Lateral Movement: WMI, WinRM, PsExec, and How to See Them
Once an attacker has local admin on one Windows host, lateral movement is a menu of native protocols. Each one leaves a different artifact. Detection beats prevention here.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 19, 2025 · 8 min read
Lateral movement is what turns a single host compromise into Domain Admin. Every technique uses Windows-native protocols, which makes prevention hard and detection essential. We walk through the five techniques we use most on engagements, with the events that catch each one.
Methodology: the five techniques
Each technique requires admin rights on the target. The differences are in protocol, port, and noise level. Pentesters pick based on EDR posture: PsExec is the loudest and most signatured; WMI and WinRM blend into admin traffic; scheduled tasks are the quietest if you can stage a script.
- PsExec or psexec.py: SMB-based, drops PSEXESVC binary on the target, starts a service. Loud, well-detected.
- WMI: wmiexec.py or Invoke-WmiMethod. Uses DCOM (port 135 plus a dynamically assigned high port). Spawns wmiprvse.exe as the parent of the executed process.
- PowerShell Remoting: Invoke-Command, Enter-PSSession over WinRM (5985/5986). Spawns wsmprovhost.exe.
- Scheduled Tasks: schtasks /create /s target /tn name /tr command. Runs at the scheduled time as SYSTEM or specified user.
- RDP: mstsc /v:target. Interactive, leaves obvious 4624 type 10 logons.
Detection by technique
- PsExec: 7045 (service installation) naming PSEXESVC.exe, plus 4697 (service installed) and 5145 (named pipe access to \PSEXESVC). EDR detections for this are mature.
- WMI: 4624 logon type 3 followed by wmiprvse.exe spawning a process. Sysmon Event 1 with parent wmiprvse.exe and a non-standard child is the high-confidence signal.
- PowerShell Remoting: 4624 type 3 plus wsmprovhost.exe in the process tree, plus PowerShell module logging (4103) and script block logging (4104) on the target.
Scheduled tasks and RDP
Remote scheduled task creation logs 4698 with the source workstation. Look for tasks created from non-admin workstations targeting servers, especially tasks set to run whether or not a user is interactively logged on. RDP creates 4624 type 10. The detection signal is RDP from a workstation that does not normally RDP, or from a server to a workstation (an admin session going the wrong direction is often a pivot).
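The host-side signals for all five techniques, collected into a single pass over normalized events, as an added example (this is not the article's or BIPI's code). It assumes a SIEM-style normalization in which each Security, System and Sysmon record is a dict with the field names used below (`event_id`, `logon_type`, `src_host`, `parent_image`, `task_name`, ...); those names, the `SERVERS` / `ADMIN_WORKSTATIONS` / `RDP_BASELINE` inventory and the `WMI_BENIGN_CHILDREN` allowlist are assumptions you map onto your own schema and asset data. The sample events are constructed to exercise each rule once plus two benign cases.

```python
from datetime import datetime, timedelta

# --- assumed environment context (constructed; tune from your inventory) ---
SERVERS = {"FS01", "SQL01"}
ADMIN_WORKSTATIONS = {"PAW01"}            # hosts allowed to create tasks on servers
RDP_BASELINE = {"FS01": {"PAW01"}}        # host -> sources that normally RDP to it
WMI_BENIGN_CHILDREN = {"werfault.exe"}    # assumed allowlist of normal wmiprvse children
WINDOW = timedelta(minutes=5)             # how far back to look for the type-3 logon


def _exe(path):
    """Lower-cased basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def _recent_net_logon(net_logons, host, ts):
    """Source host of the latest 4624 type 3 on `host` within WINDOW before ts, else None."""
    for t, src in reversed(net_logons.get(host, [])):
        if t <= ts and ts - t <= WINDOW:
            return src
    return None


def detect(events):
    """Return (rule, host, detail) alerts; events are processed in timestamp order."""
    alerts, net_logons = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):
        eid, host, ts = e["event_id"], e["host"], e["ts"]
        if eid == 4624 and e["logon_type"] == 3:
            # remember network logons so process creations can be tied to a source
            net_logons.setdefault(host, []).append((ts, e["src_host"]))
        elif eid in (7045, 4697):
            blob = (e.get("service_name", "") + e.get("image_path", "")).lower()
            if "psexesvc" in blob:
                alerts.append(("psexec_service", host, e.get("image_path", "")))
        elif eid == 1:  # Sysmon process create
            parent, child = _exe(e["parent_image"]), _exe(e["image"])
            src = _recent_net_logon(net_logons, host, ts) or "no prior type-3 logon"
            if parent == "wmiprvse.exe" and child not in WMI_BENIGN_CHILDREN:
                alerts.append(("wmi_exec", host, f"{child} from {src}"))
            elif parent == "wsmprovhost.exe":
                alerts.append(("winrm_exec", host, f"{child} from {src}"))
        elif eid == 4698 and host in SERVERS and e["src_host"] not in ADMIN_WORKSTATIONS:
            alerts.append(("remote_task_from_nonadmin", host, f"{e['task_name']} from {e['src_host']}"))
        elif eid == 4624 and e["logon_type"] == 10:
            src = e["src_host"]
            if src in SERVERS and host not in SERVERS:
                alerts.append(("rdp_server_to_workstation", host, src))
            elif src not in RDP_BASELINE.get(host, set()):
                alerts.append(("rdp_unusual_source", host, src))
    return alerts


# constructed sample events, one per technique plus two benign records
T = datetime(2025, 3, 19, 9, 0)
SAMPLE_EVENTS = [
    {"ts": T, "host": "FS01", "event_id": 4624, "logon_type": 3, "src_host": "WS042"},
    {"ts": T + timedelta(seconds=2), "host": "FS01", "event_id": 1,
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": T + timedelta(minutes=1), "host": "SQL01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": T + timedelta(minutes=2), "host": "SQL01", "event_id": 1,
     "parent_image": r"C:\Windows\System32\wsmprovhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": T + timedelta(minutes=3), "host": "FS01", "event_id": 4698, "src_host": "WS042", "task_name": r"\Updater"},
    {"ts": T + timedelta(minutes=4), "host": "WS042", "event_id": 4624, "logon_type": 10, "src_host": "SQL01"},
    # benign: RDP from the baseline PAW, and WerFault under wmiprvse
    {"ts": T + timedelta(minutes=5), "host": "FS01", "event_id": 4624, "logon_type": 10, "src_host": "PAW01"},
    {"ts": T + timedelta(minutes=6), "host": "FS01", "event_id": 1,
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\WerFault.exe"},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {host:6} {detail}")
```

The type-3 correlation is what turns a bare "wmiprvse.exe spawned cmd.exe" into a lateral-movement alert with a source host; without the 4624 you still alert, but the detail says so and the analyst knows to pull the source from Sysmon network events instead.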
Network-side signals
SMB to non-file-server hosts on port 445 from a workstation is suspicious. WinRM (5985) between workstations should be zero in most environments. RPC over high ports between workstations, outside the helpdesk fleet, is suspicious. Network telemetry (Zeek, Defender for Identity) bridges the gap when endpoint logs are missing.
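The network-side rules above applied to a Zeek conn.log, as an added example that is not part of the article. It parses Zeek's TSV layout from the `#fields` header and scores only workstation-originated flows; the subnet, helpdesk and file-server inventory is assumed, and the log excerpt is constructed, not a real capture. The 3389-between-workstations rule is included because the remediation section treats that traffic as something to block at the host firewall.

```python
import ipaddress

# --- assumed inventory (constructed) ---
WORKSTATIONS = ipaddress.ip_network("10.10.2.0/24")
HELPDESK = {"10.10.2.5"}           # helpdesk fleet: RPC to workstations is expected
FILE_SERVERS = {"10.10.1.10"}
RPC_DYNAMIC = range(49152, 65536)  # RPC dynamic high-port range

# constructed conn.log excerpt in Zeek's TSV layout (tab separated, '#' metadata lines)
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\n"
    "1742374800.1\tCabc1\t10.10.2.42\t51234\t10.10.1.10\t445\ttcp\tsmb\tSF\n"      # SMB to a file server
    "1742374801.2\tCabc2\t10.10.2.42\t51235\t10.10.2.77\t445\ttcp\tsmb\tSF\n"      # SMB to a workstation
    "1742374802.3\tCabc3\t10.10.2.42\t51236\t10.10.2.77\t5985\ttcp\thttp\tSF\n"    # WinRM workstation -> workstation
    "1742374803.4\tCabc4\t10.10.2.42\t51237\t10.10.2.77\t49671\ttcp\t-\tSF\n"      # RPC high port, not helpdesk
    "1742374804.5\tCabc5\t10.10.2.5\t51238\t10.10.2.77\t49672\ttcp\t-\tSF\n"       # RPC high port from helpdesk
    "1742374805.6\tCabc6\t10.10.2.42\t51239\t10.10.2.77\t3389\ttcp\t-\tSF\n"       # RDP workstation -> workstation
    "#close\t2025-03-19-09-00-10\n"
)


def parse_conn_log(text):
    """Turn Zeek TSV into dicts keyed by the names in the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_workstation(ip):
    return ipaddress.ip_address(ip) in WORKSTATIONS


def flag_lateral(rows):
    """Return (rule, uid, src, dst) for flows matching the workstation-origin rules."""
    alerts = []
    for r in rows:
        src, dst, dport = r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"])
        if not is_workstation(src):
            continue  # server-originated traffic needs its own baseline; not scored here
        if dport == 445 and dst not in FILE_SERVERS:
            alerts.append(("smb_to_non_fileserver", r["uid"], src, dst))
        elif dport == 5985 and is_workstation(dst):
            alerts.append(("winrm_between_workstations", r["uid"], src, dst))
        elif dport in RPC_DYNAMIC and is_workstation(dst) and src not in HELPDESK:
            alerts.append(("rpc_between_workstations", r["uid"], src, dst))
        elif dport == 3389 and is_workstation(dst):
            alerts.append(("rdp_between_workstations", r["uid"], src, dst))
    return alerts


if __name__ == "__main__":
    for rule, uid, src, dst in flag_lateral(parse_conn_log(CONN_LOG)):
        print(f"{rule:28} {uid} {src} -> {dst}")
```

Run it against a day of conn.log and the output is the list of workstation pairs to baseline; in most estates the WinRM and RDP rules should return nothing at all, which is exactly the point of the article's "should be zero" claim.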
Remediation
- Enable PowerShell module logging and script block logging on every Windows host. Forward 4103 and 4104 to your SIEM.
- Enable Windows process auditing (4688) with command line. Without command lines, lateral movement detection is half-blind.
- Restrict RDP to Privileged Access Workstations. Block 3389 between workstations at the host firewall.
- Use Just Enough Administration (JEA) for PowerShell remoting. Define a constrained endpoint per admin role.
- Lock down WMI namespaces with WMI ACLs. Most users do not need to read the root\cimv2 namespace remotely.
- Deploy EDR with high-fidelity lateral movement detections (CrowdStrike, Defender for Endpoint, SentinelOne all ship them).
- Run a credential-tiering model. Tier 0 admins log in from Tier 0 PAWs only. A tier-0 hash on a tier-2 workstation is your detection.
- Periodically replay the five techniques from your red team or purple team and validate that each one fires a detection.
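The credential-tiering check from the list above ("a tier-0 hash on a tier-2 workstation is your detection"), as an added example that is not the article's code. It generalizes the tier-0 rule to every tier: a credential is a violation when either the host it lands on or the host it originates from sits in a lower-trust (higher-numbered) tier than the account, and tier-0 accounts are additionally required to originate from a tier-0 PAW. Account and host tiers are assumed, constructed mappings; in practice they come from your identity and asset inventories. Logons are 4624 records reduced to user, target host, source host and logon type.

```python
# --- assumed tier assignments (constructed) ---
ACCOUNT_TIER = {"da-admin": 0, "srv-admin": 1, "jdoe": 2}
HOST_TIER = {"DC01": 0, "PAW-T0-01": 0, "FS01": 1, "WS042": 2}
TIER0_PAWS = {"PAW-T0-01"}
UNKNOWN_TIER = 2  # anything not in the inventory is treated as least trusted


def tier_violations(logons):
    """Return (rule, user, origin_host, target_host) for 4624 records that break tiering."""
    hits = []
    for l in logons:
        if l["logon_type"] not in (2, 3, 10):   # interactive, network, remote interactive
            continue
        acct = ACCOUNT_TIER.get(l["user"], UNKNOWN_TIER)
        # for network/RDP logons the credential was presented from src_host; for console logons, the host itself
        origin = l["src_host"] if l["logon_type"] in (3, 10) else l["host"]
        exposed_on = max(HOST_TIER.get(l["host"], UNKNOWN_TIER), HOST_TIER.get(origin, UNKNOWN_TIER))
        if exposed_on > acct:
            hits.append(("credential_on_lower_tier", l["user"], origin, l["host"]))
        if acct == 0 and origin not in TIER0_PAWS:
            hits.append(("tier0_not_from_paw", l["user"], origin, l["host"]))
    return hits


# constructed sample logons
SAMPLE_LOGONS = [
    {"user": "da-admin", "host": "DC01", "src_host": "PAW-T0-01", "logon_type": 10},  # correct: PAW -> DC
    {"user": "da-admin", "host": "WS042", "src_host": "FS01", "logon_type": 3},       # tier-0 cred on tier-1 and tier-2 hosts
    {"user": "jdoe", "host": "WS042", "src_host": "WS042", "logon_type": 2},          # ordinary user on own workstation
    {"user": "srv-admin", "host": "FS01", "src_host": "WS042", "logon_type": 10},     # tier-1 cred typed on a tier-2 workstation
    {"user": "da-admin", "host": "DC01", "src_host": "DC01", "logon_type": 2},        # console logon, not from a PAW
]

if __name__ == "__main__":
    for rule, user, origin, target in tier_violations(SAMPLE_LOGONS):
        print(f"{rule:26} {user:10} {origin} -> {target}")
```

The fourth sample is the one most teams miss: the server admin's logon lands on a tier-1 server, which looks right, but the password was typed on a tier-2 workstation, so that is where the credential is now exposed.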