Lateral Movement Analysis and Mapping
Map the full extent of attacker lateral movement across the environment. Identify all systems the attacker accessed, the credentials and techniques used, and build a comprehensive movement timeline.
Actions
1. Query for RDP lateral movement: filter for Event ID 4624 (LogonType 10) and 4778/4779 (RDP session reconnect/disconnect) across all domain controllers and target hosts during the investigation window.
2. Identify pass-the-hash/pass-the-ticket: look for 4624 LogonType 9 (NewCredentials) and 4648 (explicit credential logon). Cross-reference with EDR for suspicious LSASS access (Mimikatz, ProcDump, comsvcs.dll MiniDump).
3. Map SMB lateral movement via admin shares: `DeviceNetworkEvents | where RemotePort == 445 | where InitiatingProcessFileName in~ ("cmd.exe","powershell.exe","wmic.exe","psexec.exe","smbclient")` and correlate with service installation events (7045) on target hosts.
4. Analyze WMI-based lateral movement: check for Event ID 4648 + WmiPrvSE.exe process creation chains. Query: `DeviceProcessEvents | where InitiatingProcessFileName == "wmiprvse.exe" | where FileName in~ ("powershell.exe","cmd.exe","mshta.exe")`.
5. Build a lateral movement graph: for each hop, document source host, destination host, credential used, technique (RDP/SMB/WMI/PsExec/DCOM), timestamp, and purpose (recon, staging, data access). Use tools like BloodHound for AD path visualization.
6. Detect PsExec lateral movement by correlating three artifacts on the target: Event ID 7045 (service install of PSEXESVC), Event ID 4624 LogonType 3 from the source IP, and Prefetch for PSEXESVC.EXE. On the source host, check for Prefetch of PSEXEC.EXE and named pipe connections in Sysmon EID 18.
7. Check for DCOM-based lateral movement: look for `mmc.exe -Embedding`, `excel.exe /automation`, or `dllhost.exe` spawning child processes like cmd.exe or powershell.exe via WMI. Correlate with Sysmon EID 1 (ProcessCreate) where ParentImage is a COM server host.
8. Hunt for evidence of PowerShell Remoting (WinRM): Event ID 4624 LogonType 3 + EID 4648 with WinRM source, combined with PowerShell Operational Log EID 4104 (ScriptBlock) on the destination and WSMan provider logs on the source. Check for `Enter-PSSession` or `Invoke-Command` in ScriptBlock text.
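As an added example that is not part of the original playbook, the correlation in step 6 (and the LateralHops/ServiceInstalls join in the Queries section) carried out over constructed event records: each 4624 LogonType 3 logon for the compromised account is matched to a 7045 service install on the same host within five minutes, and the resulting hops are turned into the source-to-destination graph of step 5. The event records, account and host names are constructed, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); field names mirror SecurityEvent.
EVENTS = [
    {"t": "2024-05-01T10:00:00", "id": 4624, "logon_type": 3, "account": "CORP\\jdoe",
     "computer": "FS01", "ip": "10.0.0.5"},
    {"t": "2024-05-01T10:00:40", "id": 7045, "computer": "FS01",
     "service": "PSEXESVC", "file": "%SystemRoot%\\PSEXESVC.exe"},
    {"t": "2024-05-01T10:07:00", "id": 4624, "logon_type": 3, "account": "CORP\\jdoe",
     "computer": "DB02", "ip": "10.0.0.5"},
    # Install 23 minutes after the logon: outside the window, so it is NOT a hop.
    {"t": "2024-05-01T10:30:00", "id": 7045, "computer": "DB02",
     "service": "PSEXESVC", "file": "%SystemRoot%\\PSEXESVC.exe"},
    {"t": "2024-05-01T11:00:00", "id": 4624, "logon_type": 3, "account": "CORP\\svc-backup",
     "computer": "WEB03", "ip": "10.0.0.50"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def correlate_hops(events, account, window_min=5):
    """Return hops where a network logon (4624, LogonType 3) for `account` is
    followed on the same host by a service install (7045) within window_min."""
    logons = [e for e in events
              if e["id"] == 4624 and e["logon_type"] == 3 and e["account"] == account]
    installs = [e for e in events if e["id"] == 7045]
    hops = []
    for lg in logons:
        start = _ts(lg["t"])
        end = start + timedelta(minutes=window_min)
        for svc in installs:
            if svc["computer"] != lg["computer"]:
                continue
            if start <= _ts(svc["t"]) <= end:
                # PSEXESVC is the PsExec service name; any other name is a generic service install.
                technique = "PsExec" if svc["service"].upper() == "PSEXESVC" else "Service"
                hops.append({"time": lg["t"], "source": lg["ip"], "dest": lg["computer"],
                             "account": account, "technique": technique,
                             "service": svc["service"], "file": svc["file"]})
    hops.sort(key=lambda h: h["time"])  # hop-by-hop timeline, oldest first
    return hops

def hop_graph(hops):
    """Adjacency list (source -> [destinations]) for the lateral movement graph."""
    graph = defaultdict(list)
    for h in hops:
        graph[h["source"]].append(h["dest"])
    return dict(graph)

if __name__ == "__main__":
    hops = correlate_hops(EVENTS, "CORP\\jdoe")
    for h in hops:
        print(h)
    print(hop_graph(hops))
```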
Queries
```kusto
// Sentinel (KQL): accounts with network/NewCredentials/RDP logons from multiple sources
SecurityEvent
| where TimeGenerated between (datetime(T_START) .. datetime(T_END))
| where EventID in (4624, 4648)
| where LogonType in (3, 9, 10)
| where Account !endswith "$"
| where IpAddress != "-" and IpAddress != "::1" and IpAddress != "127.0.0.1"
| summarize LogonCount=count(), DistinctSources=dcount(IpAddress), Hosts=make_set(Computer) by Account, LogonType
| where DistinctSources > 2
| order by DistinctSources desc
```

```kusto
// Defender (KQL): lateral movement tooling and WMI-spawned shells
DeviceProcessEvents
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where FileName in~ ("psexec.exe","psexesvc.exe","wmic.exe","winrs.exe","mstsc.exe")
    or (FileName == "services.exe" and ProcessCommandLine has "psexesvc")
    or (InitiatingProcessFileName == "wmiprvse.exe" and FileName in~ ("powershell.exe","cmd.exe"))
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| order by Timestamp asc
```

```kusto
// Sentinel (KQL): network logons of the compromised account followed within 5 minutes
// by a service install on the destination host (PsExec-style hop).
// Note: 7045 is written to the System log; if only the Security log is collected,
// 4697 is the Security-log equivalent of a service install.
let LateralHops = SecurityEvent
| where EventID == 4624 and LogonType == 3
| where Account == "COMPROMISED_ACCOUNT"
| project TimeGenerated, SourceHost=IpAddress, DestHost=Computer;
let ServiceInstalls = SecurityEvent
| where EventID == 7045
| project TimeGenerated, Computer, ServiceName, ServiceFileName;
LateralHops
| join kind=inner (ServiceInstalls) on $left.DestHost == $right.Computer
| where TimeGenerated1 between (TimeGenerated .. datetime_add("minute", 5, TimeGenerated))
| project HopTime=TimeGenerated, SourceHost, DestHost, ServiceName, ServiceFileName
```

```spl
index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 Logon_Type IN (3,9,10)
    Account_Name!="*$" src_ip!="::1" src_ip!="-" src_ip!="127.0.0.1"
    earliest=T_START latest=T_END
| stats count dc(src_ip) as distinct_sources values(ComputerName) as hosts by Account_Name, Logon_Type
| search distinct_sources>2
| sort -distinct_sources
```

```spl
index=sysmon EventCode=1
    (Image="*\\psexec.exe" OR Image="*\\psexesvc.exe" OR Image="*\\wmic.exe" OR Image="*\\winrs.exe" OR Image="*\\mstsc.exe")
    OR (ParentImage="*\\wmiprvse.exe" (Image="*\\powershell.exe" OR Image="*\\cmd.exe"))
    earliest=T_START latest=T_END
| stats count by Computer, Image, CommandLine, User, ParentImage
| sort -count
```
Notes
Attackers often use legitimate admin tools (PsExec, PowerShell Remoting, RDP) for lateral movement, making detection reliant on behavioral patterns rather than tool signatures. Focus on the sequence and timing of logons, not just the tool used.
Run BloodHound (SharpHound collector) from a clean system against the AD to map all possible attack paths. This reveals whether the attacker followed the shortest path to domain admin or deviated.
Key Event IDs for lateral movement: 4624 (Logon with LogonType 3=Network, 10=RDP), 4648 (Explicit Credentials), 4778/4779 (RDP Session Reconnect/Disconnect), 7045 (Service Install), 5140/5145 (Network Share Access), Sysmon EID 3 (Network Connection). Correlate source and destination timestamps to reconstruct hop-by-hop movement.