Lateral Movement Investigation Runbook

SOC & DFIR Operations Guide

Environment: Windows AD | Microsoft 365 | Defender XDR | Sentinel | Entra ID | Palo Alto Prisma Access

---

Overview & Scope

This runbook provides standardised procedures for investigating lateral movement attacks across the hybrid enterprise environment. Lateral movement is a critical phase in the attack lifecycle where adversaries move through a network in search of key assets and data. Detecting and disrupting lateral movement is essential to preventing major breaches.

Lateral Movement Definition

Lateral movement refers to techniques adversaries use to enter and control remote systems on a network after gaining initial access.

The primary goals are:

• Access additional systems to find valuable targets

• Maintain persistence across multiple systems

• Escalate privileges by compromising higher-value accounts

• Position for data exfiltration or objective execution

• Evade detection by blending with normal network traffic

Lateral Movement Categories

By Authentication Method

Category	Description	Risk Level
Credential-Based	Using stolen credentials to authenticate	High
Token-Based	Reusing authentication tokens/tickets	High
Session-Based	Hijacking existing sessions	High
Key-Based	Using stolen SSH keys or certificates	High
Trust-Based	Exploiting trust relationships	Critical

By Protocol/Technique

Technique	Protocol/Method	Common Tools
Remote Desktop	RDP (3389)	mstsc, SharpRDP
Windows Admin Shares	SMB (445)	PsExec, net use
Windows Remote Management	WinRM (5985/5986)	PowerShell Remoting, Evil-WinRM
WMI Execution	DCOM/WMI (135+)	wmic, Invoke-WmiMethod
SSH	SSH (22)	OpenSSH, PuTTY
Remote Services	Various	RPC, DCOM, MMC
Pass-the-Hash	NTLM	Mimikatz, Impacket
Pass-the-Ticket	Kerberos	Mimikatz, Rubeus
Overpass-the-Hash	Kerberos	Mimikatz, Rubeus
Pass-the-Certificate	Kerberos PKINIT	Certify, Rubeus
Distributed Component Object Model	DCOM	Various
Remote Registry	SMB	reg.exe
Scheduled Tasks	RPC/SMB	schtasks, at
Service Execution	RPC/SMB	sc.exe, PsExec

Common Lateral Movement Attack Chains

Chain 1: Credential Theft → Pass-the-Hash → SMB Lateral Movement

Initial Access → Credential Dumping (Mimikatz) → NTLM Hash Extracted →
Pass-the-Hash → SMB Connection to Target → PsExec/Service Execution →
SYSTEM Shell on Target

Chain 2: Kerberoasting → Service Account Compromise → Lateral Movement

Initial Access → Kerberoasting → Service Account Password Cracked →
Authenticate as Service Account → Access Service Account Resources →
Pivot to Additional Systems

Chain 3: RDP Hijacking → Session Takeover

Initial Access → Privilege Escalation → Identify Disconnected RDP Sessions →
RDP Session Hijacking → Access as Hijacked User → Access User's Resources

Chain 4: WinRM PowerShell Remoting

Initial Access → Credential Access → Enable-PSRemoting →
Enter-PSSession to Remote Host → Execute Commands →
Establish Persistence → Move to Next Target

---

Detection Sources & Data Mapping

Log Sources Matrix

Platform	Log Table	Lateral Movement Data
Defender for Endpoint	DeviceLogonEvents	All logon types, source/dest IPs
Defender for Endpoint	DeviceNetworkEvents	SMB, RDP, WinRM connections
Defender for Endpoint	DeviceProcessEvents	PsExec, WMIC, remote execution
Defender for Endpoint	DeviceEvents	Named pipes, remote service creation
Defender for Identity	IdentityLogonEvents	Authentication anomalies
Defender for Identity	IdentityDirectoryEvents	Pass-the-Hash, Pass-the-Ticket
On-Prem AD	SecurityEvent	4624, 4648, 4768, 4769, 4776
Sentinel	Syslog	Linux SSH, authentication
Prisma Access	PaloAltoPrismaAccess	East-west traffic, segmentation violations
Azure/Entra	SigninLogs	Cloud resource access

