# SMB, RDP, WMI, PsExec & UAL

#### 1. Why These Matter in Forensics / Lateral Movement

* **SMB (Server Message Block)**\
  Attackers often abuse SMB admin shares (such as `ADMIN$` and `C$`) to move laterally, copy tools or malware, and execute remote payloads.
* **RDP (Remote Desktop Protocol)**\
  Provides interactive remote access. Adversaries may establish RDP sessions to pivot or maintain persistence.
* **WMI (Windows Management Instrumentation)**\
  Used for remote code execution, process creation, or persistence. Highly attractive to attackers because it is a legitimate admin tool.
* **PsExec**\
  PsExec (Sysinternals) is commonly misused for lateral execution: the payload is uploaded via SMB and then run remotely via PsExec.
* **UAL (User Access Logging)**\
  On Windows Server, UAL records which user accounts accessed which “server roles” (e.g., File Server) and from which source IP. Great for forensic tracking of SMB and named-pipe usage.

***

#### 2. Key Artifacts & Where to Look

| Technique        | Relevant Artifacts                                                                                                  | What to Investigate                                                                                                                                                                                                                      |
| ---------------- | ------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **SMB / PsExec** | <p>- Windows Event Logs (Security)<br>- Admin Share Access Events<br>- UAL Database</p>                             | Look for Event IDs indicating share access, especially to `ADMIN$`/`IPC$` etc. Use UAL to tie SMB usage to particular users + source IP.  Also watch for evidence of PsExec service (`PSEXESVC`), or service creation events for PsExec. |
| **RDP**          | <p>- Security Event Logs (4624)<br>- Logon Type analysis</p>                                                        | Monitor for Logon Type **10** (RemoteInteractive) in event 4624 — typical for RDP. Correlate with unusual source IPs or times to spot lateral access.                                                                                    |
| **WMI**          | <p>- Process creation logs (Event IDs)<br>- WMI provider processes (e.g. <code>WmiPrvSE.exe</code>)</p>             | Look for unusual `wmiprvse.exe` process invocations, especially where it spawns “cmd.exe” or “powershell.exe” remotely. Use SIEM hunts to flag WMI-based lateral movement.                                                               |
| **UAL**          | <p>- ESE database files (<code>.mdb</code>) in <code>C:\Windows\System32\LogFiles\Sum</code><br>- SUM databases</p> | Parse UAL with **SumECmd** (Eric Zimmerman) to extract CSV of access: user, role, source IP, first/last seen, count.  Use this to map SMB or named-pipe (e.g. `\PIPE\svcctl`) usage to specific accounts.                                |

***

#### 3. Forensic / Detection Techniques

1. **PsExec / SMB Lateral Movement**
   * Monitor for creation of the `PSEXESVC.exe` service.
   * Check for service creation event ID **7045** in the System log.
   * Monitor file share accesses (Event IDs **5140**, **5145**) for `ADMIN$` or `IPC$`.
2. **WMI-based Lateral Execution**
   * Hunt for `wmic /node:` or PowerShell WMI methods via process creation events.
   * Look for persistent WMI event subscriptions (`__EventFilter`, `__FilterToConsumerBinding`) that may indicate persistence.
3. **RDP Access**
   * Use Log Parser or a SIEM to query event logs for 4624 with Logon Type = 10.
   * Identify whether RDP was enabled/disabled (registry changes, firewall rule modifications) around the time of suspicious activity.
4. **UAL-based Lateral Movement Mapping**
   * Extract UAL data to see which account accessed which server role from what source IP.
   * Baseline “normal” role access patterns. If a user appears in UAL for the first time or from an unusual source, it may indicate lateral movement.
   * Combine UAL findings with other artifacts (SMB logon, process creation) to reconstruct attacker path.
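The PsExec/SMB and RDP checks in items 1 and 3 above, run over a few constructed event records, as an added example (not code from the original page). Field names follow the EventData names of the Security and System logs; the records, host name and IP addresses are constructed for the example.

```python
# Added example, not code from the original page: triage constructed Windows
# event records for the PsExec/SMB and RDP indicators listed in section 3.
# Field names follow the EventData names in the Security/System logs; the
# records themselves are constructed for this example.
SUSPICIOUS_SHARES = {r"\\*\ADMIN$", r"\\*\IPC$", r"\\*\C$"}

EVENTS = [  # constructed sample records
    {"id": 7045, "host": "srv01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 5145, "host": "srv01", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "IpAddress": "10.0.0.23",
     "SubjectUserName": "jdoe"},
    {"id": 4624, "host": "srv01", "LogonType": "10",
     "IpAddress": "10.0.0.23", "TargetUserName": "jdoe"},
    {"id": 4624, "host": "srv01", "LogonType": "3",
     "IpAddress": "10.0.0.5", "TargetUserName": "svc_backup"},
    {"id": 5145, "host": "srv01", "ShareName": r"\\*\Public",
     "RelativeTargetName": "report.docx", "IpAddress": "10.0.0.5",
     "SubjectUserName": "svc_backup"},
]

def triage(events):
    """Return (event_id, source_ip, reason) for records matching the section 3 checks."""
    findings = []
    for ev in events:
        eid = ev["id"]
        if eid == 7045 and "PSEXESVC" in ev.get("ServiceName", "").upper():
            # 7045 has no client IP; the service install itself is the indicator
            findings.append((eid, None, f"PsExec service installed: {ev['ImagePath']}"))
        elif eid == 5145 and ev.get("ShareName") in SUSPICIOUS_SHARES:
            findings.append((eid, ev["IpAddress"],
                             f"{ev['SubjectUserName']} accessed "
                             f"{ev['ShareName']}\\{ev['RelativeTargetName']}"))
        elif eid == 4624 and ev.get("LogonType") == "10":
            findings.append((eid, ev["IpAddress"],
                             f"RDP logon (type 10) as {ev['TargetUserName']}"))
    return findings

def by_source(findings):
    """Group findings by source IP so one remote host's share and RDP activity line up."""
    grouped = {}
    for eid, src, reason in findings:
        grouped.setdefault(src or "local", []).append((eid, reason))
    return grouped
```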

***

#### 4. Investigation Workflow (Forensics / IR)

1. **Collection**
   * On relevant Windows servers, gather:
     * UAL `.mdb` files from `C:\Windows\System32\LogFiles\Sum`
     * Security Event Logs (especially on machines used for admin tasks)
     * Sysmon (if deployed) or process logs for WMI and PsExec behavior
2. **Parsing / Extraction**
   * Use **SumECmd** to parse the UAL database to CSV.
   * Use a SIEM or Log Parser to query event logs for SMB share accesses, process creations, and RDP logins.
   * Extract WMI-related execution events (processes, subscriptions).
3. **Analysis**
   * Map UAL entries by user and source IP → identify unusual SMB usage.
   * Analyze process chains: PsExec or WMI parent → child processes, how they launched.
   * Build a timeline: when access happened, from where, by which account, what was executed.
4. **Correlation**
   * Correlate UAL data with event logs for process creation (e.g. PsExec), network share access, and RDP authentications.
   * Link lateral movement trace: e.g., user X accessed SMB via UAL → process created remotely on target → payload executed.
5. **Reporting**
   * Document suspicious or high-risk lateral movement activity: accounts used, source IPs, protocols, commands.
   * Highlight potential “beachhead” machines and compromised accounts.
   * Recommend mitigation: restrict admin shares, enforce logging, limit WMI / PsExec usage, monitor UAL.
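The UAL baselining described in section 3 (item 4) and in the Analysis step above, as an added example that is not the page's or SumECmd's own code. The CSV header names and all rows are constructed for the example (they follow the user/role/source IP/first-last seen/count shape the page describes, not SumECmd's real column names); the baseline cutoff date is likewise an assumption.

```python
# Added example, not code from the original page: baseline UAL access data
# (in the user/role/source/first-last-seen/count shape the page describes) and
# flag first-time users or known users appearing from a new source.
# The column headers below are an assumption for this example, not SumECmd's.
import csv
import io
from datetime import datetime

UAL_CSV = """\
AuthenticatedUserName,RoleName,SourceIp,FirstSeen,LastSeen,TotalAccesses
CORP\\admin1,File Server,10.0.0.5,2024-01-02T08:00:00,2024-03-30T17:00:00,412
CORP\\admin1,File Server,10.0.0.6,2024-01-03T08:00:00,2024-03-30T17:00:00,388
CORP\\jdoe,File Server,10.0.0.23,2024-03-29T02:14:00,2024-03-29T02:40:00,3
CORP\\admin1,File Server,10.0.0.23,2024-03-29T02:50:00,2024-03-29T02:55:00,2
"""  # constructed sample rows; the last two mimic a late-night first-seen pattern

BASELINE_END = datetime(2024, 3, 1)  # rows first seen before this form the baseline

def parse_ual(text):
    """Parse CSV text into dicts with typed FirstSeen and TotalAccesses."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["FirstSeen"] = datetime.fromisoformat(r["FirstSeen"])
        r["TotalAccesses"] = int(r["TotalAccesses"])
    return rows

def flag_anomalies(rows, baseline_end):
    """Compare rows first seen after baseline_end against the baseline set."""
    base = [r for r in rows if r["FirstSeen"] < baseline_end]
    known_users = {r["AuthenticatedUserName"] for r in base}
    known_pairs = {(r["AuthenticatedUserName"], r["SourceIp"]) for r in base}
    known_sources = {r["SourceIp"] for r in base}
    alerts = []
    for r in rows:
        if r["FirstSeen"] < baseline_end:
            continue
        user, src = r["AuthenticatedUserName"], r["SourceIp"]
        reasons = []
        if user not in known_users:
            reasons.append("user never seen in baseline")
        elif (user, src) not in known_pairs:
            reasons.append("known user from a new source")
        if src not in known_sources:
            reasons.append("source IP never seen in baseline")
        if reasons:
            alerts.append((user, r["RoleName"], src, r["TotalAccesses"], "; ".join(reasons)))
    return alerts

def run_example():
    return flag_anomalies(parse_ual(UAL_CSV), BASELINE_END)
```

Each alert carries the source IP and access count, which is what you then correlate against 5145 share accesses and 4624 logons from the same address in the Correlation step.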

***

#### 5. Challenges & Limitations

* **Legitimate Admin Activity**: Admins use SMB, PsExec, WMI, and RDP legitimately — differentiating malicious from normal is hard.
* **UAL Visibility**: Not all server roles may be logged, depending on configuration.
* **Database Corruption**: UAL ESE databases may be in use, requiring repair (`esentutl.exe`) before parsing.
* **Log Gaps**: If event logging (security, process, WMI) wasn’t enabled or retained, some activity may be missing.
* **Time Skew / Correlation**: Logs from different machines and artifacts may have different time sources, making correlation harder.
