This note documents detection patterns related to Remote Execution within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects remote execution binaries and resulting commands. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for remotely spawned processes. |
| Security | 4624 | Successful logon | Critical | Logon type often reveals remote execution context. |
| Security | 4648 | Explicit credentials used | Critical | Strong remote execution precursor. |
| Sysmon | 3 | Network connection | High | RPC / SMB / WinRM / WMI communication. |
| Security | 4697 | Service installed | High | PsExec-style service creation. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Remote admin tool launches shell | cmd / powershell from service/WMI | Critical | Core remote execution signal. |
| New service appears briefly | Temporary service for payload | Critical | PsExec pattern. |
| Explicit creds before execution | 4648 before remote action | Critical | Strong operator chain. |
| wmiprvse child shell | WMI remote execution | Critical | Very high-value clue. |
| WinRM parent chain | wsmprovhost spawning shell | Critical | Common enterprise abuse. |
| Admin share touch before execution | ADMIN$ activity | High | Deployment clue. |
Common Tools
| Tool | Usage |
|---|---|
| PsExec | Service-based remote shell |
| wmiexec | WMI command execution |
| WinRM | Remote PowerShell |
| schtasks | Remote scheduled execution |
| sc.exe | Remote service launch |
Relevant Artifacts
- Security Event IDs 4688, 4624, 4648, 4697
- Sysmon Event IDs 1, 3
- Prefetch: PSEXESVC.EXE, SC.EXE, SCHTASKS.EXE
- WMI activity logs
- WinRM logs
- ADMIN$ artifacts
- EDR process tree
MITRE ATT&CK References
- T1021 Remote Services
- T1047 Windows Management Instrumentation
- T1569 Service Execution
Decision Tree
- Which remote method?
  - Service
  - WMI
  - WinRM
  - Scheduled task
- Authentication observed?
  - 4624
  - 4648
- Parent process suspicious?
  - services.exe
  - wmiprvse.exe
  - wsmprovhost.exe
- Follow-up activity?
  - Enumeration
  - Dumping
  - Persistence
- Expand:
  - Source host
  - Shares
  - Credentials used
- Scope:
  - Single remote action
  - Multi-host spread
  - Automation chain
Example Detection Templates
KQL

```kusto
// Processes spawned by remote-execution host processes
SecurityEvent
| where EventID == 4688
| where ParentProcessName has_any ("wmiprvse.exe","services.exe","wsmprovhost.exe")
| project TimeGenerated, Computer, ParentProcessName, NewProcessName, CommandLine

// Explicit credential use and service installation
SecurityEvent
| where EventID in (4648,4697)
| project TimeGenerated, Computer, Account, EventID
```
EQL

```eql
// Standalone signal: child of a remote-execution parent
process where process.parent.name in ("wmiprvse.exe","services.exe","wsmprovhost.exe")

// Chain: explicit credentials, then remote-parented process on the same host within 10 minutes
sequence by host.name with maxspan=10m
  [ authentication where event.code == "4648" ]
  [ process where process.parent.name in ("wmiprvse.exe","services.exe") ]
```
Sigma

```yaml
title: Remote Execution Detection
id: 6c4e2a11-remote-exec
status: experimental
description: Detects suspicious remote command execution patterns
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    ParentProcessName|endswith:
      - '\wmiprvse.exe'
      - '\services.exe'
      - '\wsmprovhost.exe'
  condition: selection
fields:
  - ParentProcessName
  - NewProcessName
  - CommandLine
falsepositives:
  - Legitimate administration
level: high
tags:
  - attack.execution
  - attack.lateral_movement
```
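
As an added example (not part of the original note), the Python below implements the 4648-then-4688 correlation that the EQL sequence above expresses, run over constructed sample events; the field names (`host`, `parent`, `cmdline`) are simplified stand-ins for the Security log schema, not the real field names. It also shows why the correlation matters: the standalone parent check flags a benign services.exe child that the chained check does not.

```python
from datetime import datetime, timedelta

# Remote-execution host processes named in this note.
REMOTE_PARENTS = {"wmiprvse.exe", "services.exe", "wsmprovhost.exe"}

# Constructed sample events (not real telemetry); simplified field names stand in for 4648 / 4688 fields.
SAMPLE_EVENTS = [
    {"time": "2026-03-07T10:00:05", "host": "WS01", "id": 4648, "account": "svc-admin"},
    {"time": "2026-03-07T10:03:10", "host": "WS01", "id": 4688,
     "parent": r"C:\Windows\System32\wbem\wmiprvse.exe", "cmdline": "cmd.exe /c whoami"},
    # services.exe spawning svchost.exe with no preceding 4648: normal activity
    {"time": "2026-03-07T10:40:00", "host": "WS02", "id": 4688,
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"time": "2026-03-07T11:00:00", "host": "WS03", "id": 4688,
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
]

def parent_name(path):
    """Lowercased basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def remote_exec_children(events):
    """Standalone signal: every 4688 whose parent is a remote-execution host process."""
    return [e for e in events
            if e["id"] == 4688 and parent_name(e["parent"]) in REMOTE_PARENTS]

def correlate_4648_then_exec(events, maxspan_minutes=10):
    """High-confidence chain: a 4648 on a host followed, within maxspan_minutes,
    by a remote-parented 4688 on the same host. Returns (logon, process) pairs."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    maxspan = timedelta(minutes=maxspan_minutes)
    hits = []
    for i, logon in enumerate(ordered):
        if logon["id"] != 4648:
            continue
        t0 = datetime.fromisoformat(logon["time"])
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["time"]) - t0 > maxspan:
                break  # events are time-ordered; nothing later can be in the window
            if (later["host"] == logon["host"] and later["id"] == 4688
                    and parent_name(later["parent"]) in REMOTE_PARENTS):
                hits.append((logon, later))
    return hits

if __name__ == "__main__":
    for logon, proc in correlate_4648_then_exec(SAMPLE_EVENTS):
        print(f"{proc['host']}: {logon['account']} -> "
              f"{parent_name(proc['parent'])} spawned {proc['cmdline']}")
```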
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Alert on remote parents | Watch wmiprvse/services/wsmprovhost | Critical | Strong signal |
| Correlate 4648 + execution | High-confidence chain | Critical | Excellent triage anchor |
| Monitor temporary services | Detect PsExec pattern | High | Valuable indicator |
| Restrict remote admin paths | Reduce abuse surface | High | Prevent misuse |
| Preserve source host context | Essential for reconstruction | Critical | Scope attacker reach |