Critical Windows Event IDs

Network Logon Events

Event ID	Description	Lateral Movement Relevance
4624 (Type 3)	Network logon	Primary lateral movement indicator
4624 (Type 10)	Remote Interactive (RDP)	RDP-based lateral movement
4624 (Type 7)	Unlock	Session resume
4648	Explicit credential logon	RunAs, credential reuse
4625	Failed logon	Lateral movement attempts
4647	User initiated logoff	Session end tracking

Kerberos Events

Event ID	Description	Lateral Movement Relevance
4768	TGT requested	Initial authentication
4769	TGS requested	Service access, Kerberoasting
4770	TGT renewed	Extended session
4771	Kerberos pre-auth failed	Failed lateral movement

NTLM Events

Event ID	Description	Lateral Movement Relevance
4776	NTLM authentication	Pass-the-Hash detection
8004	NTLM authentication (DC)	NTLM relay, PTH

Process & Service Events

Event ID	Description	Lateral Movement Relevance
4688	Process creation	Remote command execution
4697	Service installed	PsExec, remote service
4698	Scheduled task created	Remote task execution
5140	Network share accessed	SMB lateral movement
5145	Share object access checked	Admin share access

Remote Access Events

Event ID	Description	Lateral Movement Relevance
1149	RDP authentication succeeded	RDP lateral movement
21	RDP session logon	RDP session start
24	RDP session disconnect	Session tracking
25	RDP session reconnect	Session hijacking
4778	Session reconnected	Session hijacking
4779	Session disconnected	Session tracking

Logon Type Reference

Logon Type	Name	Description	Lateral Movement Risk
2	Interactive	Local console logon	Low (requires physical)
3	Network	SMB, WinRM, remote access	High
4	Batch	Scheduled task execution	Medium
5	Service	Service account logon	Medium
7	Unlock	Workstation unlock	Low
8	NetworkCleartext	IIS Basic Auth	Medium
9	NewCredentials	RunAs /netonly	High
10	RemoteInteractive	RDP	High
11	CachedInteractive	Cached credentials	Medium

---

Investigation Workflows

General Lateral Movement Investigation

Objective: Identify, scope, and contain lateral movement activity across the environment.

Step 1: Initial Alert Triage

1. Review alert source and detection logic

2. Identify source and destination systems

3. Determine account(s) involved

4. Check timestamp and establish baseline timeline

5. Assess if source system was already compromised

Step 2: Authentication Pattern Analysis

1. Query all logon events for the account (7-30 days)

2. Establish normal access patterns (systems, times, methods)

3. Identify anomalous destination systems

4. Check for unusual logon types

5. Look for authentication method changes (Kerberos vs. NTLM)

Step 3: Source System Investigation

1. Determine how attacker gained access to source

2. Check for credential theft indicators

3. Review process execution history

4. Identify lateral movement tools/techniques used

5. Check for persistence mechanisms

Step 4: Destination System Investigation

1. Document all activity on destination system

2. Check for secondary lateral movement (pivot)

3. Review data access and exfiltration indicators

4. Identify any persistence established

5. Check for privilege escalation attempts

Step 5: Scope Determination

1. Query for same account across all systems

2. Search for same source IP across all authentications

3. Look for similar techniques from other accounts

4. Map all compromised systems

5. Identify potential data exposure

Step 6: Timeline Construction

1. Create chronological timeline of all events

2. Map initial access → lateral movement chain

3. Document each hop with timestamps

4. Identify dwell time per system

5. Correlate with known threat actor TTPs

---

RDP Lateral Movement Investigation

Objective: Investigate Remote Desktop-based lateral movement.

Detection Indicators

• Logon Type 10 from unusual sources

• RDP connections during non-business hours

• RDP from servers to workstations (unusual direction)

• RDP session hijacking (tscon.exe usage)

• Multiple failed RDP attempts followed by success

• RDP connections from recently compromised systems

Investigation Steps

1. Identify RDP Sessions

   • Query DeviceLogonEvents for LogonType "RemoteInteractive"

   • Review Event ID 1149, 21, 24, 25 on target

   • Check TerminalServices-LocalSessionManager logs

2. Analyse Source System

   • Verify source system is authorised for RDP

   • Check if source system shows compromise indicators

   • Review outbound RDP connections from source

   • Check for RDP-related tools (mstsc spawning from unusual parents)

3. Session Hijacking Detection

   • Search for tscon.exe execution

   • Check for query session / quser commands

   • Look for session ID manipulation

   • Review SYSTEM-level RDP access

4. Map RDP Chain

   • Track all RDP hops from initial system

   • Document credentials used at each hop

   • Identify final destination/objective

   • Check for data accessed via RDP sessions

---

SMB/Admin Share Lateral Movement Investigation

Objective: Investigate lateral movement via Windows Admin Shares and SMB.

