event appear and that the correlation query returns a hit.

For WinRM, a simple test command from a workstation looks like this:

Invoke-Command -ComputerName srv01 -ScriptBlock { hostname }

You should see wsmprovhost.exe on the target and a new network logon from the source.

Lab checklist

Use this list to validate your lateral movement detections:

  • Trigger a PsExec session and confirm service creation (7045) on the target.
  • Run a WinRM command and verify wsmprovhost.exe plus 4624 logon type 3.
  • Correlate the host logon with a network connection on ports 445 or 5985.
  • Confirm your alert excludes known admin jump hosts and service accounts.

Takeaways

Lateral movement detection is not about one perfect log source. It is about combining weak signals into a strong pattern. SMB and WinRM are common pathways, so build detections around them, validate in a lab, and iterate on baselines. If you can do that, you will catch a large class of real world intrusions early in the kill chain.

This post is licensed under CC BY 4.0 by the author.