# SMB, RDP, WMI, PsExec & UAL

#### 1. Why These Matter in Forensics / Lateral Movement

* **SMB (Server Message Block)**\
  Attackers often abuse SMB admin shares (such as `ADMIN$` and `C$`) to move laterally, copy tools or malware, or execute remote payloads.
* **RDP (Remote Desktop Protocol)**\
  Provides interactive remote access. Adversaries may establish RDP sessions to pivot or maintain persistence.
* **WMI (Windows Management Instrumentation)**\
  Used for remote code execution, process creation, or persistence. Highly attractive to attackers because it is a legitimate administrative tool.
* **PsExec**\
  PsExec (Sysinternals) is commonly misused for lateral execution: a payload is uploaded via SMB and then run remotely via PsExec.
* **UAL (User Access Logging)**\
  On Windows Server, UAL records which user accounts accessed which server roles (e.g., File Server) and from which source IP. This makes it a valuable artifact for forensic tracking of SMB and named-pipe usage.

***

#### 2. Key Artifacts & Where to Look

| Technique        | Relevant Artifacts                                                                                                  | What to Investigate                                                                                                                                                                                                                      |
| ---------------- | ------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **SMB / PsExec** | <p>- Windows Event Logs (Security)<br>- Admin Share Access Events<br>- UAL Database</p>                             | Look for Event IDs indicating share access, especially to `ADMIN$`/`IPC$` etc. Use UAL to tie SMB usage to particular users + source IP.  Also watch for evidence of PsExec service (`PSEXESVC`), or service creation events for PsExec. |
| **RDP**          | <p>- Security Event Logs (4624)<br>- Logon Type analysis</p>                                                        | Monitor for Logon Type **10** (RemoteInteractive) in event 4624 — typical for RDP. Correlate with unusual source IPs or times to spot lateral access.                                                                                    |
| **WMI**          | <p>- Process creation logs (Event IDs)<br>- WMI provider processes (e.g. <code>WmiPrvSE.exe</code>)</p>             | Look for unusual `wmiprvse.exe` process invocations, especially where it spawns “cmd.exe” or “powershell.exe” remotely. Use SIEM hunts to flag WMI-based lateral movement.                                                               |
| **UAL**          | <p>- ESE database files (<code>.mdb</code>) in <code>C:\Windows\System32\LogFiles\Sum</code><br>- SUM databases</p> | Parse UAL with **SumECmd** (Eric Zimmerman) to extract CSV of access: user, role, source IP, first/last seen, count.  Use this to map SMB or named-pipe (e.g. `\PIPE\svcctl`) usage to specific accounts.                                |

***

#### 3. Forensic / Detection Techniques

1. **PsExec / SMB Lateral Movement**
   * Monitor for creation of the `PSEXESVC.exe` service.
   * Check for service creation event ID **7045** in the System log.
   * Monitor file share accesses (Event IDs **5140**, **5145**) for `ADMIN$` or `IPC$`.
2. **WMI-based Lateral Execution**
   * Hunt for `wmic /node:` or PowerShell WMI methods via process creation events.
   * Look for persistent WMI event subscriptions (`__EventFilter`, `__FilterToConsumerBinding`) that may indicate persistence.
3. **RDP Access**
   * Use Log Parser or a SIEM to query event logs for 4624 with Logon Type = 10.
   * Identify whether RDP was enabled or disabled (registry changes, firewall rule modifications) around the time of the suspicious activity.
4. **UAL-based Lateral Movement Mapping**
   * Extract UAL data to see which account accessed which server role from which source IP.
   * Baseline "normal" role access patterns. If a user appears in UAL for the first time, or from an unusual source, it may indicate lateral movement.
   * Combine UAL findings with other artifacts (SMB logon, process creation) to reconstruct the attacker's path.
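The detection rules listed in this section, applied to a handful of constructed event records, as an added Python example that is not part of the original notes. The record field names (`id`, `share`, `logon_type`, `parent`) are simplified assumptions for illustration, not the raw EVTX or Sysmon field names.

```python
# Constructed sample records modelled on the Event IDs the notes list above; field
# names are simplified and not the raw EVTX/XML names (adapt to your parser or SIEM).
SAMPLE_EVENTS = [
    {"id": 7045, "log": "System", "host": "FS01", "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 5145, "log": "Security", "host": "FS01", "share": r"\\*\ADMIN$",
     "user": "CORP\\jsmith", "src_ip": "10.0.5.23", "rel_path": "PSEXESVC.exe"},
    {"id": 5145, "log": "Security", "host": "FS01", "share": r"\\*\Users",
     "user": "CORP\\alice", "src_ip": "10.0.1.10", "rel_path": "report.docx"},
    {"id": 4624, "log": "Security", "host": "JUMP01", "logon_type": 10,
     "user": "CORP\\jsmith", "src_ip": "10.0.5.23"},
    {"id": 4624, "log": "Security", "host": "JUMP01", "logon_type": 3,
     "user": "CORP\\svc-backup", "src_ip": "10.0.2.4"},
    {"id": 1, "log": "Sysmon", "host": "FS01", "parent": "WmiPrvSE.exe",
     "image": "powershell.exe", "user": "CORP\\jsmith"},
]

ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")
WMI_CHILDREN = {"cmd.exe", "powershell.exe"}

def classify(ev):
    """Return a detection label for one record, or None if none of the rules above match."""
    eid = ev["id"]
    if eid == 7045 and "PSEXESVC" in ev.get("service", "").upper():
        return "psexec_service_install"
    if eid == 5145 and ev.get("share", "").upper().endswith(ADMIN_SHARES):
        return "admin_share_access"
    if eid == 4624 and ev.get("logon_type") == 10:
        return "rdp_logon"
    if (eid == 1 and ev.get("parent", "").lower() == "wmiprvse.exe"
            and ev.get("image", "").lower() in WMI_CHILDREN):
        return "wmi_remote_exec"
    return None

def hunt(events):
    """Run every record through classify() and group the hits by label."""
    hits = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(label, []).append(ev)
    return hits

def pivot_by_source(hits):
    """Group all hits by source IP so one origin host can be followed across techniques."""
    by_ip = {}
    for label, evs in hits.items():
        for ev in evs:
            by_ip.setdefault(ev.get("src_ip", "local"), set()).add(label)
    return by_ip
```

Running `pivot_by_source(hunt(SAMPLE_EVENTS))` shows the same source address behind both the admin-share access and the RDP logon, which is the kind of pivot the UAL section below builds on.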

***

#### 4. Investigation Workflow (Forensics / IR)

1. **Collection**
   * On relevant Windows servers, gather:
     * UAL `.mdb` files from `C:\Windows\System32\LogFiles\Sum`
     * Security Event Logs (especially on machines used for admin tasks)
     * Sysmon (if deployed) or process logs for WMI and PsExec behavior
2. **Parsing / Extraction**
   * Use **SumECmd** to parse the UAL database to CSV.
   * Use a SIEM or Log Parser to query event logs for SMB share accesses, process creations, and RDP logins.
   * Extract WMI-related execution events (processes, subscriptions).
3. **Analysis**
   * Map UAL entries by user and source IP → identify unusual SMB usage.
   * Analyze process chains: PsExec or WMI parent → child processes, and how they were launched.
   * Build a timeline: when access happened, from where, by which account, and what was executed.
4. **Correlation**
   * Correlate UAL data with event logs for process creation (e.g. PsExec), network share access, and RDP authentications.
   * Reconstruct the lateral movement chain: e.g., user X accessed SMB (seen in UAL) → process created remotely on the target → payload executed.
5. **Reporting**
   * Document suspicious or high-risk lateral movement activity: accounts used, source IPs, protocols, commands.
   * Highlight potential "beachhead" machines and compromised accounts.
   * Recommend mitigation: restrict admin shares, enforce logging, limit WMI / PsExec usage, monitor UAL.
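The analysis and correlation steps of this workflow, as an added Python example that is not part of the original notes. The CSV column names are assumed for illustration and are not SumECmd's real headers; the baseline and the 4624 logon records are constructed.

```python
import csv
import io
from datetime import datetime, timedelta
# Constructed CSV in the shape the notes describe (user, role, source IP, first/last
# seen, count); the column names are assumed, not SumECmd's real headers.
UAL_CSV = """\
user,role,source_ip,first_seen,last_seen,count
CORP\\alice,File Server,10.0.1.10,2024-03-01T08:02:00,2024-03-20T17:40:00,412
CORP\\svc-backup,File Server,10.0.2.4,2024-03-01T01:00:00,2024-03-20T01:00:00,20
CORP\\jsmith,File Server,10.0.5.23,2024-03-19T23:12:00,2024-03-19T23:15:00,3
"""
# Constructed baseline: (user, role) pairs and the source IPs seen in a clean period.
BASELINE = {("CORP\\alice", "File Server"): {"10.0.1.10"},
            ("CORP\\svc-backup", "File Server"): {"10.0.2.4"}}
# Constructed 4624 records from another host, for correlation by source IP and time.
LOGONS = [
    {"host": "JUMP01", "user": "CORP\\jsmith", "logon_type": 10,
     "src_ip": "10.0.5.23", "time": datetime(2024, 3, 19, 23, 10)},
    {"host": "JUMP01", "user": "CORP\\alice", "logon_type": 10,
     "src_ip": "10.0.1.10", "time": datetime(2024, 3, 20, 9, 0)},
]

def parse_ual(text):
    """Read the CSV and convert first_seen to a datetime so it can be compared."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["first_seen"] = datetime.fromisoformat(r["first_seen"])
    return rows

def flag_anomalies(rows, baseline):
    """Flag a row if its user/role pair is new, or its source IP is new for that pair."""
    out = []
    for r in rows:
        known = baseline.get((r["user"], r["role"]))
        if known is None:
            out.append((r, "new user/role pair"))
        elif r["source_ip"] not in known:
            out.append((r, "new source IP for known pair"))
    return out

def correlate(anomalies, logons, window=timedelta(minutes=30)):
    """Link each anomaly to logons from the same source IP shortly before first_seen."""
    links = []
    for r, reason in anomalies:
        for lg in logons:
            delta = r["first_seen"] - lg["time"]
            if lg["src_ip"] == r["source_ip"] and timedelta(0) <= delta <= window:
                links.append({"ual_user": r["user"], "role": r["role"], "reason": reason,
                              "prior_logon": f'{lg["user"]}@{lg["host"]} type {lg["logon_type"]}'})
    return links
```

`correlate(flag_anomalies(parse_ual(UAL_CSV), BASELINE), LOGONS)` ties the first-ever File Server access by `jsmith` to an RDP logon from the same address two minutes earlier, which is the kind of chain the Correlation step asks for.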

***

#### 5. Challenges & Limitations

* **Legitimate Admin Activity**: Admins use SMB, PsExec, WMI, and RDP legitimately, so differentiating malicious from normal activity is hard.
* **UAL Visibility**: Not all server roles may be logged, depending on configuration.
* **Database Corruption**: UAL ESE databases collected from a live system may be in use (not cleanly shut down) and require repair with `esentutl.exe` before parsing.
* **Log Gaps**: If event logging (security, process, WMI) wasn't enabled or retained, some activity may be missing.
* **Time Skew / Correlation**: Logs from different machines and artifacts may have different time sources, making correlation harder.