Detection Indicators

• Access to C$, ADMIN$, IPC$ shares from non-admin workstations

• SMB connections to unusual systems

• PsExec service installation (PSEXESVC)

• High volume of SMB connections from single source

• SMB authentication failures followed by success

• Use of explicit credentials for SMB access

Investigation Steps

1. Identify SMB Activity

   • Query Event ID 5140, 5145 for share access

   • Review DeviceNetworkEvents for port 445 connections

   • Check for admin share ($) access patterns

   • Identify source IPs and accounts

2. PsExec/Remote Service Detection

   • Search for PSEXESVC service creation

   • Look for services with unusual names

   • Check for service binary paths to ADMIN$

   • Review service account usage

3. File Transfer Analysis

   • Check for executable files copied to shares

   • Review files dropped in ADMIN$, C$

   • Look for staging directories

   • Identify malicious payloads transferred

4. Credential Analysis

   • Determine if PTH was used (NTLM only)

   • Check for explicit credential usage (4648)

   • Review account privilege level

   • Identify source of compromised credentials

---

WinRM/PowerShell Remoting Investigation

Objective: Investigate lateral movement via Windows Remote Management.

Detection Indicators

• WinRM connections (port 5985/5986) from unusual sources

• PowerShell remoting from non-admin systems

• Enter-PSSession / Invoke-Command usage

• WinRM service enabled on unusual systems

• Encoded PowerShell commands in remote sessions

• Evil-WinRM or similar tool signatures

Investigation Steps

1. Identify WinRM Sessions

   • Query DeviceNetworkEvents for ports 5985/5986

   • Review Windows Remote Management operational logs

   • Check for WSMan connections

   • Identify source and destination pairs

2. PowerShell Analysis

   • Review PowerShell script block logging

   • Check for encoded commands in remote sessions

   • Analyse Invoke-Command patterns

   • Look for New-PSSession creations

3. Credential Usage

   • Check if CredSSP was used (credential delegation)

   • Review explicit credential specifications

   • Look for Enter-PSSession with -Credential

   • Check for PSCredential object creation

4. Command Execution

   • Review commands executed via remoting

   • Check for reconnaissance commands

   • Look for credential access commands

   • Identify persistence establishment

---

WMI Lateral Movement Investigation

Objective: Investigate lateral movement via Windows Management Instrumentation.

Detection Indicators

• WMIC process creation events

• WMI remote connections (DCOM)

• WmiPrvSE.exe spawning unusual processes

• Process creation via Win32_Process

• WMI subscriptions created remotely

• Event ID 5857, 5858, 5859, 5861 (WMI Activity)

Investigation Steps

1. Identify WMI Activity

   • Query for WMIC.exe process execution

   • Review WmiPrvSE.exe child processes

   • Check WMI-Activity operational logs

   • Look for Win32_Process Create method calls

2. Remote WMI Detection

   • Check for /node: parameter in WMIC

   • Review DCOM connections (port 135+)

   • Look for WMI authentication events

   • Identify source systems for remote WMI

3. Command Execution Analysis

   • Review process command lines

   • Check for encoded commands

   • Look for script downloads/execution

   • Identify persistence attempts

---

Pass-the-Hash/Ticket Investigation

Objective: Investigate credential reuse attacks for lateral movement.

Pass-the-Hash Indicators

• NTLM authentication where Kerberos expected

• Network logons without corresponding interactive logon

• Event 4776 success without 4624 Type 2

• NTLM from systems with Kerberos capability

• Multiple hosts accessed with same NTLM hash

• Impacket/Mimikatz tool indicators

Pass-the-Ticket Indicators

• Kerberos tickets used from unexpected hosts

• TGS without corresponding TGT request

• Ticket encryption anomalies

• Forwardable tickets from non-domain systems

• Service access without prior TGT

Investigation Steps

1. Identify Authentication Anomalies

   • Correlate NTLM vs Kerberos usage

   • Check for missing authentication chain events

   • Review MDI alerts for PTH/PTT

   • Analyse authentication source vs. account home

2. Timeline Reconstruction

   • Map all authentications for affected account

   • Identify patient zero for credential theft

   • Track all systems accessed post-compromise

   • Correlate with credential dumping activity

3. Ticket Analysis (PTT)

   • Review Kerberos ticket properties

   • Check for anomalous encryption types

   • Look for ticket lifetime anomalies

   • Identify service tickets without TGT

---

KQL Query Cheat Sheet

Network Logon Analysis

All Network Logons (Type 3)

