{"id":10555,"date":"2020-07-08T09:00:00","date_gmt":"2020-07-08T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-4\/"},"modified":"2026-05-25T10:33:03","modified_gmt":"2026-05-25T09:33:03","slug":"attack-detection-fundamentals-discovery-and-lateral-movement-lab-4","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-4\/","title":{"rendered":"Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #4"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; <span class=\"blue-text\">Lab #4<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                     
                               <span class=\"wp-component-content__meta-category\">\n                                        Endpoint Security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Network Security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                08 7\u6708, 2020                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    \u30b7\u30a7\u30a2\u3059\u308b                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-4\/&#038;title=Attack%20Detection%20Fundamentals:%20Discovery%20and%20Lateral%20Movement%20&#8211;%20Lab%20#4\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon 
edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #4&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-4\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"\u30c4\u30a4\u30c3\u30bf\u30fc\u3067\u5171\u6709\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp 1200w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_82dffe71b51364e1c62ee807f3b30cc5\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 
6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Alfie Champion<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                \u30b3\u30f3\u30c6\u30f3\u30c4\u30ca\u30d3\u30b2\u30fc\u30b7\u30e7\u30f3            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    \u30bb\u30af\u30b7\u30e7\u30f3\u3092\u9078\u629e                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    
class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-4\/&#038;title=Attack%20Detection%20Fundamentals:%20Discovery%20and%20Lateral%20Movement%20&#8211;%20Lab%20#4\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #4&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-4\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"\u30c4\u30a4\u30c3\u30bf\u30fc\u3067\u5171\u6709\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                
<div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the third part of WithSecure Consulting&#x27;s Attack Detection Workshop series, covering Discovery and Lateral Movement, we explored a number of offensive techniques for discovering assets of value, be that users or file shares, and methods for moving between compromised hosts.<\/p>\n<p>We also explored the detection strategies that can be employed to spot these using our own detection stacks. As with previous workshops, the following blog provides a fourth step-by-step guide to recreating the demos from that Discovery and Lateral Movement workshop, as well as exercises to further the reader&#x27;s understanding of the concepts shown.<\/p>\n<p>A recording of the workshop can be found <a href=\"https:\/\/youtu.be\/Pv8eHC1a_bc\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In the previous labs (<a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-1\/\" target=\"_blank\" rel=\"noopener\">here<\/a>, <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-2\/\" target=\"_blank\" rel=\"noopener\">here<\/a> and <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-3\/\" target=\"_blank\" rel=\"noopener\">here<\/a>), we\u2019ve looked at Discovery techniques for enumerating users and groups, and opportunities to detect this based on suspicious LDAP queries using telemetry from ETW. We also used object access audit logs for the purposes of detecting share access and our use of an exposed share for pivoting using C3. 
In several cases, we\u2019ve also taken a look at the code bases of our attacker tooling to identify opportunities to detect it.<\/p>\n<p>For this lab, we\u2019re going to be taking a look at the SysInternals tool, PsExec. Many will be familiar with its use amongst system administrators, and many threat actors have used it as a means of lateral movement! In terms of detection opportunities, we\u2019re going to be focusing largely on the event log entries that it produces, augmenting this with telemetry from Sysmon. The research paper on Lateral Movement from JPCERT, linked in the references below, is a definitive resource on this topic and covers many other techniques aside from PsExec.<\/p>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/psexec\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/psexec<\/a><\/li>\n<li><a href=\"https:\/\/www.jpcert.or.jp\/english\/pub\/sr\/20170612ac-ir_research_en.pdf\" target=\"_blank\" rel=\"noopener\">https:\/\/www.jpcert.or.jp\/english\/pub\/sr\/20170612ac-ir_research_en.pdf<\/a><\/li>\n<\/ul>\n<p>DISCLAIMER: Set up of the tools and the testing environment might not be covered comprehensively within this lab. We will assume basic familiarity with Linux\/Windows command line and the ability of the reader to deploy the necessary frameworks. For that, it is recommended to follow the suggested references for the official tutorials and walkthrough published by the framework&#x27;s author.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>Active Directory domain with at least one DC and workstation<\/li>\n<li>HELK (optional)<\/li>\n<li>Sysmon<\/li>\n<li>Wireshark<\/li>\n<li>Metasploit<\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<h3>1 \u2013 Basic Execution<\/h3>\n<p>Using PsExec is super-simple from an end-user perspective. In our scenario we\u2019re going to be executing it from a workstation to execute commands on our domain controller. 
