Lateral Movement

Lateral movement detection focuses on identifying when an attacker, after compromising one system, attempts to move deeper into the network.
These behaviors are visible across Windows logs, Linux logs, network telemetry, EDR data, and authentication patterns.
This chapter covers lateral movement at the depth a SOC needs: techniques, log artifacts, detection rules, and practical investigation workflows.


What Lateral Movement Means in SOC

Lateral movement begins after initial access.
The attacker uses stolen credentials, remote execution tools, or internal weaknesses to reach additional hosts.

Common goals:

  • Privilege escalation

  • Spreading malware

  • Reaching domain controllers

  • Planting persistence

  • Accessing sensitive data

  • Deploying ransomware at scale

Detecting lateral movement early prevents full-environment compromise.


Common Lateral Movement Techniques

Below are techniques attackers consistently use.

1. Remote Services

  • SMB

  • WinRM

  • RDP

  • SSH

  • PsExec

Windows Event IDs to watch:

  • 4624 with LogonType 3 (network logon: SMB, WinRM, WMI, PsExec), logged on the target host

  • 4624 with LogonType 10 (RemoteInteractive, i.e. RDP), logged on the target host

  • 4648 (logon attempted with explicit credentials, e.g. runas or PsExec -u), logged on the source host

Network indicators:

  • Unusual volumes of SMB (TCP/445) traffic, especially workstation-to-workstation

  • Repeated authentication attempts across multiple hosts


2. PsExec & Impacket Tools

PsExec pattern:

PSEXESVC.exe copied to the target's ADMIN$ share  
service PSEXESVC installed (System log Event ID 7045)  
cmd.exe (or the requested binary) launched as a child of PSEXESVC.exe

Impacket tools (psexec.py, wmiexec.py, smbexec.py) show patterns such as:

  • SMB access to the IPC$ share and the svcctl named pipe (5145 records the pipe name)

  • Remote service creation (7045) with a random service and binary name (psexec.py) or a service whose command runs cmd.exe through a batch file (smbexec.py)

  • Command output written to and read back from ADMIN$ over SMB (wmiexec.py), alongside NTLM network logons (4624 type 3)

EDR flags these as remote command execution: a service binary or batch file dropped on an admin share, and cmd.exe spawned by services.exe or WmiPrvSE.exe.


3. WMI-Based Movement

Attackers run commands via:

wmic /node:<host> process call create "<cmd>"

(wmic is deprecated on current Windows; the PowerShell CIM cmdlets produce the same Win32_Process Create call and the same trace on the target.)

Suspicious trees on the target host, where WmiPrvSE.exe is the parent of the created process:

wmiprvse.exe → cmd.exe → powershell.exe

4. Remote Scheduled Tasks

Attackers create tasks on other systems:

schtasks /create /s <hostname> /ru <user> /tn <taskname> /sc once /st <HH:MM> /tr "payload.exe"

(/tn and /sc are required; /s targets the remote host and /ru sets the account the task runs as.)

Logs:

  • 4698 (task created) on the target host, carrying the Subject Logon ID of the session that created it

  • SMB traffic to the target host (the Task Scheduler RPC interface runs over the atsvc named pipe)


5. RDP Lateral Movement

Indicators:

  • Multiple RDP connections from one source in a short time

  • RDP sessions initiated from ordinary workstations rather than admin jump hosts

  • 4624 LogonType 10 on the target, plus 4778/4779 for session reconnect and disconnect

  • New RDP sessions outside business hours, or from accounts that never use RDP


6. Credential Dumping to Enable Lateral Movement

LSASS access usually precedes movement:

  • Mimikatz (sekurlsa::logonpasswords)

  • procdump.exe -ma lsass.exe

  • rundll32.exe comsvcs.dll, MiniDump <lsass pid> <file> full

  • Invoke-Mimikatz scripts

Event IDs:

  • 4656 / 4663 (handle to lsass.exe opened) appear only if a SACL audits lsass.exe, which most environments do not configure

  • Sysmon Event ID 10 (ProcessAccess) with TargetImage lsass.exe and a GrantedAccess that includes 0x10 (PROCESS_VM_READ) is the usual telemetry

EDR alerts:

  • Credential theft behavior (LSASS memory read by an unsigned or temp-directory binary)


Log Artifacts That Reveal Lateral Movement

Windows Logs

  • 4624 LogonType 3 → network logon (SMB, WinRM, WMI, PsExec); logged on the target host

  • 4624 LogonType 10 → RemoteInteractive (RDP) logon; logged on the target host

  • 4648 → logon with explicit credentials (runas, PsExec -u); logged on the source host

  • 4672 → special privileges assigned to a new logon (admin-equivalent session)

  • 5140 / 5145 → network share accessed (ADMIN$, C$, IPC$ and the named pipes reached through it)

  • 4698 → scheduled task created; the Subject Logon ID ties it to the creating session

  • 7045 (System log) → new service installed, the footprint of PsExec and Impacket's service-based tools

EDR Telemetry

  • Remote process creation

  • Unusual process trees involving remote tools

  • PsExec service deployment

  • PowerShell Remoting patterns

Network Logs

  • SMB traffic spikes

  • Unusual RDP traffic

  • Beaconing between internal hosts

  • Lateral scanning

  • Bursts of DNS lookups for many internal hostnames from one workstation (name resolution ahead of host-by-host connection attempts)

Linux Logs

  • SSH login attempts

  • sudo failures and successes

  • Cron modifications

  • SSH key use from a source host the key has never been used from


Practical Hunting Queries

Windows — RDP Logons

EventID=4624 LogonType=10

Windows — Remote Command Execution

process_name:psexec OR process_name:psexesvc

Windows — Explicit Credential Use

EventID=4648

PowerShell Remoting

powershell AND ("Enter-PSSession" OR "Invoke-Command") on the source; on the target, processes whose parent is wsmprovhost.exe

SMB Movement

Network logs: dst_port=445 AND unusual src_host

SSH Lateral Movement (Linux)

sshd: Accepted password for * from <internal IP>

SIEM Detection Logic (Use Case Patterns)

Detection 1 — Multiple Lateral Logons in Short Time

Logic:

  • Same user

  • Multiple systems

  • LogonType=3 or 10

  • Within short timeframe

Outcome:

  • Compromised credentials likely; tune by excluding vulnerability scanners and backup/monitoring service accounts that legitimately touch many hosts
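Detection 1 as runnable logic, added here as an example and not code from the original page. It slides a time window over constructed 4624 records (hostnames, account names, IPs, the 10-minute window and the three-host threshold are all assumptions) and raises one alert per account that reached enough distinct hosts with type 3 or type 10 logons; an allow-list parameter carries the scanner/backup exclusion the rule needs in practice.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4624 events (not real telemetry). A SIEM would pull
# these from the Security log of each target host; each tuple carries the
# host the event was logged on so the sample can be a flat list.
# (timestamp, target_host, user, logon_type, source_ip)
SAMPLE_4624 = [
    ("2024-03-04T09:00:05", "WS-101", "jdoe",    2,  "-"),          # console logon, ignored
    ("2024-03-04T09:02:10", "FS-01",  "jdoe",    3,  "10.1.5.23"),
    ("2024-03-04T09:02:44", "WS-202", "jdoe",    3,  "10.1.5.23"),
    ("2024-03-04T09:03:12", "WS-203", "jdoe",    3,  "10.1.5.23"),
    ("2024-03-04T09:03:40", "DC-01",  "jdoe",    10, "10.1.5.23"),  # RDP to a domain controller
    ("2024-03-04T09:15:00", "FS-01",  "svc-bkp", 3,  "10.1.9.9"),   # backup account, one host only
    ("2024-03-04T11:00:00", "FS-01",  "svc-bkp", 3,  "10.1.9.9"),
]

LATERAL_LOGON_TYPES = {3, 10}   # network and RemoteInteractive (RDP)


def detect_logon_burst(events, window=timedelta(minutes=10), min_hosts=3,
                       allow_users=frozenset()):
    """Return one alert per user who reached >= min_hosts distinct hosts
    with network/RDP logons inside any window-long span.

    allow_users: accounts expected to fan out (vulnerability scanners,
    backup or monitoring service accounts) that should not raise here.
    """
    by_user = defaultdict(list)
    for ts, host, user, logon_type, src in events:
        if logon_type in LATERAL_LOGON_TYPES and user not in allow_users:
            by_user[user].append((datetime.fromisoformat(ts), host, src))

    alerts = []
    for user, rows in by_user.items():
        rows.sort()
        # Slide a window anchored at each logon; the first window that
        # contains enough distinct targets produces the alert.
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            hosts = {host for _, host, _ in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "hosts": sorted(hosts),
                    "sources": sorted({src for _, _, src in in_window}),
                    "start": t0.isoformat(),
                    "end": in_window[-1][0].isoformat(),
                })
                break  # one alert per user; a SIEM would suppress repeats
    return alerts


if __name__ == "__main__":
    for alert in detect_logon_burst(SAMPLE_4624):
        print(alert)
```

The window and host threshold are the two knobs to tune: help-desk staff and admins who RDP to a handful of machines an hour will fire a three-host rule, so start wide, measure the baseline per role, and move scanner and backup accounts into the allow-list rather than raising the threshold for everyone.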


Detection 2 — PsExec-Like Behavior

Match:

process=psexec.exe on the source  
OR service_name=PSEXESVC in a System log 7045 on the target  
OR a file named PSEXESVC.exe written to ADMIN$ (5145)

PsExec -r renames the service, so also alert on any 7045 whose service binary was dropped into %SystemRoot% by a network-logon session.

Detection 3 — LSASS Access → Lateral Movement

Rule:

Sysmon 10 access to lsass.exe (or 4656/4663 where a SACL exists) on host X  
followed within hours by  
4624 type 3 logons on other hosts whose Source Network Address is X
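Detection 3 worked through in code, added here as an example rather than taken from the page. It filters constructed Sysmon Event ID 10 records down to LSASS opens that could read memory (GrantedAccess includes PROCESS_VM_READ, 0x10) from a non-allow-listed image, then looks for type 3 logons on other hosts whose source address belongs to the same machine. The hostnames, IPs, the host-to-IP inventory, the Defender allow-list entry and the two-hour window are assumptions made for the example.

```python
from datetime import datetime, timedelta

LSASS = r"c:\windows\system32\lsass.exe"
PROCESS_VM_READ = 0x0010          # reading LSASS memory needs at least this right
# Accessors that legitimately read LSASS memory in this constructed environment.
ALLOWED_ACCESSORS = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon Event ID 10 (ProcessAccess) records, not real telemetry.
# (timestamp, host, source_image, target_image, granted_access)
SYSMON_10 = [
    ("2024-03-04T08:55:00", "WS-101", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     r"C:\Windows\System32\lsass.exe", 0x1000),    # QUERY_LIMITED_INFORMATION only: noise
    ("2024-03-04T08:58:30", "WS-101", r"C:\Users\jdoe\AppData\Local\Temp\pd.exe",
     r"C:\Windows\System32\lsass.exe", 0x1FFFFF),  # full access from a temp-dir binary
    ("2024-03-04T08:59:00", "WS-300", r"C:\Program Files\Windows Defender\MsMpEng.exe",
     r"C:\Windows\System32\lsass.exe", 0x1010),    # allow-listed AV engine
]

# Constructed 4624 records collected from the target hosts.
# (timestamp, target_host, user, logon_type, source_ip)
LOGONS_4624 = [
    ("2024-03-04T09:02:10", "FS-01",  "jdoe",    3, "10.1.5.23"),
    ("2024-03-04T09:03:40", "DC-01",  "jdoe",    3, "10.1.5.23"),
    ("2024-03-04T09:10:00", "WS-400", "svc-bkp", 3, "10.1.9.9"),   # unrelated source host
]

# Assumed asset inventory: the IP each host will show up with in the
# target's 4624 Source Network Address field (static for the example).
HOST_IP = {"WS-101": "10.1.5.23", "WS-300": "10.1.5.77", "BK-01": "10.1.9.9"}


def suspicious_lsass_access(sysmon10):
    """Yield (time, host, image) for LSASS handle opens that could read
    memory and do not come from an allow-listed accessor."""
    for ts, host, src, target, granted in sysmon10:
        if target.lower() != LSASS:
            continue
        if not granted & PROCESS_VM_READ:
            continue
        if src.lower() in ALLOWED_ACCESSORS:
            continue
        yield datetime.fromisoformat(ts), host, src


def detect_lsass_then_lateral(sysmon10, logons, host_ip, window=timedelta(hours=2)):
    """Detection 3: credential access on host X followed, within window,
    by network logons to other hosts whose source address is X."""
    parsed = [(datetime.fromisoformat(ts), h, u, lt, ip) for ts, h, u, lt, ip in logons]
    alerts = []
    for t_access, host, image in suspicious_lsass_access(sysmon10):
        src_ip = host_ip.get(host)
        if src_ip is None:
            continue   # no inventory entry: cannot correlate; log for triage instead
        follow_ons = sorted(
            {(target, user) for t, target, user, lt, ip in parsed
             if lt == 3 and ip == src_ip and target != host
             and timedelta(0) <= t - t_access <= window}
        )
        if follow_ons:
            alerts.append({
                "host": host,
                "accessor": image,
                "lsass_access_at": t_access.isoformat(),
                "targets": [target for target, _ in follow_ons],
                "accounts": sorted({user for _, user in follow_ons}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_lsass_then_lateral(SYSMON_10, LOGONS_4624, HOST_IP):
        print(alert)
```

The access-mask filter is what keeps this rule quiet: WmiPrvSE, svchost and most monitoring agents open LSASS with PROCESS_QUERY_LIMITED_INFORMATION (0x1000) and never ask for VM_READ, whereas Mimikatz, procdump and the comsvcs MiniDump path all need to read memory. Treat hosts missing from the inventory as a triage queue rather than silently dropping them.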

Detection 4 — Suspicious Remote Task Creation

Rule:

EventID 4698 on the target host  
AND  
its Subject Logon ID matches a 4624 with LogonType 3 on that host (the creator came in over the network)  
AND  
the task's command points outside the usual program directories (Temp, ProgramData, user profiles)
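Detection 4 as a join in code, added as an example and not part of the original page. The 4698 event carries no "remote computer" field; what it does carry is the creator's Logon ID, so the rule joins each 4698 to the 4624 on the same host with that Logon ID and alerts when that session was a network logon. The task XML in the 4698 Task Content field is parsed to recover the command. Host and account names, Logon IDs, the task names and the payload paths are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed 4624 records from host FS-01. The Logon ID is the key that
# later events on the same host carry in their Subject fields.
# (host, logon_id, user, logon_type, source_ip)
LOGONS_4624 = [
    ("FS-01", "0x3E7A1", "jdoe",  3, "10.1.5.23"),  # network logon from a workstation
    ("FS-01", "0x5A2",   "admin", 2, "-"),          # console logon at the server
]

# Constructed 4698 (task created) records. The Task Content field is the
# task's XML as the Task Scheduler stores it.
# (host, subject_logon_id, task_name, task_content_xml)
TASKS_4698 = [
    ("FS-01", "0x3E7A1", r"\Updater",
     '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
     '<Actions Context="Author"><Exec><Command>C:\\Windows\\Temp\\payload.exe</Command>'
     '<Arguments>-s</Arguments></Exec></Actions></Task>'),
    ("FS-01", "0x5A2", r"\Backup\Nightly",
     '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
     '<Actions Context="Author"><Exec><Command>C:\\Backup\\run.exe</Command></Exec></Actions></Task>'),
    ("FS-01", "0x9999", r"\Orphan",           # Logon ID with no 4624 in the retained log
     '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
     '<Actions Context="Author"><Exec><Command>C:\\Windows\\Temp\\x.exe</Command></Exec></Actions></Task>'),
]


def task_command(task_xml):
    """Extract the executable and arguments from a 4698 Task Content blob."""
    # Real events prefix the XML with an encoding declaration; drop it so
    # the string parses regardless of the declared encoding.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(task_xml)
    cmd = root.find(f".//{TASK_NS}Command")
    args = root.find(f".//{TASK_NS}Arguments")
    command = cmd.text if cmd is not None and cmd.text else ""
    if args is not None and args.text:
        command += " " + args.text
    return command


def detect_remote_task_creation(logons, tasks):
    """Detection 4: a 4698 whose Subject Logon ID belongs to a LogonType 3
    session on the same host was created by someone who came in over the
    network. Returns (alerts, unmatched); unmatched tasks have a Logon ID
    with no 4624 in scope and need manual triage rather than a silent drop."""
    sessions = {(host, lid): (user, lt, ip) for host, lid, user, lt, ip in logons}
    alerts, unmatched = [], []
    for host, lid, name, xml in tasks:
        session = sessions.get((host, lid))
        if session is None:
            unmatched.append({"host": host, "task": name, "logon_id": lid})
            continue
        user, logon_type, src_ip = session
        if logon_type == 3:
            alerts.append({
                "host": host, "task": name, "user": user,
                "source_ip": src_ip, "command": task_command(xml),
            })
    return alerts, unmatched


if __name__ == "__main__":
    found, orphans = detect_remote_task_creation(LOGONS_4624, TASKS_4698)
    for a in found:
        print("ALERT", a)
    for o in orphans:
        print("TRIAGE", o)
```

Logon IDs restart on every boot and can repeat across reboots, so in a real SIEM the join must also be bounded to the same boot (a 4624 before the last 6005/6006 pair is not the same session); the unmatched list exists because a task created by a session whose 4624 has already rolled out of retention is exactly the kind of thing an analyst should look at, not discard.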

Detection 5 — Unauthorized SMB Enumeration

Indicators:

One source host connecting to many destinations on dst_port=445 within minutes  
Many of those connections aimed at workstations, which normally serve no shares to their peers  

EDR Behavior Indicators

  • Process injection inside services.exe or svchost.exe

  • Remote thread creation

  • Process creation coming from wmiprvse.exe

  • PsExec service creation

  • Interactive PowerShell executed remotely

  • Tools dropped into temp directories on multiple hosts

These behaviors rarely have a benign explanation; treat them as an intrusion in progress until triage proves otherwise.


Lateral Movement Investigation Workflow

Step 1 — Identify initial suspicious logon

Start with:

4624 LogonType 3 or 10 on the target host; record the account, the Logon ID, and the Source Network Address / Workstation Name

Step 2 — Link authentication to correlated process activity

Check:

  • PowerShell

  • PsExec

  • WMI

  • cmd.exe

Step 3 — Trace tools used

Find:

  • psexesvc.exe

  • wmiprvse.exe

  • schtasks.exe

  • powershell remoting

Step 4 — Check target systems

Determine spread direction:

  • Which hosts were accessed?

  • What accounts were used?

Step 5 — Map behavior to MITRE ATT&CK

  • T1021 (Remote Services: .001 RDP, .002 SMB/Windows Admin Shares, .004 SSH, .006 WinRM)

  • T1047 (Windows Management Instrumentation)

  • T1053.005 (Scheduled Task)

  • T1569.002 (System Services: Service Execution; the PsExec pattern, formerly catalogued as T1035)

  • T1003.001 (OS Credential Dumping: LSASS Memory)

  • T1087 (Account Discovery)

Step 6 — Identify privilege escalation

Check for:

  • 4672 (special privileges assigned at logon)

  • 4728 / 4732 (member added to a security-enabled global / local group, e.g. Domain Admins or local Administrators)

Step 7 — Contain

  • Disable compromised accounts, reset their passwords, and revoke their active sessions

  • Isolate affected machines (EDR network containment)

  • Block SMB, RDP and WinRM from the source hosts at the network layer while the scope is confirmed
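Steps 2 through 5 of the workflow, carried out in code on constructed Sysmon Event ID 1 records from one target host; this is an added example, not code from the page. It rebuilds the process tree from ProcessGuid/ParentProcessGuid (PIDs are reused and must not be used for this join), walks each process's ancestors until it meets a host process that executes commands for a remote caller (PSEXESVC.exe, WmiPrvSE.exe, wsmprovhost.exe), and labels the result with the tool and the ATT&CK technique. The GUIDs, image paths and command lines are made up for the example; the table of remote-execution host processes is the assumption that drives the classification.

```python
# Constructed Sysmon Event ID 1 (process creation) records from one host,
# not real telemetry. Parent GUID "G0" stands for a process outside the sample.
# (process_guid, parent_guid, image, command_line)
SYSMON_1 = [
    ("G1", "G0", r"C:\Windows\System32\services.exe", "services.exe"),
    ("G2", "G1", r"C:\Windows\PSEXESVC.exe",          "PSEXESVC.exe"),
    ("G3", "G2", r"C:\Windows\System32\cmd.exe",      "cmd.exe /c powershell.exe -enc SQBFAFgA"),
    ("G4", "G3", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -enc SQBFAFgA"),
    ("G5", "G7", r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe -secured -Embedding"),
    ("G6", "G5", r"C:\Windows\System32\cmd.exe",      "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"),
    ("G7", "G1", r"C:\Windows\System32\svchost.exe",  "svchost.exe -k DcomLaunch"),
    ("G8", "G0", r"C:\Windows\explorer.exe",          "explorer.exe"),
    ("G9", "G8", r"C:\Windows\System32\notepad.exe",  "notepad.exe"),
]

# Host processes that run commands on behalf of a remote caller, with the
# tool they belong to and the ATT&CK technique their children map to.
REMOTE_EXEC_HOSTS = {
    "psexesvc.exe":    ("PsExec service",              "T1569.002"),  # Service Execution
    "wmiprvse.exe":    ("WMI provider host",           "T1047"),      # WMI
    "wsmprovhost.exe": ("WinRM / PowerShell Remoting", "T1021.006"),  # Remote Services: WinRM
}


def image_name(path):
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    return {guid: (parent, image, cmd) for guid, parent, image, cmd in events}


def ancestors(tree, guid):
    """Walk ParentProcessGuid links upward, nearest ancestor first; stop at
    parents outside the sample and guard against cycles in bad data."""
    seen, chain = set(), []
    parent = tree[guid][0]
    while parent in tree and parent not in seen:
        seen.add(parent)
        chain.append(parent)
        parent = tree[parent][0]
    return chain


def trace_remote_execution(events):
    """Return every process that descends from a remote-execution host
    process, with the rendered tree and the ATT&CK technique it maps to."""
    tree = build_tree(events)
    findings = []
    for guid, _, image, cmd in events:
        chain = ancestors(tree, guid)
        for k, anc in enumerate(chain):
            name = image_name(tree[anc][1])
            if name in REMOTE_EXEC_HOSTS:
                tool, technique = REMOTE_EXEC_HOSTS[name]
                path = list(reversed(chain[:k + 1])) + [guid]   # host process down to this one
                findings.append({
                    "process": image_name(image),
                    "command_line": cmd,
                    "tree": " > ".join(image_name(tree[g][1]) for g in path),
                    "tool": tool,
                    "technique": technique,
                })
                break   # nearest remote-execution ancestor wins
    return findings


if __name__ == "__main__":
    for f in trace_remote_execution(SYSMON_1):
        print(f"{f['technique']:10} {f['tree']:45} {f['command_line']}")
```

Scheduled tasks are deliberately absent from the table: their payload is spawned by svchost.exe (the Schedule service), which parents far too much benign activity to classify by ancestry alone, so tasks are better caught through the 4698 join than through the process tree. The -enc payload in the sample decodes to a three-letter PowerShell command and exists only to make the command line look the way it does in real cases.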


Practical Examples

Example 1 — PsExec Movement

4624 LogonType 3 → admin user  
PSEXESVC service installed (7045) and PSEXESVC.exe starts  
cmd.exe /c powershell.exe launched as its child  

Indicates remote command execution.


Example 2 — RDP Lateral Movement

4624 LogonType 10 → unusual host  
User normally doesn't perform admin work  

Indicates RDP misuse.


Example 3 — WMI-Based Movement

wmiprvse.exe  
  ↳ cmd.exe  
      ↳ powershell.exe

Classic for attackers avoiding PsExec.


Example 4 — Linux SSH Movement

Accepted password for root from internal host  
multiple hosts accessed in sequence  

Credentials compromised.
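Example 4 worked through in code, added here and not taken from the page: a parser for sshd "Accepted" lines as a central syslog collector receives them, followed by hop-chain reconstruction that links each login to the most recent earlier login onto the host its source IP belongs to. That turns "multiple hosts accessed in sequence" into an explicit path (jump host, then web, then database, then app) and counts how many hops were root password logins. The log lines, hostnames, IPs, the host-to-IP inventory, the assumed year (syslog timestamps carry none) and the 30-minute hop window are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed auth.log lines from several hosts, not real data.
AUTH_LOG = """\
Mar  4 09:10:02 jump-01 sshd[1001]: Accepted publickey for ops from 10.9.0.5 port 40010 ssh2
Mar  4 09:12:01 web-01 sshd[2210]: Accepted password for root from 10.1.5.23 port 51122 ssh2
Mar  4 09:13:45 db-01 sshd[3304]: Accepted password for root from 10.1.7.10 port 51830 ssh2
Mar  4 09:14:20 app-02 sshd[4412]: Accepted password for root from 10.1.7.40 port 52001 ssh2
Mar  4 09:30:00 web-01 sshd[2290]: Failed password for root from 10.1.5.23 port 51300 ssh2
Mar  4 10:05:00 mon-01 sshd[5100]: Accepted publickey for nagios from 10.1.9.50 port 39000 ssh2
"""

# Assumed inventory: which internal host owns which source address.
HOST_IP = {"jump-01": "10.1.5.23", "web-01": "10.1.7.10", "db-01": "10.1.7.40",
           "app-02": "10.1.7.55", "mon-01": "10.1.9.2"}
IP_HOST = {ip: host for host, ip in HOST_IP.items()}

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted(text, year=2024):
    """Return successful logins sorted by time. Syslog omits the year, so
    one is supplied (an assumption) to build a real datetime."""
    logins = []
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue   # failures and unrelated lines are not hops
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        logins.append({"time": ts, "host": m["host"], "user": m["user"],
                       "method": m["method"], "src_ip": m["ip"]})
    logins.sort(key=lambda l: l["time"])
    return logins


def reconstruct_chains(logins, ip_host, window=timedelta(minutes=30)):
    """Link each login to the most recent earlier login onto the host its
    source IP belongs to. Returns the maximal root-to-leaf chains that
    span at least two hosts."""
    parent = [None] * len(logins)
    for i, login in enumerate(logins):
        src_host = ip_host.get(login["src_ip"])
        if src_host is None:
            continue   # external or VPN address: a chain can only start here
        for j in range(i - 1, -1, -1):
            earlier = logins[j]
            if earlier["host"] == src_host and login["time"] - earlier["time"] <= window:
                parent[i] = j
                break
    has_child = {p for p in parent if p is not None}
    chains = []
    for i in range(len(logins)):
        if i in has_child or parent[i] is None:
            continue   # not a leaf, or a lone hop with no predecessor
        path, k = [], i
        while k is not None:
            path.append(logins[k])
            k = parent[k]
        path.reverse()
        chains.append({
            "hosts": [l["host"] for l in path],
            "users": [l["user"] for l in path],
            "root_password_hops": sum(1 for l in path
                                      if l["user"] == "root" and l["method"] == "password"),
        })
    return chains


if __name__ == "__main__":
    for chain in reconstruct_chains(parse_accepted(AUTH_LOG), IP_HOST):
        print(" -> ".join(f"{h} ({u})" for h, u in zip(chain["hosts"], chain["users"])),
              "| root password hops:", chain["root_password_hops"])
```

The inventory join is the weak point in practice: DHCP pools, NAT between segments and bastion hosts that many people share all break the "source IP equals previous hop" assumption, so a chain through a shared jump host should be confirmed against that host's own session records (who was logged in when) before it is treated as one actor's path.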


Intel Dump

  • Lateral movement happens after initial access and aims to reach deeper systems.

  • Indicators include remote logons, WMI activity, PsExec usage, scheduled tasks, and SSH/RDP connections.

  • Detection relies on Windows logs (4624, 4648, 4672), network telemetry, and EDR process trees.

  • Common attacker tools: PsExec, wmic, winrm, schtasks, smbexec, ssh.

  • Hunting involves identifying unusual authentication patterns, remote process creation, and SMB/RDP spikes.

  • SOC response includes isolating hosts, disabling accounts, and tracking movement paths across systems.