DeviceLogonEvents
| where Timestamp > ago(24h)
| where LogonType == "Network"
| where ActionType == "LogonSuccess"
| summarize 
    LogonCount = count(),
    UniqueTargets = dcount(DeviceName),
    Targets = make_set(DeviceName, 20),
    UniqueAccounts = dcount(AccountName)
    by RemoteIP, bin(Timestamp, 1h)
| where UniqueTargets > 5
| sort by UniqueTargets desc

Unusual Network Logon Sources

let baseline = DeviceLogonEvents
| where Timestamp between (ago(30d) .. ago(1d))
| where LogonType == "Network"
| summarize by AccountName, RemoteIP;
DeviceLogonEvents
| where Timestamp > ago(1d)
| where LogonType == "Network"
| where ActionType == "LogonSuccess"
| join kind=leftanti baseline on AccountName, RemoteIP
| summarize 
    FirstSeen = min(Timestamp),
    LogonCount = count(),
    TargetDevices = make_set(DeviceName, 10)
    by AccountName, RemoteIP
| sort by LogonCount desc

Lateral Movement Velocity Detection

DeviceLogonEvents
| where Timestamp > ago(24h)
| where LogonType in ("Network", "RemoteInteractive")
| where ActionType == "LogonSuccess"
| summarize 
    TargetCount = dcount(DeviceName),
    Targets = make_set(DeviceName, 50),
    MinTime = min(Timestamp),
    MaxTime = max(Timestamp)
    by AccountName, bin(Timestamp, 1h)
| extend VelocityPerHour = TargetCount
| where VelocityPerHour > 5
| sort by VelocityPerHour desc

---

RDP Lateral Movement

RDP Connections Analysis

DeviceLogonEvents
| where Timestamp > ago(24h)
| where LogonType == "RemoteInteractive"
| where ActionType == "LogonSuccess"
| summarize 
    RDPCount = count(),
    UniqueTargets = dcount(DeviceName),
    Targets = make_set(DeviceName, 10)
    by AccountName, RemoteIP
| sort by UniqueTargets desc

RDP from Server to Workstation (Unusual Direction)

let servers = DeviceInfo 
| where DeviceType == "Server" 
| summarize by DeviceName;
let workstations = DeviceInfo 
| where DeviceType == "Workstation" 
| summarize by DeviceName;
DeviceLogonEvents
| where Timestamp > ago(7d)
| where LogonType == "RemoteInteractive"
| where ActionType == "LogonSuccess"
| join kind=inner servers on $left.RemoteDeviceName == $right.DeviceName
| join kind=inner workstations on $left.DeviceName == $right.DeviceName
| project Timestamp, AccountName, SourceServer = RemoteDeviceName, TargetWorkstation = DeviceName
| sort by Timestamp desc

RDP Session Hijacking Detection

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "tscon.exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName
| sort by Timestamp desc

RDP Brute Force Followed by Success

let rdpFailures = DeviceLogonEvents
| where Timestamp > ago(24h)
| where LogonType == "RemoteInteractive"
| where ActionType == "LogonFailed"
| summarize FailCount = count() by RemoteIP, TargetDevice = DeviceName, bin(Timestamp, 1h);
let rdpSuccess = DeviceLogonEvents
| where Timestamp > ago(24h)
| where LogonType == "RemoteInteractive"
| where ActionType == "LogonSuccess"
| project SuccessTime = Timestamp, RemoteIP, TargetDevice = DeviceName, AccountName;
rdpFailures
| join kind=inner rdpSuccess on RemoteIP, TargetDevice
| where FailCount > 5
| project RemoteIP, TargetDevice, FailCount, SuccessTime, AccountName
| sort by FailCount desc

---

SMB/Admin Share Activity

Admin Share Access Detection

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| where RemoteUrl has_any ("C$", "ADMIN$", "IPC$")
| summarize 
    ConnectionCount = count(),
    UniqueTargets = dcount(RemoteIP),
    Targets = make_set(RemoteIP, 10)
    by DeviceName, InitiatingProcessFileName, RemoteUrl
| sort by UniqueTargets desc

