This note documents detection patterns related to SMBExec within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | High | Logon Type 3 (network) with the admin account; IpAddress identifies the attacking host. |
| Security | 4672 | Special privileges assigned | High | Follows the 4624 for the same Logon ID and confirms the account held administrative privileges on the target. |
| Security | 4697 | A service was installed in the system | Critical | Security-log counterpart of 7045; only logged when the Audit Security System Extension subcategory is enabled. |
| Security | 5140 / 5145 | Network share accessed / share object access checked | Medium | IPC$ (svcctl named pipe used to create the service) and the share that receives the command output, C$ by default for smbexec.py. 5145 records the relative target name, e.g. the __output file. |
| System | 7045 | A service was installed in the system | Critical | Logged by Service Control Manager, not in the Security log. For smbexec.py the ImagePath is a cmd.exe one-liner rather than a service executable, and a new 7045 is written for every command issued. |
| Sysmon | 1 | Process creation | High | services.exe spawns cmd.exe whose command line echoes the operator's command into a batch file and redirects its output to the share. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Temporary service creation | Short-lived service whose binary path is a cmd.exe /Q /c echo ... ^> ... > ....bat chain instead of an executable | Critical | Typical SMBExec behavior; smbexec.py defaults to the service name BTOBTO, a batch file %TEMP%\execute.bat and an output file named __output. |
| Admin share access | IPC$ (svcctl pipe) together with C$ or ADMIN$ file access from the same source IP | High | SMBExec delivers no payload binary; the share carries the command output back to the operator. A service executable copied to ADMIN$ points to PsExec-style execution instead. |
| Service install followed by deletion | 7045 quickly followed by removal of the service key under HKLM\SYSTEM\CurrentControlSet\Services (Sysmon 12 registry object delete) | High | Common lateral movement pattern; repeated install/delete cycles with the same service name are one smbexec session issuing several commands. |
Common Tools
| Tool | Usage |
|---|---|
| Impacket smbexec.py | Remote command execution by creating a service over SMB (SCM RPC via the svcctl pipe) whose binary path is the command itself; output is read back from a share, C$ by default. |
| CrackMapExec / NetExec | `-x <command> --exec-method smbexec` reproduces the same service-based execution across many hosts at once. |
| Metasploit psexec modules | auxiliary/admin/smb/psexec_command uses the same service-binary-path trick and reads output from a share; exploit/windows/smb/psexec instead uploads a service executable to ADMIN$. |
Relevant Artifacts
- Security log (4624 with Logon Type 3, 4672, 4697, 5140/5145)
- System log (7045 from Service Control Manager)
- Sysmon process events (1: services.exe spawning cmd.exe) and registry events (12/13 on the service key)
- Service registry key creation and deletion under HKLM\SYSTEM\CurrentControlSet\Services
- EDR telemetry
MITRE ATT&CK References
- T1021.002 SMB/Windows Admin Shares
- T1569.002 Service Execution
Decision Tree
- Detect a service installation event (System 7045 or Security 4697) whose binary path is a cmd.exe one-liner rather than a service executable.
- Identify the originating host from the IpAddress of the Logon Type 3 4624 that preceded the install on the same target.
- Confirm administrative authentication: a 4672 for the same Logon ID, or a 4624 account that is a local or domain administrator.
- Pivot to the service ImagePath and the matching Sysmon 1 command line to recover the command that was executed.
- Determine lateral movement scope by searching all hosts for 7045 events with the same ImagePath pattern or service name attributed to the same source IP or account.
Example Detection Templates
KQL

```kusto
// System-log 7045 whose service binary path has the smbexec echo-to-batch shape,
// joined to the network logon that preceded it on the same host within a minute
Event
| where EventLog == "System" and EventID == 7045
| where RenderedDescription has_any ("__output", "execute.bat")
    or RenderedDescription matches regex @"(?i)echo .+> *%TEMP%\\.+\.bat"
| project InstallTime = TimeGenerated, Computer, RenderedDescription
| join kind=inner (
    SecurityEvent
    | where EventID == 4624 and LogonType == 3
    | project Computer, LogonTime = TimeGenerated, SourceIp = IpAddress, Account
  ) on Computer
| where LogonTime between ((InstallTime - 1m) .. InstallTime)
```

EQL

```eql
// Network logon followed within a minute by a 7045 whose ImagePath matches smbexec
sequence by host.name with maxspan=1m
  [any where event.code == "4624" and winlog.event_data.LogonType == "3"]
  [any where event.code == "7045" and
     winlog.event_data.ImagePath : ("*__output*", "*execute.bat*", "*echo*.bat*")]
```

Sigma

```yaml
title: SMBExec Service Execution
status: experimental
description: Service installation whose binary path is the cmd.exe echo/redirect one-liner used by Impacket smbexec.py and its clones
logsource:
  product: windows
  service: system
detection:
  selection:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
  smbexec_defaults:
    ImagePath|contains|all:
      - '__output'
      - 'execute.bat'
  smbexec_shape:
    ImagePath|contains|all:
      - 'echo '
      - '.bat'
      - '2^>^&1'
  condition: selection and (smbexec_defaults or smbexec_shape)
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.lateral_movement
  - attack.t1569.002
  - attack.t1021.002
```
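The decision tree and the templates above, expressed as runnable correlation logic. This is an added example, not code from the original note or from Impacket: it walks a handful of constructed events (Security 4624/4672, System 7045, Sysmon 1) and attributes each SMBExec-shaped service install to its source. Field names follow the real EventData names; the Event class, the sample hosts, accounts, addresses and timestamps, and the 60-second and 10-second correlation windows are assumptions made for this example.

```python
"""Added example (not from the original note): the SMBExec decision tree as code."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Impacket smbexec.py defaults: output file "__output" on the share, batch file
# "execute.bat" in %TEMP%. Operators can rename both, so also match the shape of the
# one-liner: echo <command> with redirection into a %TEMP% batch file.
SMBEXEC_MARKERS = ("__output", "execute.bat")
ECHO_TO_BATCH_RE = re.compile(r"echo .+> *%TEMP%\\.+\.bat", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    host: str        # computer that logged the event
    log: str         # "Security", "System" or "Sysmon"
    event_id: int
    data: dict       # EventData fields as a log pipeline would parse them


def is_smbexec_service(image_path: str) -> bool:
    """Step 1 filter: does a 7045 ImagePath look like the smbexec cmd.exe one-liner?"""
    lowered = image_path.lower()
    if all(marker in lowered for marker in SMBEXEC_MARKERS):
        return True
    runs_cmd = "cmd.exe" in lowered or "%comspec%" in lowered
    return runs_cmd and ECHO_TO_BATCH_RE.search(image_path) is not None


def find_service_installs(events):
    """Step 1: service installation events whose binary path matches SMBExec."""
    return [e for e in events
            if e.log == "System" and e.event_id == 7045
            and is_smbexec_service(e.data.get("ImagePath", ""))]


def attribute_source(install, events, window=timedelta(seconds=60)):
    """Steps 2-3: latest Logon Type 3 (network) 4624 on the same host inside `window`
    before the install, plus whether a 4672 for that Logon ID confirms admin rights."""
    logons = [e for e in events
              if e.host == install.host and e.log == "Security" and e.event_id == 4624
              and e.data.get("LogonType") == "3"
              and install.ts - window <= e.ts <= install.ts]
    if not logons:
        return None
    logon = max(logons, key=lambda e: e.ts)
    logon_id = logon.data.get("TargetLogonId")
    privileged = any(e.host == install.host and e.log == "Security" and e.event_id == 4672
                     and e.data.get("SubjectLogonId") == logon_id
                     for e in events)
    return {"source_ip": logon.data.get("IpAddress"),
            "user": logon.data.get("TargetUserName"),
            "logon_id": logon_id,
            "privileged": privileged}


def executed_command(install, events, window=timedelta(seconds=10)):
    """Step 4: the Sysmon 1 event in which services.exe spawned the service command."""
    for e in events:
        if (e.host == install.host and e.log == "Sysmon" and e.event_id == 1
                and e.data.get("ParentImage", "").lower().endswith("services.exe")
                and install.ts <= e.ts <= install.ts + window):
            return e.data.get("CommandLine")
    return None


def lateral_movement_scope(events):
    """Step 5: SMBExec installs grouped by attributed source IP -> set of target hosts."""
    scope = {}
    for install in find_service_installs(events):
        source = attribute_source(install, events)
        key = source["source_ip"] if source else "unattributed"
        scope.setdefault(key, set()).add(install.host)
    return scope


# Constructed sample events (not real telemetry). The ImagePath is the smbexec.py
# default one-liner carrying the operator command "whoami".
T0 = datetime(2024, 5, 1, 12, 0, 0)
SMBEXEC_IMAGEPATH = (r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 "
                     r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat "
                     r"& del %TEMP%\execute.bat")
SAMPLE_EVENTS = [
    Event(T0, "WS01", "Security", 4624, {"LogonType": "3", "TargetUserName": "svc_admin",
                                         "IpAddress": "10.0.0.5", "TargetLogonId": "0x3E7A1"}),
    Event(T0 + timedelta(seconds=1), "WS01", "Security", 4672,
          {"SubjectUserName": "svc_admin", "SubjectLogonId": "0x3E7A1"}),
    Event(T0 + timedelta(seconds=2), "WS01", "System", 7045,
          {"ServiceName": "BTOBTO", "ImagePath": SMBEXEC_IMAGEPATH}),
    Event(T0 + timedelta(seconds=3), "WS01", "Sysmon", 1,
          {"Image": r"C:\Windows\System32\cmd.exe",
           "ParentImage": r"C:\Windows\System32\services.exe",
           "CommandLine": SMBEXEC_IMAGEPATH}),
    # Benign install: a normal executable path, no echo/redirect chain.
    Event(T0 + timedelta(minutes=5), "WS02", "System", 7045,
          {"ServiceName": "Sense",
           "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"'}),
    # The same source hits a second host; no 4672 and no Sysmon coverage there.
    Event(T0 + timedelta(minutes=10), "WS03", "Security", 4624,
          {"LogonType": "3", "TargetUserName": "svc_admin",
           "IpAddress": "10.0.0.5", "TargetLogonId": "0x5B120"}),
    Event(T0 + timedelta(minutes=10, seconds=2), "WS03", "System", 7045,
          {"ServiceName": "BTOBTO", "ImagePath": SMBEXEC_IMAGEPATH}),
]

if __name__ == "__main__":
    for install in find_service_installs(SAMPLE_EVENTS):
        print(install.host, install.data["ServiceName"],
              attribute_source(install, SAMPLE_EVENTS), executed_command(install, SAMPLE_EVENTS))
    print(lateral_movement_scope(SAMPLE_EVENTS))
```

Run against the constructed events, the benign MsSense.exe install on WS02 is ignored, both BTOBTO installs are attributed to 10.0.0.5 as svc_admin, the WS01 hit is confirmed privileged by its 4672 and yields the executed command line from Sysmon, and the scope summary shows the one source reaching two targets. The regex fallback is what keeps renamed output and batch files from slipping past the default-marker check.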
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| SMB restrictions | Block inbound TCP 445 to workstations with the host firewall except from designated management hosts | High | Removes the SCM-over-SMB path that remote service creation depends on. |
| Monitoring | Forward the System log, enable Audit Security System Extension (4697), and alert on ImagePath values containing cmd.exe, echo or a .bat file | High | Ordinary service installs name an executable; the one-liner shape is the detection hook. |
| Least privilege | Tiered administration, LAPS for local administrator passwords, and denying network logon to local administrators | Critical | SMBExec needs admin rights on the target; unique local passwords and tiering stop one credential from opening every host. |