Download the PsExec executable onto our workstation and open a Command Prompt.<\/p>\n<p>Execute a \u201crunas\u201d command to spawn a new prompt in the context of a user with admin control of the target host. The command should look something like this:<\/p>\n<pre><code class=\"language-bash\">runas \/user:UK\\Administrator cmd<\/code><\/pre>\n<p>We can verify we are in the correct user context by attempting to list the C drive of our target host using a simple \u201cdir\u201d command:<\/p>\n<pre><code class=\"language-bash\">dir \\\\dc2\\c$<\/code><\/pre>\n<p>If we\u2019ve successfully launched a session as our Administrator user, we should see the contents of the domain controller C drive listed.<\/p>\n<p>Now we can execute PsExec to obtain a semi-interactive shell on the target. Run the following command:<\/p>\n<pre><code class=\"language-bash\">PsExec.exe -accepteula \\\\dc2 cmd<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/psexec-execution.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>And that\u2019s it \u2013 simple! We can execute commands on the domain controller.<\/p>\n<h3>2 \u2013 Detection at Source<\/h3>\n<p>While seamless to the end user, there\u2019s a lot going on both on our workstation host and our target host. We\u2019ll dig into the workstation telemetry first.<\/p>\n<p>The first thing we can see here is our use of alternative credentials. In order to access our target host, we\u2019ve had to authenticate as the \u201cAdministrator\u201d user and, in doing so, we\u2019ve generated a 4648 in the Security log. 
In our scenario, immediately we\u2019ve identified a detection opportunity as our standard workstation user has suddenly escalated to Domain Administrator!<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/4648-source.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Of course, in a more realistic scenario it\u2019s not going to be as \u2018cut and dried\u2019 as that, especially where PsExec is used as a legitimate admin tool. Furthermore, if we\u2019d logged on to our workstation as a user who already holds administrative privileges on the target host, rather than using runas to switch context, we wouldn\u2019t have generated this event. Let\u2019s keep going.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/psexec-source.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The next event, one which we\u2019ve seen many times throughout this series, is the Sysmon EID 1 process creation event. In the above screenshot, we can see PsExec.exe running on our workstation host.<\/p>\n<p>One simple tactic to evade detection logic based on this event alone is to change the name of the executable! Inspecting the subsequent process creation event, we get the following:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/renamed-psexec.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Note the changed \u201cImage\u201d entry, with all the surrounding metadata of PsExec remaining and the \u201cOriginalFileName\u201d entry still carrying the \u201cpsexec\u201d name. Focussing solely on this event, we have opportunities to alert upon attempted evasion. 
We\u2019ll look at more behavioural detection shortly using a Sigma rule from Samir Bousseaden as inspiration.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/eula-accepted.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>A final event on our source host is the setting of a registry key value to confirm we have accepted the EULA for the PsExec tool upon its first <a href=\"https:\/\/www.jpcert.or.jp\/english\/pub\/sr\/20170612ac-ir_research_en.pdf\" target=\"_blank\" rel=\"noopener\">use<\/a>. This registry key is located at the following path:<\/p>\n<pre><code class=\"language-bash\">HKEY_USERS\\[SID]\\Software\\Sysinternals\\PsExec\\EulaAccepted<\/code><\/pre>\n<p>Obviously, in the event that malicious use of PsExec is taking place on a host that has previously executed the tool, this offers us little from a detection perspective. Nevertheless, querying standard user workstations for the presence of this key could be a useful hunting exercise.<\/p>\n<p>It\u2019s worth mentioning here too that an attacker could well operate from a host upon which we don\u2019t have visibility, either by physically connecting their own device to the corporate network, or through proxying their traffic through an initially compromised host.<\/p>\n<h3>3 \u2013 Detection on Target<\/h3>\n<p>To actually achieve code execution on the target host, PsExec is installed on the target as a service. By default this is named \u2018PSEXESVC\u2019. 
From the endpoint logs, we observe a 7045 event ID for the initial service installation, followed by a 7036 EID when the service is launched.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/psexec-target.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/psexec-target-evtviewer.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Notably, the PSEXESVC service executable is first copied to the ADMIN$ share of the target (i.e. &quot;C:\\Windows&quot;) before it is installed as a service. Another opportunity to leverage our 5145 EID?<\/p>\n<p>As we mentioned earlier, let\u2019s take a look at Samir\u2019s Sigma <a href=\"https:\/\/github.com\/Neo23x0\/sigma\/blob\/32ecb816307e3639cf815851fac8341a60631f45\/rules\/windows\/builtin\/win_susp_psexec.yml\" target=\"_blank\" rel=\"noopener\">rule<\/a>. Now, this rule is specifically intended to identify behaviour similar to that of PsExec, but from a binary using a different service name. 