PsExec Service Detection

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "ServiceInstalled"
| extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName)
| extend ServicePath = tostring(parse_json(AdditionalFields).ServiceStartType)
| where ServiceName matches regex @"(?i)(psexe|paexe|csexe|smbexec|remcom)"
    or ServiceName matches regex @"^[a-zA-Z]{8}$"  // Random 8-char service names
| project Timestamp, DeviceName, ServiceName, InitiatingProcessFileName, InitiatingProcessAccountName

SMB Lateral Movement Pattern

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| summarize 
    SMBConnections = count(),
    UniqueTargets = dcount(RemoteIP),
    Targets = make_set(RemoteIP, 50)
    by DeviceName, bin(Timestamp, 15m)
| where UniqueTargets > 10
| sort by UniqueTargets desc

File Copy to Admin Shares

DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath matches regex @"\\\\[^\\]+\\(C\$|ADMIN\$)"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| sort by Timestamp desc

---

WinRM/PowerShell Remoting

WinRM Connections

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (5985, 5986)
| where ActionType == "ConnectionSuccess"
| summarize 
    Connections = count(),
    UniqueTargets = dcount(RemoteIP),
    Targets = make_set(RemoteIP, 20)
    by DeviceName, InitiatingProcessFileName
| where UniqueTargets > 3
| sort by UniqueTargets desc

PowerShell Remoting Commands

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine has_any (
    "Enter-PSSession",
    "Invoke-Command",
    "New-PSSession",
    "-ComputerName",
    "Enable-PSRemoting",
    "-Session")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| sort by Timestamp desc

Remote PowerShell Session Creation

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "PowerShellCommand"
| where AdditionalFields has_any ("New-PSSession", "Enter-PSSession", "Invoke-Command")
| extend Command = tostring(parse_json(AdditionalFields).Command)
| project Timestamp, DeviceName, AccountName, Command

---

WMI Lateral Movement

Remote WMI Execution

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has "/node:"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| sort by Timestamp desc

WMI Process Creation

DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName !in~ ("wmiprvse.exe", "wbem", "mofcomp.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| sort by Timestamp desc

DCOM Lateral Movement

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 135 or RemotePort between (49152 .. 65535)
| where InitiatingProcessFileName in~ ("mmc.exe", "excel.exe", "outlook.exe", "powershell.exe")
| summarize 
    Connections = count(),
    UniqueTargets = dcount(RemoteIP)
    by DeviceName, InitiatingProcessFileName, RemotePort
| where UniqueTargets > 3

---

Pass-the-Hash / Pass-the-Ticket

NTLM Authentication Anomalies

// NTLM where Kerberos expected
IdentityLogonEvents
| where Timestamp > ago(24h)
| where Protocol == "NTLM"
| where LogonType == "Network"
| where TargetDeviceName !has "exchange" and TargetDeviceName !has "sql"  // Exclude known NTLM users
| summarize 
    NTLMCount = count(),
    UniqueTargets = dcount(TargetDeviceName),
    Targets = make_set(TargetDeviceName, 20)
    by AccountUpn, DeviceName
| where UniqueTargets > 3
| sort by UniqueTargets desc

Pass-the-Hash Detection (MDI)

IdentityLogonEvents
| where Timestamp > ago(7d)
| where Application == "Active Directory"
| where Protocol == "NTLM"
| where LogonType == "Network"
| join kind=leftanti (
    IdentityLogonEvents
    | where Timestamp > ago(7d)
    | where LogonType == "Interactive"
    | project AccountUpn, InteractiveDevice = DeviceName, InteractiveTime = Timestamp
) on AccountUpn
| summarize 
    PotentialPTH = count(),
    Targets = make_set(TargetDeviceName, 20),
    SourceDevices = make_set(DeviceName, 10)
    by AccountUpn
| where PotentialPTH > 5

Kerberos Ticket Anomalies

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4769
| where TicketEncryptionType in ("0x17", "0x18")  // RC4 or AES
| summarize 
    TicketRequests = count(),
    UniqueServices = dcount(ServiceName),
    EncryptionTypes = make_set(TicketEncryptionType)
    by TargetUserName, IpAddress
| where TicketRequests > 20 or UniqueServices > 10

