Lateral Movement Analysis and Mapping
Map the full extent of attacker lateral movement across the environment. Identify all systems the attacker accessed, the credentials and techniques used, and build a comprehensive movement timeline.
Actions
1. Query for RDP lateral movement: filter for Event ID 4624 (LogonType 10) and 4778/4779 (RDP session reconnect/disconnect) across all domain controllers and target hosts during the investigation window.
2. Identify pass-the-hash/pass-the-ticket: look for 4624 LogonType 9 (NewCredentials) and 4648 (explicit credential logon). Cross-reference with EDR for suspicious LSASS access (Mimikatz, ProcDump, comsvcs.dll MiniDump).
3. Map SMB lateral movement via admin shares: `DeviceNetworkEvents | where RemotePort == 445 | where InitiatingProcessFileName in~ ("cmd.exe","powershell.exe","wmic.exe","psexec.exe","smbclient")` and correlate with service installation events (7045) on target hosts.
4. Analyze WMI-based lateral movement: check for Event ID 4648 + WmiPrvSE.exe process creation chains. Query: `DeviceProcessEvents | where InitiatingProcessFileName == "wmiprvse.exe" | where FileName in~ ("powershell.exe","cmd.exe","mshta.exe")`.
5. Build a lateral movement graph: for each hop, document source host, destination host, credential used, technique (RDP/SMB/WMI/PsExec/DCOM), timestamp, and purpose (recon, staging, data access). Use tools like BloodHound for AD path visualization.
Queries
```kql
// Query 1: accounts logging on from more than two distinct remote sources in the window.
// 4648 events carry no LogonType, so they are admitted explicitly rather than dropped by the LogonType filter.
SecurityEvent
| where TimeGenerated between (datetime(T_START) .. datetime(T_END))
| where EventID in (4624, 4648)
| where EventID == 4648 or LogonType in (3, 9, 10)
| where Account !endswith "$"
| where IpAddress != "-" and IpAddress != "::1" and IpAddress != "127.0.0.1"
| summarize LogonCount=count(), DistinctSources=dcount(IpAddress), Hosts=make_set(Computer) by Account, LogonType
| where DistinctSources > 2
| order by DistinctSources desc
```

```kql
// Query 2: remote-execution tooling and its parent/child chains.
// PSEXESVC is started by services.exe, so the service host is matched as the initiating process.
DeviceProcessEvents
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where FileName in~ ("psexec.exe","psexesvc.exe","wmic.exe","winrs.exe","mstsc.exe")
    or (InitiatingProcessFileName =~ "services.exe" and ProcessCommandLine has "psexesvc")
    or (InitiatingProcessFileName =~ "wmiprvse.exe" and FileName in~ ("powershell.exe","cmd.exe"))
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| order by Timestamp asc
```

```kql
// Query 3: network logons by the compromised account followed within five minutes by a
// service installation on the destination host (PsExec-style execution).
// 7045 is written to the System log; if only the Security log is collected, substitute 4697,
// which populates the same ServiceName/ServiceFileName columns in SecurityEvent.
let LateralHops = SecurityEvent
| where EventID == 4624 and LogonType == 3
| where Account == "COMPROMISED_ACCOUNT"
| project TimeGenerated, SourceHost=IpAddress, DestHost=Computer;
let ServiceInstalls = SecurityEvent
| where EventID == 7045
| project TimeGenerated, Computer, ServiceName, ServiceFileName;
LateralHops
| join kind=inner (ServiceInstalls) on $left.DestHost == $right.Computer
| where TimeGenerated1 between (TimeGenerated .. datetime_add("minute", 5, TimeGenerated))
| project HopTime=TimeGenerated, SourceHost, DestHost, ServiceName, ServiceFileName
```
Notes
- Attackers often use legitimate admin tools (PsExec, PowerShell Remoting, RDP) for lateral movement, making detection reliant on behavioral patterns rather than tool signatures. Focus on the sequence and timing of logons, not just the tool used.
- Run BloodHound (SharpHound collector) from a clean system against the AD to map all possible attack paths. This reveals whether the attacker followed the shortest path to domain admin or deviated.
Where to Go Next
Common Blockers
No EDR Agent on Compromised Hosts
The affected endpoints do not have an EDR agent installed or the agent was disabled prior to the incident. Without endpoint telemetry you lose process trees, command-line logging, and real-time containment capability.
No PCAP or NetFlow Data Available
There is no packet capture, NetFlow, or network metadata available for the timeframe of interest. Without network data it is difficult to confirm data exfiltration volumes, C2 channel details, or lateral movement paths.
Unknown Scope of Credential Compromise
One or more accounts are confirmed compromised, but it is unclear how many additional credentials the attacker has obtained. Resetting only known-compromised accounts may be insufficient, while a mass reset disrupts operations.
Attacker Used Timestomping, Log Clearing, or Other Anti-Forensics
Evidence of deliberate anti-forensic activity has been found: timestamps modified, event logs cleared, prefetch/shimcache wiped, or tools designed to defeat forensic analysis were executed. Standard timeline analysis may be unreliable.
Attacker Using VPN/Tor -- Cannot Determine True Origin
The threat actor is connecting through VPN services, Tor exit nodes, or residential proxy networks. Source IP addresses rotate frequently and do not reveal the actual origin, limiting geographic attribution and IP-based blocking.