*Published: 4/17/2026*
> **TL;DR:** Every ransomware operator needs to move from the beachhead to the domain controller, the file server, the backup infrastructure. The execution methods are finite. Six techniques account for nearly all observed lateral movement across Akira, Play, Qilin, Chaos, Embargo, Black Basta, LockBit, Fog, Hunters International, and RansomHub. Each one has a distinct detection signature. An operator who can't use any of them is stuck where they landed.
This is Part 1 of the Operator Playbook series, which breaks down cross-RaaS behavioral chokepoints by kill chain phase. This part focuses exclusively on lateral movement because it has the tightest convergence of any phase. The operator has domain admin credentials. Now they need to use them. The question for defenders is: through which mechanism?
---
## Why Lateral Movement Is the Tightest Chokepoint
Initial access has dozens of vectors (VPN, RDP, phishing, exploit, IAB, supply chain). Credential access has multiple targets (LSASS, registry hives, Veeam, browsers, Kerberos). Defense evasion has endless creativity (BYOVD, registry, PowerShell, Safe Mode, 6 redundant Defender kills in a single toolkit). But lateral movement on Windows comes down to a short list of execution primitives. The operator needs to run code on a remote host. Windows provides a finite number of mechanisms to do that, and each one leaves a fingerprint.
The six roads covered here were observed across firsthand IR telemetry ([[Three Akira Intrusions Compared]], [[Two PlayCrypt Intrusions Compared]]), vendor IR reporting (Sophos Active Adversary 2025/2026, DFIR Report, Huntress 2025, eSentire TRU), and government advisories (CISA #StopRansomware: Akira AA24-109A, Play AA23-352A, Black Basta AA24-131A, RansomHub AA24-242a).
---
## Road 1: Impacket (WmiExec / SmbExec / AtExec)
**Observed in:** Akira, Chaos, Embargo, Play, Qilin, Fog, LockBit, Black Basta, RansomHub (**9 groups**)
Impacket is the dominant lateral movement framework across the ransomware ecosystem. The Sophos 2026 Active Adversary Report found it accounts for **36% of all tools** observed in IR cases, with an 83% year-over-year increase.
Impacket is a Python-based collection of modules. The three relevant to lateral movement are:
**WmiExec** uses WMI to spawn a process on the remote host, redirecting output to a temp file in the ADMIN$ share. The parent process on the target is `wmiprvse.exe`.
**SmbExec** creates a temporary service on the remote host for command execution. Similar to PsExec but without deploying PSEXESVC.exe. The parent process on the target is `services.exe`.
**AtExec** abuses the Windows Task Scheduler to create a task on the remote host. The parent process on the target is `svchost.exe` or `taskeng.exe`.
### The WmiExec Signature
WmiExec's output redirection pattern is the single highest-fidelity lateral movement detection available:
> [!example]- Impacket WmiExec output redirection
> ```
> cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
> ```
The `\\127.0.0.1\ADMIN$\__<float>` output file is Impacket's invariant. It writes command output to a temp file in the ADMIN$ share, reads it back over SMB, and deletes it. The float (e.g., `__1684293517.4120836`) is `time.time()` taken on the operator's machine when wmiexec starts, so every command in one wmiexec session reuses the same filename: a new float means a new session, and the value also exposes the operator's clock for skew comparison against the event timestamp.
In the [[Three Akira Intrusions Compared|Akira intrusions]], this pattern generated 16 cases in a single operational queue. Every command the operator ran through WmiExec produced this artifact. The operator used it to:
- Reset account passwords (`net user [svc_account] [password] /dom`)
- Enable RDP via registry (`powershell reg add ... fDenyTSConnections`)
- Enable firewall rules for Remote Desktop
- Run discovery commands (`cd \`, `tasklist | findstr chrome.exe`)
### SmbExec and AtExec
SmbExec creates a service on the remote host whose binary path is a `%COMSPEC% /Q /c ...` one-liner rather than a dropped executable; the command is echoed into a batch file under `%TEMP%`, run, and deleted. Recent Impacket builds randomize the service name, but older builds hard-coded `BTOBTO`, which many existing rules still key on. Output is redirected to a loopback share file much like WmiExec (by default `\\127.0.0.1\C$\__output`). The detection signature overlaps with PsExec (Event ID 7045), but the service image path is `%COMSPEC%` rather than a deployed executable.
AtExec creates a scheduled task, executes it, and reads the output from a file in `C:\Windows\Temp\`. The detection surface is scheduled task creation from a non-interactive source combined with output written to a temp file.
### Detection Surface Summary
| Module | Target-side parent | Artifact |
|---|---|---|
| WmiExec | `wmiprvse.exe` | Output to `\\127.0.0.1\ADMIN$\__<float>` |
| SmbExec | `services.exe` | Service creation + `%COMSPEC%` execution |
| AtExec | `svchost.exe` / `taskeng.exe` | Scheduled task creation + output to `C:\Windows\Temp\` |
All three modules produce process creation events where a system process spawns `cmd.exe` or `powershell.exe` with a command line containing the `&1` redirection. SmbExec's appears caret-escaped (`2^>^&1`) because the command is first echoed into a batch file, so match on `&1` rather than on a literal `2>&1`.
> **Detection Opportunity:** The `\\127.0.0.1\ADMIN$\__` pattern in the command line is invariant across every group using Impacket. That string only exists as the argument to `Win32_Process.Create`, so it is observed target-side (and on the wire over DCOM), not on the source host, which is a Python interpreter and often an attacker-controlled Linux box. Target-side, this is `wmiprvse.exe`, `services.exe`, or `svchost.exe` spawning `cmd.exe`/`powershell.exe` with `cmd.exe /Q /c`, a `\\127.0.0.1\` path, and `&1` in the command line.
>
> See rule: [[edr-win-lat-impacket-wmiexec]]
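The three target-side signatures above, as an added example (not the page's rule or Impacket's code): a classifier over process-creation records that keys on the `&1` redirection plus the module-specific output file, checks that the parent is the one each module is expected to have, and groups WmiExec commands by the session float. Field names (`parent_image`, `image`, `command_line`) and the sample events are assumptions constructed for the example, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Output-file invariants of the three modules, from Impacket's defaults:
# wmiexec writes "__<time.time()>" into ADMIN$, smbexec writes "__output" into
# C$, atexec writes "<random>.tmp" under the Windows temp directory.
WMIEXEC_OUT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__(?P<ts>\d+\.\d+)", re.I)
SMBEXEC_OUT = re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output", re.I)
ATEXEC_OUT = re.compile(r"(?:%windir%|\\Windows)\\Temp\\[A-Za-z]+\.tmp", re.I)
SHELLS = {"cmd.exe", "powershell.exe"}


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one target-side process-creation event to an Impacket module.

    Assumed field names: parent_image, image, command_line. Returns None for
    anything that is not shell + '&1' redirection into one of the three output
    locations (smbexec's '&1' is caret-escaped because the command is echoed
    into a batch file first, which is why the guard is '&1', not '2>&1').
    """
    parent, image, cmd = _base(event["parent_image"]), _base(event["image"]), event["command_line"]
    if image not in SHELLS or "&1" not in cmd:
        return None
    m = WMIEXEC_OUT.search(cmd)
    if m:
        # The float is the operator's clock at wmiexec start-up, so it doubles
        # as a session key and as a skew check against the event timestamp.
        return {"module": "wmiexec", "parent": parent, "session": m["ts"],
                "operator_clock": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
                "parent_ok": parent == "wmiprvse.exe"}
    if SMBEXEC_OUT.search(cmd):
        return {"module": "smbexec", "parent": parent, "session": None,
                "parent_ok": parent == "services.exe"}
    if ATEXEC_OUT.search(cmd):
        return {"module": "atexec", "parent": parent, "session": None,
                "parent_ok": parent in {"svchost.exe", "taskeng.exe"}}
    return None


def scan(events):
    """Return all hits, plus a count of wmiexec commands per operator session."""
    hits = [h for h in (classify(e) for e in events) if h]
    sessions = defaultdict(int)
    for h in hits:
        if h["module"] == "wmiexec":
            sessions[h["session"]] += 1
    return hits, dict(sessions)


SAMPLE_EVENTS = [  # constructed records shaped like Sysmon event 1 / 4688, not real telemetry
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /Q /c tasklist | findstr chrome.exe 1> \\127.0.0.1\ADMIN$\__1684293517.4120836 2>&1"},
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /Q /c net user svc_backup Winter2025! /dom 1> \\127.0.0.1\ADMIN$\__1684293517.4120836 2>&1"},
    {"parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"C:\Windows\system32\cmd.exe /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & C:\Windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"parent_image": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /C whoami > C:\Windows\Temp\BZdfSxlE.tmp 2>&1"},
    {"parent_image": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c gpupdate /force"},  # ordinary scheduled task, no redirection
]

if __name__ == "__main__":
    hits, sessions = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(hit["module"], hit["parent"], "parent_ok" if hit["parent_ok"] else "UNEXPECTED PARENT")
    print("wmiexec sessions:", sessions)
```

A `parent_ok` of False on a WmiExec-shaped command line is worth its own alert: the redirection string with a different parent usually means a hand-rolled port of the technique rather than stock Impacket.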
---
## Road 2: PsExec and Variants
**Observed in:** Play, Qilin, Black Basta, LockBit, TheGentlemen (**5 groups**)
PsExec is a Sysinternals tool designed for legitimate remote administration. Operators abuse it because it's signed by Microsoft and doesn't require additional tooling beyond the binary itself.
### How It Works
From the source host, PsExec:
1. Connects to the ADMIN$ share on the target
2. Copies `PSEXESVC.exe` to the target's `C:\Windows\`
3. Creates and starts a service with a random name pointing to the copied binary
4. Executes the specified command through the service
5. Returns output to the source
6. Cleans up the service (sometimes)
The detection surface is Event ID 7045 (new service installed) on the target. By default the service is named `PSEXESVC` with image path `%SystemRoot%\PSEXESVC.exe`; the `-r` switch renames both the service and the copied binary. The random 12-character alphanumeric names seen in the Play telemetry below therefore indicate either a renamed service or a PsExec-style reimplementation, not stock PsExec defaults. Note that 7045 records the account the service runs as; the creating account comes from Event ID 4697 or EDR correlation.
### Variants
**PAExec** is the open-source alternative: the same service-based technique, but the copied binary and service are named `PAExec-<pid>-<source host>`, which is its own signature. **CSExec** is a C# reimplementation of the same method. All three produce the same target-side artifact: Event ID 7045 with a new service whose image path is a freshly copied binary in `C:\Windows\`.
### Observed in Intrusions
In the [[Two PlayCrypt Intrusions Compared|Play intrusion]], PsExec created 8+ services across 15+ hosts in rapid succession. Each service dropped a unique ransomware payload:
> [!example]- PsExec service creation artifacts (Event ID 7045)
> ```
> 7045 | R7KXNQ4VHJ2D | C:\Windows\R7KXNQ4VHJ2D.exe | DOMAIN\Administrator
> 7045 | M3YPWT8FG6AE | C:\Windows\M3YPWT8FG6AE.exe | DOMAIN\Administrator
> 7045 | J9BHZC5NLR1X | C:\Windows\J9BHZC5NLR1X.exe | DOMAIN\Administrator
> 7045 | T6DVQA2WKS8P | C:\Windows\T6DVQA2WKS8P.exe | DOMAIN\Administrator
> 7045 | U4FMLE7YXN3G | C:\Windows\U4FMLE7YXN3G.exe | DOMAIN\Administrator
> ```
Each service binary was a unique per-host ransomware payload. Play's usual staging path for tooling is `C:\Users\Public\Music\`; the image paths above point at `C:\Windows\` because PsExec-style execution copies the binary through ADMIN$ into the Windows directory before the service starts it. The services were created from a compromised domain admin account over SMB.
The `-s` flag (run as SYSTEM) is common in ransomware PsExec usage because it provides the highest privilege context on the remote host:
> [!example]- PsExec with SYSTEM flag
> ```
> psexec.exe \\TARGET -s cmd.exe /c C:\Windows\Temp\payload.exe
> psexec.exe \\TARGET -accepteula -u DOMAIN\admin -p <pass> -s -d cmd.exe /c <command>
> ```
> **Detection Opportunity:** Event ID 7045 with an image path directly in `C:\Windows\` (logged as `%SystemRoot%\...`) is PsExec's pattern: `PSEXESVC` by default, a caller-chosen or generated name when `-r` is used or a PsExec-style reimplementation is in play. Legitimate services don't use random 12-character names and are not installed in the Windows root. PAExec and CSExec produce the same artifact; Impacket's SmbExec also shows as 7045, but with `%COMSPEC%` as the image path rather than a binary.
>
> See rule: [[edr-win-lat-remote-psexec]]
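The 7045 logic above, as an added example (not the page's rule): label each service-install record by image path and service-name shape, then catch the Play-style burst of one account installing services across many hosts in a short window. The `subject` field is an assumption (7045 itself carries only the run-as account; the creator comes from 4697 or EDR correlation), and the records are constructed, the first three mirroring the artifacts shown above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# PsExec's ADMIN$ copy lands the service binary directly in the Windows root.
WINDOWS_ROOT_EXE = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.I)
VOWELS = set("aeiouAEIOU")


def looks_random(name):
    """Generated-looking service names: alphanumeric, 8+ chars, and either
    digit-bearing or vowel-free. Real service names read like words."""
    return (name.isalnum() and len(name) >= 8
            and (any(c.isdigit() for c in name) or not any(c in VOWELS for c in name)))


def classify_7045(ev):
    """Label one service-install record. Assumed fields: host, time,
    service_name, image_path, subject (creator account)."""
    name, path = ev["service_name"], ev["image_path"].strip('"')
    if path.lower().startswith("%comspec%"):
        return "impacket-smbexec"            # Road 1: command in binPath, no binary dropped
    if name.upper() == "PSEXESVC" or path.upper().endswith("\\PSEXESVC.EXE"):
        return "psexec-default"
    if name.upper().startswith("PAEXEC-"):
        return "paexec"
    if WINDOWS_ROOT_EXE.match(path) and looks_random(name):
        return "psexec-renamed-or-variant"   # -r switch, CSExec-style tool, or self-spreading payload
    return None


def fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """One creator account installing flagged services on min_hosts or more
    distinct hosts inside `window`: the Play-style burst."""
    flagged = sorted((e for e in events if classify_7045(e)), key=lambda e: e["time"])
    by_subject = defaultdict(list)
    for e in flagged:
        by_subject[e["subject"]].append(e)
    bursts = []
    for subject, evs in by_subject.items():
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                bursts.append((subject, start["time"], len(hosts)))
                break
    return bursts


T0 = datetime(2025, 3, 2, 1, 14, 0)
ADMIN = r"DOMAIN\Administrator"
SAMPLE_7045 = [  # constructed; the first three mirror the Play artifacts above
    {"host": "FS01", "time": T0, "service_name": "R7KXNQ4VHJ2D",
     "image_path": r"C:\Windows\R7KXNQ4VHJ2D.exe", "subject": ADMIN},
    {"host": "FS02", "time": T0 + timedelta(seconds=20), "service_name": "M3YPWT8FG6AE",
     "image_path": r"C:\Windows\M3YPWT8FG6AE.exe", "subject": ADMIN},
    {"host": "DC01", "time": T0 + timedelta(seconds=41), "service_name": "J9BHZC5NLR1X",
     "image_path": r"C:\Windows\J9BHZC5NLR1X.exe", "subject": ADMIN},
    {"host": "WS07", "time": T0 + timedelta(minutes=9), "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "subject": r"DOMAIN\it.admin"},
    {"host": "FS01", "time": T0 + timedelta(minutes=12), "service_name": "BTOBTO",
     "image_path": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
     "subject": r"DOMAIN\svc_backup"},
    {"host": "WS03", "time": T0 + timedelta(hours=2), "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe", "subject": "SYSTEM"},
]

if __name__ == "__main__":
    for ev in SAMPLE_7045:
        print(ev["host"], ev["service_name"], classify_7045(ev))
    print("bursts:", fanout(SAMPLE_7045))
```

The `looks_random` heuristic is deliberately loose; the image-path check does the real filtering, since nothing legitimate installs a new executable into the Windows root at service-creation time.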
---
## Road 3: RDP
**Observed in:** Akira, Chaos, Play, Qilin, Embargo, Fog, LockBit, Hunters Int'l (**8 groups**)
RDP is the most abused legitimate tool across the ecosystem. The Sophos 2026 Active Adversary Report found 66% of IR cases involved internal RDP lateral movement. It's the hardest mechanism to detect because it's also the most common legitimate admin tool.
### The Detection Problem
The signal isn't "RDP happened." It's "RDP happened from an unexpected source." This requires three things most organizations don't have properly instrumented:
1. **Asset inventory.** Which IPs have EDR agents? If you can't answer this, you can't distinguish managed from unmanaged RDP sources.
2. **Auth log correlation.** Event ID 4624 with LogonType 10 (RemoteInteractive) from IPs not in your asset inventory. With NLA enabled a type 3 network logon from the same source precedes it, so key on type 10 for the session itself. This is a SIEM correlation, not an endpoint detection.
3. **Behavioral baselining.** Which accounts normally RDP, to which destinations, at what times? A service account RDP'ing to 30 hosts at 3am is anomalous regardless of source.
### Pre-Lateral Movement: Enabling RDP
Operators frequently enable RDP on hosts where it's disabled. This produces a detectable artifact independent of the RDP session itself:
> [!example]- RDP enablement commands (registry + firewall)
> ```
> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
> powershell Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
> Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
> ```
This registry modification + firewall rule pattern appeared in both [[Two PlayCrypt Intrusions Compared|Play intrusions]], plus Akira and Embargo. In the Play KGAINC intrusion, the operator ran this exact sequence on every host they touched before pivoting.
In the [[Three Akira Intrusions Compared|Akira Intrusion 3]], the operator went further and turned on Restricted Admin mode (`DisableRestrictedAdmin` = 0) to enable pass-the-hash over RDP:
> [!example]- Pass-the-hash RDP enablement
> ```
> powershell -command New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
> ```
Setting `DisableRestrictedAdmin` to `0` enables Restricted Admin mode, which lets a client connect with `mstsc /restrictedadmin` using only an NTLM hash (pass-the-hash). No plaintext password needed. The same value is what defenders set when they want to keep credentials off jump hosts, so alert on who set it, from where, and outside which change window, rather than on the value alone.
### SSH
SSH lateral movement is less common but growing. Chaos used reverse SSH over port 443. ESXi-targeting operators (Akira, Qilin) use SSH to reach hypervisors from Windows hosts. In the Akira Intrusion 1, the operator used SCP to transfer a Linux ransomware binary to the ESXi host:
> [!example]- SCP to ESXi (Akira)
> ```
> scp payload root@[ESXi_IP]:/
> # requests the sftp subsystem: an SFTP/SCP-style client session, not an interactive shell
> ssh -l root -s -- [ESXi_IP] sftp
> ```
SSH or SCP from a Windows endpoint to an internal host is anomalous in most environments.
> **Detection Opportunity:** Alert on fDenyTSConnections flipped to 0, Enable-NetFirewallRule targeting Remote Desktop, or DisableRestrictedAdmin registry writes outside of GPO-driven rollouts.
>
> See rule: [[edr-win-lat-rdp-enable]]
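The three instrumentation needs listed under "The Detection Problem", plus the enablement commands above, as an added example (not the page's rule): type-10 logons from sources without an EDR agent, per-account fan-out beyond a destination baseline, and a command-line check for the registry and firewall flips. The inventory, baseline and 4624 records are constructed for the example; in production they come from the EDR console and from a few weeks of logon history.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (IP -> managed host) and per-account RDP baseline.
MANAGED_SOURCES = {"10.10.1.21": "WS-ADMIN01", "10.10.1.22": "WS-ADMIN02", "10.10.5.5": "JUMP01"}
RDP_BASELINE = {r"DOMAIN\it.admin": {"FS01", "FS02", "JUMP01"}}


def is_rdp_logon(e):
    # NLA logs a type-3 network logon first; only the type-10 event means a
    # desktop session was actually established.
    return e["event_id"] == 4624 and e["logon_type"] == 10


def unmanaged_rdp(logons, managed=MANAGED_SOURCES):
    """Type-10 logons whose source IP has no EDR agent (VPN pool, IAB box, rogue host)."""
    return [e for e in logons if is_rdp_logon(e) and e["ip"] not in managed]


def rdp_fanout(logons, baseline=RDP_BASELINE, window=timedelta(hours=1), max_new=2):
    """Accounts reaching more than max_new destinations outside their baseline within window."""
    by_acct = defaultdict(list)
    for e in sorted(logons, key=lambda e: e["time"]):
        if is_rdp_logon(e):
            by_acct[e["account"]].append(e)
    hits = []
    for acct, evs in by_acct.items():
        known = baseline.get(acct, set())
        for i, start in enumerate(evs):
            new = {e["host"] for e in evs[i:]
                   if e["time"] - start["time"] <= window and e["host"] not in known}
            if len(new) > max_new:
                hits.append((acct, start["time"], sorted(new)))
                break
    return hits


# Pre-pivot enablement: the registry flips and firewall-group enable shown above.
RDP_REG_ENABLE = re.compile(
    r'(?P<key>fDenyTSConnections|DisableRestrictedAdmin)\b.*?(?:/d|-Value)\s+"?0\b', re.I | re.S)
RDP_FW_ENABLE = re.compile(
    r"Enable-NetFirewallRule.*Remote Desktop|netsh\s+advfirewall.*remote desktop.*enable=yes", re.I)


def rdp_enablement(cmdline):
    """Name of the flipped value, 'firewall-rdp-group', or None."""
    m = RDP_REG_ENABLE.search(cmdline)
    if m:
        return m["key"]
    return "firewall-rdp-group" if RDP_FW_ENABLE.search(cmdline) else None


T0 = datetime(2025, 3, 2, 3, 2, 0)
SAMPLE_LOGONS = [  # constructed 4624 records
    {"event_id": 4624, "logon_type": 10, "account": r"DOMAIN\it.admin", "ip": "10.10.5.5", "host": "FS01", "time": T0},
    {"event_id": 4624, "logon_type": 3, "account": r"DOMAIN\svc_backup", "ip": "10.10.9.77", "host": "DC01", "time": T0 + timedelta(minutes=3)},
    {"event_id": 4624, "logon_type": 10, "account": r"DOMAIN\svc_backup", "ip": "10.10.9.77", "host": "DC01", "time": T0 + timedelta(minutes=3)},
    {"event_id": 4624, "logon_type": 10, "account": r"DOMAIN\svc_backup", "ip": "10.10.9.77", "host": "FS02", "time": T0 + timedelta(minutes=6)},
    {"event_id": 4624, "logon_type": 10, "account": r"DOMAIN\svc_backup", "ip": "10.10.9.77", "host": "BKP01", "time": T0 + timedelta(minutes=8)},
]

if __name__ == "__main__":
    print("unmanaged sources:", [(e["account"], e["ip"], e["host"]) for e in unmanaged_rdp(SAMPLE_LOGONS)])
    print("fan-out:", rdp_fanout(SAMPLE_LOGONS))
    print(rdp_enablement('powershell Enable-NetFirewallRule -DisplayGroup "Remote Desktop"'))
```

The service account case is the one the baseline catches regardless of source IP: `svc_backup` has no RDP history at all, so three new destinations in five minutes trips the fan-out rule even though a single type-10 logon would not.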
---
## Road 4: WinRM
**Observed in:** SocGholish/RansomHub chains, Embargo (Evil-WinRM), Storm-0501, Black Basta (**4 groups**)
WinRM (Windows Remote Management, TCP 5985 for HTTP and 5986 for HTTPS) is the lateral movement mechanism operators reach for when Impacket and PsExec are detected or blocked. It's enabled by default on Windows Server 2012 and later, often enabled on workstations by GPO for administrative purposes, and produces a telemetry surface that most EDR stacks don't scrutinize as closely as PsExec or Impacket artifacts.
### How It Works
The operator uses PowerShell Remoting (`Invoke-Command`, `Enter-PSSession`) or `winrs.exe` from the source host. On the target, `wsmprovhost.exe` (for PowerShell Remoting) or `winrshost.exe` (for winrs) spawns as the execution engine, hosting the remote session and executing commands.
### Observed in Intrusions
In the SocGholish-to-RansomHub chain documented in [[Crafting Detections on Threat Actor Movement]], the operator authenticated via WinRM through an injected process (`RtkAudUService64.exe`) and issued commands through `wsmprovhost.exe`:
> [!example]- WinRM child process patterns (from firsthand IR)
> ```
> wsmprovhost.exe -> schtasks.exe /query /tn libffi /v /fo list
> wsmprovhost.exe -> schtasks.exe /run /tn libffi
> wsmprovhost.exe -> quser.exe /server [FQDN]
> wsmprovhost.exe -> qwinsta.exe
> wsmprovhost.exe -> tasklist.exe /v
> wsmprovhost.exe -> netstat.exe /ano
> wsmprovhost.exe -> systeminfo.exe
> wsmprovhost.exe -> findstr.exe pythonw.exe
> wsmprovhost.exe -> vssadmin.exe delete shadows
> ```
The commands covered task execution, session enumeration, process and network inventory, and shadow copy deletion to inhibit recovery. Evil-WinRM (used by Embargo affiliates) operates through this same execution path.
### Why Operators Prefer It
| Advantage over... | Why |
|---|---|
| PsExec | No service creation, no PSEXESVC.exe deployed to target |
| Impacket | No ADMIN$ output redirection artifact, no Python dependency |
| RDP | No interactive session recording, no GUI artifacts |
The tradeoff: WinRM requires valid credentials and the target must have WinRM enabled (common in enterprise, not universal). If WinRM is disabled, the operator falls back to Impacket or PsExec.
### Detection Surface
One parent process covers every operator using it. Any child process spawning from `wsmprovhost.exe` or `winrshost.exe` that isn't a known management tool is a candidate.
> **Detection Opportunity:** `wsmprovhost.exe` or `winrshost.exe` spawning LOLbins (schtasks, quser, qwinsta, tasklist, netstat, systeminfo, vssadmin, certutil, reg, cmd, powershell). Baseline by the accounts and source hosts that legitimately drive PowerShell Remoting; the source IP is in the Microsoft-Windows-WinRM/Operational log and the preceding 4624 type 3 logon, not in the process creation event itself. Script block logging (4104) captures the remote commands as well.
>
> See rule: [[edr-win-lat-winrm-abuse]]
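The parent-process rule above with the baselining it calls for, as an added example (not the page's rule): severity-triage each child of `wsmprovhost.exe`/`winrshost.exe` by whether the account is a known remoting user and whether the command inhibits recovery, then surface the discovery sweep as a count of distinct LOLbins per user. The baseline set, field names and sample events are constructed; the children are patterned on the list above.

```python
import re
from collections import defaultdict

WINRM_HOSTS = {"wsmprovhost.exe", "winrshost.exe"}
LOLBINS = {"schtasks.exe", "quser.exe", "qwinsta.exe", "tasklist.exe", "netstat.exe",
           "systeminfo.exe", "findstr.exe", "vssadmin.exe", "certutil.exe", "reg.exe",
           "cmd.exe", "powershell.exe", "net.exe", "whoami.exe", "wmic.exe", "nltest.exe"}
# Constructed baseline: accounts expected to drive PSRemoting interactively.
# Derive it in production from WinRM-Operational and 4624 type-3 history.
BASELINE_ACCOUNTS = {r"DOMAIN\it.admin"}
RECOVERY_INHIBIT = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin\s+delete|bcdedit.*recoveryenabled\s+no|wmic.*shadowcopy\s+delete",
    re.I)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(ev):
    """(severity, reason) for one process-creation event; None when the parent
    is not a WinRM host process. Assumed fields: parent_image, image,
    command_line, user."""
    parent, image, cmd = _base(ev["parent_image"]), _base(ev["image"]), ev["command_line"]
    if parent not in WINRM_HOSTS:
        return None
    if RECOVERY_INHIBIT.search(cmd):
        return ("high", f"{parent} -> {image}: recovery inhibition")
    if image in LOLBINS and ev["user"] not in BASELINE_ACCOUNTS:
        return ("medium", f"{parent} -> {image} by non-baselined {ev['user']}")
    if image in LOLBINS:
        return ("low", f"{parent} -> {image} by baselined {ev['user']}")
    return ("info", f"{parent} -> {image}: unlisted child")


def recon_bursts(events, min_distinct=4):
    """Users running min_distinct or more different LOLbins through WinRM:
    the discovery sweep visible in the child-process list above."""
    seen = defaultdict(set)
    for ev in events:
        if _base(ev["parent_image"]) in WINRM_HOSTS and _base(ev["image"]) in LOLBINS:
            seen[ev["user"]].add(_base(ev["image"]))
    return {user: sorted(bins) for user, bins in seen.items() if len(bins) >= min_distinct}


S32 = r"C:\Windows\System32"
W = S32 + r"\wsmprovhost.exe"
SAMPLE_EVENTS = [  # constructed, patterned on the wsmprovhost children above
    {"parent_image": W, "image": S32 + r"\schtasks.exe", "command_line": "schtasks.exe /run /tn libffi", "user": r"DOMAIN\web_svc"},
    {"parent_image": W, "image": S32 + r"\quser.exe", "command_line": "quser.exe /server srv01.corp.local", "user": r"DOMAIN\web_svc"},
    {"parent_image": W, "image": S32 + r"\tasklist.exe", "command_line": "tasklist.exe /v", "user": r"DOMAIN\web_svc"},
    {"parent_image": W, "image": S32 + r"\netstat.exe", "command_line": "netstat.exe /ano", "user": r"DOMAIN\web_svc"},
    {"parent_image": W, "image": S32 + r"\vssadmin.exe", "command_line": "vssadmin.exe delete shadows /all /quiet", "user": r"DOMAIN\web_svc"},
    {"parent_image": S32 + r"\winrshost.exe", "image": S32 + r"\cmd.exe", "command_line": "cmd.exe /c gpresult /r", "user": r"DOMAIN\it.admin"},
    {"parent_image": S32 + r"\explorer.exe", "image": S32 + r"\cmd.exe", "command_line": "cmd.exe", "user": r"DOMAIN\bob"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
    print("recon bursts:", recon_bursts(SAMPLE_EVENTS))
```

The `low` tier is deliberate: a baselined admin running `gpresult` through `winrs` is routine and belongs in a hunting view, not a page. The `high` tier ignores the baseline entirely because shadow copy deletion through a remote session has no routine explanation.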
---
## Road 5: SMB Admin Share Staging
**Observed in:** Akira, Play, Qilin, Black Basta, LockBit, Fog (**6 groups**)
Before an operator can run PsExec, WMI, or a scheduled task on a remote host, they usually need to get the payload onto that host. SMB admin share staging is the copy mechanism. It's not a lateral movement method in isolation because it still requires a separate execution primitive, but the staging artifact is detectable on its own and often precedes the execution by seconds to minutes.
### The Pattern
Mount `ADMIN$`, `C$`, or `IPC$` on the target host using a stolen admin credential, then copy the tool or payload into a staging directory:
> [!example]- SMB admin share staging commands
> ```
> net use \\TARGET\C$ <password> /user:DOMAIN\<admin>
> net use \\TARGET\ADMIN$ <password> /user:DOMAIN\<admin>
> copy C:\ProgramData\tool.exe \\TARGET\C$\Windows\Temp\
> copy C:\PerfLogs\payload.dll \\TARGET\ADMIN$\payload.dll
> xcopy C:\staging\ \\TARGET\C$\ProgramData\stage\ /s /y
> ```
In the [[Three Akira Intrusions Compared|Akira Intrusion 1]], the operator staged exfiltration tools in `C:\drives\brother\` on the source host, then used Rclone (renamed `crowdstrike.exe`) to copy data to attacker-controlled cloud storage. The staging path itself was a custom directory created for the operation.
In the Play KGAINC intrusion, the operator mounted admin shares on the file servers, downloaded WinRAR and WinSCP onto those servers with Chrome, then staged archives for exfiltration.
### Why It Matters for Detection
The `net use` with an explicit `/user:` flag containing a domain admin is high-fidelity. Normal workstations rarely mount admin shares on internal hosts with explicit credentials. On the target, file creations under `ADMIN$` (that is, `C:\Windows\`) or `C:\Windows\Temp\` are the matching signal; inbound SMB writes are attributed to the `System` process (PID 4), which is itself the tell, since no user-mode parent is involved.
Once staged, the operator pivots to execution through one of the other five roads: PsExec against the staged binary, `wmic /node:` invocation, scheduled task creation with `schtasks /s`, or service creation with `sc \\TARGET create`.
> **Detection Opportunity:** `net use \\<host>\(C$|ADMIN$|IPC$)` with `/user:` from a workstation. Pair with file creation on the target share for the full staging signature.
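The pairing the Detection Opportunity describes, as an added example (not the page's rule): parse source-side `net use` and `copy`/`xcopy` command lines for the target host and share, then join them with target-side file-creation records on that host within a short window, accepting only writes attributed to the `System` process as inbound SMB writes are. The privileged-account set, field names and both event streams are constructed for the example.

```python
import re
from datetime import datetime, timedelta

NET_USE = re.compile(
    r"\bnet(?:\.exe)?\s+use\s+\\\\(?P<host>[^\\\s]+)\\(?P<share>C\$|ADMIN\$|IPC\$)(?:.*?/user:(?P<user>\S+))?",
    re.I)
COPY_TO_SHARE = re.compile(
    r"\b(?:copy|xcopy|robocopy|move)\b.*?\\\\(?P<host>[^\\\s]+)\\(?P<share>C\$|ADMIN\$)\\(?P<path>\S*)",
    re.I)
PRIVILEGED = {r"DOMAIN\Administrator", r"DOMAIN\da.backup"}  # constructed Tier-0 account list


def parse_staging(cmdline):
    """Source-side: a mount of, or a copy into, an admin share; else None."""
    m = NET_USE.search(cmdline)
    if m:
        return {"kind": "mount", "host": m["host"].upper(), "share": m["share"].upper(),
                "user": m["user"], "privileged": m["user"] in PRIVILEGED}
    m = COPY_TO_SHARE.search(cmdline)
    if m:
        return {"kind": "copy", "host": m["host"].upper(), "share": m["share"].upper(),
                "path": m["path"], "user": None, "privileged": False}
    return None


def correlate(source_events, file_events, window=timedelta(minutes=2)):
    """Join source-side staging commands with target-side file creations.

    Assumed fields: source_events have host, user, time, command_line;
    file_events (Sysmon event 11 shape) have host, time, image, path. Only
    creations by the System process count, because that is how the target
    attributes remote SMB writes.
    """
    pairs = []
    for s in source_events:
        hit = parse_staging(s["command_line"])
        if not hit:
            continue
        for f in file_events:
            if (f["host"].upper() == hit["host"] and f["image"].lower() == "system"
                    and timedelta(0) <= f["time"] - s["time"] <= window):
                pairs.append({"source": s["host"], "user": s["user"], "target": f["host"],
                              "file": f["path"], "via": hit["kind"],
                              "privileged_mount": hit["privileged"]})
    return pairs


T0 = datetime(2025, 3, 2, 2, 40, 0)
SOURCE = [  # constructed process-creation events on the source workstation
    {"host": "WS01", "user": r"DOMAIN\jsmith", "time": T0,
     "command_line": r"net use \\FS01\C$ Winter2025! /user:DOMAIN\Administrator"},
    {"host": "WS01", "user": r"DOMAIN\jsmith", "time": T0 + timedelta(seconds=5),
     "command_line": r"copy C:\ProgramData\tool.exe \\FS01\C$\Windows\Temp\tool.exe"},
]
FILES = [  # constructed file-creation records on the targets
    {"host": "FS01", "time": T0 + timedelta(seconds=12), "image": "System", "path": r"C:\Windows\Temp\tool.exe"},
    {"host": "FS01", "time": T0 + timedelta(seconds=40),
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "path": r"C:\Users\bob\Downloads\report.pdf"},
    {"host": "FS02", "time": T0 + timedelta(seconds=15), "image": "System", "path": r"C:\Windows\Temp\tool.exe"},
]

if __name__ == "__main__":
    for p in correlate(SOURCE, FILES):
        print(p)
```

The FS02 write is left unpaired on purpose: a `System`-attributed drop into `Windows\Temp` with no matching source command is exactly the case where the staging came from a host you do not have telemetry on, and it deserves a separate, lower-confidence rule rather than silence.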
---
## Road 6: Direct WMIC Remote Execution
**Observed in:** Akira, Play, LockBit, Fog (**4 groups**)
Distinct from Impacket's `wmiexec.py`. Direct WMIC abuse uses the native `wmic.exe` binary with the `/node:` flag to create processes on remote hosts via WMI over DCOM (TCP 135 plus a dynamic high port). No Python dependency, no ADMIN$ output redirection, and no output at all beyond the return code and PID. Older and more straightforward than Impacket, and still effective wherever `wmic.exe` exists; Microsoft deprecated it and Windows 11 24H2 ships without it unless the Feature on Demand is installed, so on current clients operators fall back to the PowerShell variants below.
### The Pattern
> [!example]- Direct WMIC remote execution
> ```
> wmic /node:TARGET /user:DOMAIN\admin /password:<pass> process call create "cmd.exe /c <command>"
> wmic /node:TARGET /user:DOMAIN\admin /password:<pass> process call create "C:\Windows\Temp\payload.exe"
> wmic /node:"TARGET1,TARGET2,TARGET3" process call create "C:\Windows\Temp\payload.exe"
> ```
The `/node:` flag is the tell. Legitimate WMIC usage is almost entirely local. A WMIC process with `/node:` pointing at another host, especially with an explicit credential, is high-signal.
### PowerShell Variants
Some operators use `Invoke-WmiMethod` or `Invoke-CimMethod` instead. `Invoke-WmiMethod` uses DCOM like `wmic.exe`; `Invoke-CimMethod -ComputerName` goes over WinRM (WS-Man) by default unless a DCOM session option is supplied, so its network and WinRM-log footprint matches Road 4. The target-side `wmiprvse.exe` parent is the same either way:
> [!example]- PowerShell WMI remote execution
> ```
> Invoke-WmiMethod -ComputerName TARGET -Class Win32_Process -Name Create -ArgumentList "payload.exe"
> Invoke-CimMethod -ComputerName TARGET -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine='payload.exe'}
> ```
### Source vs. Target Detection
This technique has both source-side and target-side detection surfaces:
| Side | Artifact |
|---|---|
| **Source** | `wmic.exe` with `/node:` + `process call create` in command line |
| **Target** | `wmiprvse.exe` spawning `cmd.exe` or direct process (overlaps with Impacket) |
The source-side `wmic /node:` command line is the unique indicator. Target-side detection overlaps with Impacket's WmiExec because both use WMI as the execution mechanism.
> **Detection Opportunity:** `wmic.exe` with `/node:` + `process call create` in the command line. Source-side, independent of target telemetry. PowerShell variants: `Invoke-WmiMethod -ComputerName` or `Invoke-CimMethod -ComputerName` with `Win32_Process` + `Create`.
>
> See rule: [[edr-win-lat-wmic-remote-node]]
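The source-side parse from the Detection Opportunity above, as an added example (not the page's rule): extract the target list from `wmic /node:` (including the quoted, comma-separated form), note whether explicit credentials were passed, recover the created command, and treat the PowerShell cmdlets the same way while recording which transport each one uses. The logging host's own name is passed in so that `/node:<self>` and the local aliases are not flagged; all inputs are constructed.

```python
import re

WMIC_NODE = re.compile(r'\bwmic(?:\.exe)?\b.*?/node:(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s/]+))', re.I)
WMIC_CREATE = re.compile(r'\bprocess\s+call\s+create\b\s*"?(?P<cmd>[^"]*)', re.I)
WMIC_USER = re.compile(r"/user:(?P<user>\S+)", re.I)
PS_REMOTE = re.compile(r"\b(?P<cmdlet>Invoke-WmiMethod|Invoke-CimMethod)\b.*?-ComputerName\s+(?P<targets>\S+)",
                       re.I | re.S)
PS_CREATE = re.compile(r"Win32_Process\b.*?\bCreate\b", re.I | re.S)
LOCAL_ALIASES = {".", "localhost", "127.0.0.1"}


def _targets(raw, local_hostname):
    """Split a /node: or -ComputerName value and drop anything that means 'this host'."""
    names = [t.strip().strip("'\"") for t in raw.split(",")]
    return [n for n in names if n and n.lower() not in LOCAL_ALIASES and n.lower() != local_hostname.lower()]


def parse_remote_wmi(cmdline, local_hostname="WS01"):
    """Source-side parse of a remote Win32_Process.Create; None when local or not a create."""
    m = WMIC_NODE.search(cmdline)
    if m:
        c = WMIC_CREATE.search(cmdline)
        if not c:
            return None                      # e.g. "wmic /node:X os get caption": remote query, not execution
        targets = _targets(m["quoted"] or m["bare"], local_hostname)
        if not targets:
            return None
        return {"tool": "wmic", "transport": "DCOM", "targets": targets,
                "explicit_cred": WMIC_USER.search(cmdline) is not None,
                "command": c["cmd"].strip()}
    m = PS_REMOTE.search(cmdline)
    if m and PS_CREATE.search(cmdline):
        targets = _targets(m["targets"], local_hostname)
        if not targets:
            return None
        cmdlet = m["cmdlet"]
        # CIM cmdlets ride WinRM (WS-Man) unless a DCOM session option is given,
        # so their network footprint overlaps Road 4 rather than wmic's DCOM path.
        dcom = cmdlet.lower() == "invoke-wmimethod" or re.search(r"Protocol\s+Dcom", cmdline, re.I)
        return {"tool": cmdlet, "transport": "DCOM" if dcom else "WSMan", "targets": targets,
                "explicit_cred": re.search(r"-Credential\b", cmdline, re.I) is not None,
                "command": None}
    return None


SAMPLE_CMDLINES = [  # constructed; the first three mirror the patterns shown above
    r'wmic /node:TARGET /user:DOMAIN\admin /password:Pa55 process call create "cmd.exe /c whoami"',
    r'wmic /node:TARGET /user:DOMAIN\admin /password:Pa55 process call create "C:\Windows\Temp\payload.exe"',
    r'wmic /node:"TARGET1,TARGET2,TARGET3" process call create "C:\Windows\Temp\payload.exe"',
    "Invoke-CimMethod -ComputerName TARGET -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine='payload.exe'}",
    'Invoke-WmiMethod -ComputerName TARGET -Class Win32_Process -Name Create -ArgumentList "payload.exe"',
    'wmic process call create "notepad.exe"',          # local: no /node
    'wmic /node:WS01 process call create "notepad.exe"',  # /node pointing at the logging host itself
    "wmic /node:TARGET os get caption",                  # remote query, no process creation
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(parse_remote_wmi(line))
```

Returning the target list rather than a boolean matters for the triage step: a single `/node:` with an explicit credential is one host compromised, while a quoted list of three with the same payload path is the encryptor being deployed.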
---
## The Lateral Movement Chokepoint
Six roads. All detectable. Each with a distinct process creation signature.
| Road | Mechanism | Source-side signature | Target-side signature |
|---|---|---|---|
| **Impacket** | WMI / SMB / Task Scheduler | Python client (not always visible) | `wmiprvse.exe`/`services.exe`/`svchost.exe` → `cmd.exe` with `\\127.0.0.1\ADMIN$\__` |
| **PsExec** | Remote service creation | `psexec.exe` command line | Event ID 7045 with random service name + binary in `C:\Windows\` |
| **RDP** | Interactive session | `mstsc.exe` / auth event | Type 10 logon from unexpected source |
| **WinRM** | PowerShell Remoting | `Invoke-Command` / `winrs.exe` | `wsmprovhost.exe`/`winrshost.exe` → LOLbin |
| **SMB staging** | File copy via admin shares | `net use \\host\(C$\|ADMIN$)` with `/user:` | File creation in ADMIN$ / C$\Windows\Temp |
| **Direct WMIC** | Native WMI | `wmic /node:` + `process call create` | `wmiprvse.exe` → `cmd.exe` (overlaps Impacket) |
The operator needs at least one of these to work. If all six are monitored, every lateral movement attempt produces a detection artifact. The question is not whether you can detect it. The question is whether your pipeline escalates the alert before the operator reaches the next host.
---
## Detections
| Rule ID | Description |
|---|---|
| [[edr-win-lat-impacket-wmiexec]] | Impacket WmiExec Lateral Movement |
| [[edr-win-lat-remote-psexec]] | Remote PsExec Service Execution |
| [[edr-win-lat-rdp-enable]] | RDP Enablement via Registry or Firewall Modification |
| [[edr-win-lat-winrm-abuse]] | Remote Execution via WinRM Abuse |
| [[edr-win-lat-wmic-remote-node]] | WMI Remote Process Execution via Native Binaries |
---
## Key Publications
1. [Sophos - Nowhere, Man: The 2026 Active Adversary Report](https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-report) (2026) (Impacket 36% of tools, 83% YoY increase; RDP 66% of cases)
2. [Sophos - It Takes Two: The 2025 Active Adversary Report](https://news.sophos.com/en-us/2025/04/02/2025-sophos-active-adversary-report/) (Apr 2025)
3. [CISA/FBI - #StopRansomware: Akira Ransomware (AA24-109A)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a) (Apr 2024, updated Nov 2025)
4. [CISA/FBI/ASD - #StopRansomware: Play Ransomware (AA23-352A)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a) (Dec 2023, updated Jun 2025)
5. [CISA/FBI - #StopRansomware: Black Basta (AA24-131A)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a) (May 2024)
6. [CISA/FBI - #StopRansomware: RansomHub (AA24-242a)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a) (Aug 2024)
7. [DFIR Report - Blurring the Lines: Three Ransomware Gangs](https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/) (Sep 2025)
8. [Huntress - 2025 Cyber Threat Report](https://www.huntress.com/blog/huntress-2025-cyber-threat-report-proliferating-rats-evolving-ransomware-and-other-findings) (2025)
9. [eSentire - From Access to Encryption: Hunters International](https://www.esentire.com/blog/from-access-to-encryption-dissecting-hunters-internationals-latest-ransomware-attack) (Feb 2025)
10. [BushidoToken - Ransomware Tool Matrix](https://github.com/BushidoUK/Ransomware-Tool-Matrix) (ongoing)