The specific behaviour in question is the use of three named pipes, suffixed with stdin, stdout and stderr, that are used to interact with the PSEXESVC service to provide us with our semi-interactive shell.<\/p>\n<pre><code class=\"language-yaml\">title: Suspicious PsExec Execution\nid: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82\ndescription: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one\nauthor: Samir Bousseaden\ndate: 2019\/04\/03\nreferences:\n    - https:\/\/blog.menasec.net\/2019\/02\/threat-hunting-3-detecting-psexec.html\ntags:\n    - attack.lateral_movement\n    - attack.t1077\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\n    description: &#x27;The advanced audit policy setting &quot;Object Access &gt; Audit Detailed File Share&quot; must be configured for Success\/Failure&#x27;\ndetection:\n    selection1:\n        EventID: 5145\n        ShareName: \\\\*\\IPC$\n        RelativeTargetName:\n            - &#x27;*-stdin&#x27;\n            - &#x27;*-stdout&#x27;\n            - &#x27;*-stderr&#x27;\n    selection2:\n        EventID: 5145\n        ShareName: \\\\*\\IPC$\n        RelativeTargetName: &#x27;PSEXESVC*&#x27;\n    condition: selection1 and not selection2\nfalsepositives:\n    - nothing observed so far\nlevel: high<\/code><\/pre>\n<p>We can see this named pipe interaction with our 5145 EIDs in the below screenshot. Note the \u201cShareRelativeTargetName\u201d field entries with the following naming convention:<\/p>\n<pre><code class=\"language-bash\">[service-name] \u2013 [source-host] \u2013 [PID] \u2013 [std-pipe]<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/pipes.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>4 \u2013 Metasploit Variation<\/h3>\n<p>Variations on the PsExec tool are present in several offensive frameworks, including Metasploit and Cobalt Strike. 
These implementations follow a similar pattern of behaviour: copying over a service executable, installing the service and executing commands, but many customisation options exist. Note, in the screenshot of Metasploit below, the options for changing the service name and description, as well as the location to which the service executable is uploaded.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/metasploit-variation.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Using the windows\/smb\/psexec module, our 7045 event \u2013 generated by service installation \u2013 includes an ImagePath that now contains a launcher for a meterpreter implant.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/metasploit-service-creation.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Reading through the command above, we can see that PowerShell is being used to launch meterpreter. Aside from the suspiciously large service ImagePath, this execution opens up an additional telemetry source from which we could create detections: PowerShell <a href=\"https:\/\/devblogs.microsoft.com\/powershell\/powershell-the-blue-team\/\" target=\"_blank\" rel=\"noopener\">Script Block Logging<\/a>.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/metasploit-4104.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>It is left as an exercise for the reader to explore the customisation options for the PsExec Metasploit module and find ways to evade detections based on default behaviours.<\/p>\n<h2>Conclusion<\/h2>\n<p>In this fourth lab of the Discovery and Lateral Movement workshop, we covered how an attacker could make use of the SysInternals tool PsExec to move laterally between two hosts. 
We explored the detection options both on the originating host and on the target, and considered the limitations both with regard to the source host not being visible to us, and the many customisation options we have in frameworks like Metasploit. We utilised multiple events in our detections, including service creation events, process creation events, and registry key changes.<\/p>\n<p>The main takeaways from this fourth lab are:<\/p>\n<ul>\n<li>An awareness of the customisation options available when executing PsExec.<\/li>\n<li>Importance of telemetry from service creation and registry key change events.<\/li>\n<\/ul>\n<p>In our final lab, we&#x27;re going to take a look at WMI for Lateral Movement &#8211; <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-5\/\" target=\"_blank\" rel=\"noopener\">let&#x27;s go<\/a>!<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-4\/&#038;title=Attack%20Detection%20Fundamentals:%20Discovery%20and%20Lateral%20Movement%20&#8211;%20Lab%20#4\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" 
title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #4&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-4\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"\u30c4\u30a4\u30c3\u30bf\u30fc\u3067\u5171\u6709\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                        <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-cta-banner edwp-block js-wp-block-cta-banner wp-block-cta-banner--style-icon wp-block-cta-banner--no-image layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cta-banner__container\">\n        <div class=\"wp-block-cta-banner__box row-load\">\n            <div class=\"wp-component-content wp-component-content--help-text wp-component-content--dark wp-block-cta-banner__content\">\n                        <div class=\"wp-component-content__inner\">\n                <h2 class=\"wp-component-heading text--h2 wp-component-heading--dark wp-component-content__title\">\n    What <span class=\"blue-text\">next?<\/span><\/h2>                                    <div class=\"wp-component-content__content wysiwyg wysiwyg--dark\">\n                        <div class=\"wp-component-paragraph wp-component-paragraph--dark\">\n    <p class=\"text--p-medium\">Discover WithSecure\u2122 Elements Exposure Management.<br \/>\n&#8211; No credit card required. 
     <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">AI security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Machine learning-driven malware analysis<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/machine-learning-driven-malware-analysis\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use 
xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>For this lab, we\u2019re going to be taking a look at the SysInternals tool, PsExec. Many will be familiar with its use amongst system administrators, and many threat actors have used it as a means of lateral movement!<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[314,332,345],"labs_content_type":[317],"class_list":["post-10555","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-endpoint-security","category-network-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/\u30e9\u30dc<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                     
                       <span class=\"wp-component-card-insight__category\">Endpoint Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Network Security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #4<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">For this lab, we\u2019re going to be taking a look at the SysInternals tool, PsExec. Many will be familiar with its use amongst system administrators, and many threat actors have used it as a means of lateral movement!<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-4\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item\/10555","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/media?parent=10555"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/categories?post=10555"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/labs_content_type?post=10555"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}