MODULE 06
Lateral Movement Detection
Catching PsExec, WMI abuse, and SMB/RPC anomalies.
PsExec Detection
PsExec is a legitimate tool often abused for lateral movement.
Indicators
- Service creation (PSEXESVC)
- Named pipe creation
- Admin$ share access
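
The three indicators are most useful when correlated, since Admin$ access on its own is common for administrative tooling. The following added example (not part of the original module) flags a host when at least two indicators occur within a short window. The flat event schema, field names, host names and the 60-second window are assumptions; the event IDs are Windows System 7045 (service installed), Sysmon 17 (pipe created) and Security 5140/5145 (share access).

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed correlation window; tune per environment

# Constructed sample events in a flat, hypothetical schema (not real logs).
# IDs: 7045 = service installed, Sysmon 17 = pipe created, 5140/5145 = share access.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "WS01", "event_id": 5140, "share": r"\\*\ADMIN$"},
    {"ts": "2024-05-01T10:00:02", "host": "WS01", "event_id": 7045, "service_name": "PSEXESVC"},
    {"ts": "2024-05-01T10:00:03", "host": "WS01", "event_id": 17, "pipe_name": r"\PSEXESVC"},
    {"ts": "2024-05-01T11:00:00", "host": "FS02", "event_id": 5140, "share": r"\\*\ADMIN$"},
    {"ts": "2024-05-01T12:00:00", "host": "WS03", "event_id": 7045, "service_name": "BackupAgent"},
    {"ts": "2024-05-01T13:00:00", "host": "WS04", "event_id": 17, "pipe_name": r"\PSEXESVC"},
    {"ts": "2024-05-01T13:10:00", "host": "WS04", "event_id": 7045, "service_name": "PSEXESVC"},
]

def indicator(ev):
    """Return which of the three indicators an event matches, or None."""
    eid = ev.get("event_id")
    if eid == 7045 and "psexesvc" in ev.get("service_name", "").lower():
        return "service_creation"
    if eid == 17 and "psexesvc" in ev.get("pipe_name", "").lower():
        return "named_pipe"
    if eid in (5140, 5145) and ev.get("share", "").upper().endswith("ADMIN$"):
        return "admin_share"
    return None

def detect(events, window=WINDOW, min_indicators=2):
    """Alert when >= min_indicators distinct indicators hit one host inside the window."""
    by_host = {}
    for ev in events:
        kind = indicator(ev)
        if kind:
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), kind))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        skip_until = None  # suppress duplicate alerts for the same burst
        for t0, _ in hits:
            if skip_until is not None and t0 <= skip_until:
                continue
            kinds = {k for t, k in hits if t0 <= t <= t0 + window}
            if len(kinds) >= min_indicators:
                alerts.append({"host": host, "start": t0.isoformat(), "indicators": sorted(kinds)})
                skip_until = t0 + window
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In the sample data only WS01 alerts: FS02 shows Admin$ access alone, WS03 installs an unrelated service, and the two WS04 events are ten minutes apart.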