---

Scheduled Task & Service Lateral Movement

Remote Scheduled Task Creation

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create" and ProcessCommandLine has_any ("/s ", "/S ")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| sort by Timestamp desc

Remote Service Creation

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sc.exe"
| where ProcessCommandLine has_any ("create", "config", "start") 
    and ProcessCommandLine matches regex @"\\\\[^\\]+\\"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| sort by Timestamp desc

---

Cross-Platform Queries

Unified Lateral Movement Detection

let networkLogons = DeviceLogonEvents
| where Timestamp > ago(24h)
| where LogonType in ("Network", "RemoteInteractive")
| where ActionType == "LogonSuccess"
| project Timestamp, AccountName, SourceDevice = RemoteDeviceName, TargetDevice = DeviceName, Method = "Logon";
let smbConnections = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| project Timestamp, AccountName = InitiatingProcessAccountName, SourceDevice = DeviceName, TargetDevice = RemoteIP, Method = "SMB";
let winrmConnections = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (5985, 5986)
| where ActionType == "ConnectionSuccess"
| project Timestamp, AccountName = InitiatingProcessAccountName, SourceDevice = DeviceName, TargetDevice = RemoteIP, Method = "WinRM";
union networkLogons, smbConnections, winrmConnections
| summarize 
    Connections = count(),
    Methods = make_set(Method),
    UniqueTargets = dcount(TargetDevice),
    Targets = make_set(TargetDevice, 20)
    by AccountName, SourceDevice, bin(Timestamp, 1h)
| where UniqueTargets > 5
| sort by UniqueTargets desc

Lateral Movement Chain Reconstruction

let timeframe = 24h;
let seedDevice = "COMPROMISED-WKS01";  // Starting point
DeviceLogonEvents
| where Timestamp > ago(timeframe)
| where LogonType in ("Network", "RemoteInteractive")
| where ActionType == "LogonSuccess"
| where RemoteDeviceName == seedDevice or DeviceName == seedDevice
| project Timestamp, AccountName, Source = RemoteDeviceName, Target = DeviceName, LogonType
| sort by Timestamp asc

---

Prisma Access Network Detection

East-West Traffic Anomalies

PaloAltoPrismaAccess
| where TimeGenerated > ago(24h)
| where DestinationZone != "internet" and SourceZone != "internet"
| where Action == "allow"
| summarize 
    Connections = count(),
    BytesTotal = sum(BytesTotal),
    UniqueDestinations = dcount(DestinationIP)
    by SourceIP, SourceUser
| where UniqueDestinations > 20
| sort by UniqueDestinations desc

Unusual Internal RDP Traffic

PaloAltoPrismaAccess
| where TimeGenerated > ago(24h)
| where DestinationPort == 3389
| where Action == "allow"
| summarize 
    RDPConnections = count(),
    UniqueDestinations = dcount(DestinationIP),
    Destinations = make_set(DestinationIP, 20)
    by SourceIP, SourceUser
| where UniqueDestinations > 5
| sort by UniqueDestinations desc

---

Response Actions & Remediation

Immediate Containment Actions

Scenario	Action	Method
Active Lateral Movement	Isolate source and destination systems	MDE Device Isolation
Compromised Account	Disable account, revoke sessions	AD + Entra ID
Credential Theft Confirmed	Reset all potentially compromised credentials	AD + Entra ID
RDP-based Movement	Block RDP at network level	Prisma Access / Firewall
SMB-based Movement	Block SMB between segments	Prisma Access / Firewall
PTH/PTT Detected	Reset affected account passwords	AD
Multiple Systems Compromised	Network segment isolation	Firewall / VLAN changes

Containment Commands

MDE Device Isolation

# Via Microsoft Graph API
$deviceId = "device-id-here"
$isolationType = "Full"  # or "Selective"

$body = @{
    Comment = "Lateral movement investigation - IR ticket #12345"
    IsolationType = $isolationType
} | ConvertTo-Json

Invoke-MgGraphRequest -Method POST `
    -Uri "https://api.securitycenter.microsoft.com/api/machines/$deviceId/isolate" `
    -Body $body

Block Lateral Movement at Network Level

# Prisma Access - Create emergency security rule
Rule Name: EMERGENCY-Block-Lateral-Movement
Source Zone: trust
Destination Zone: trust  
Source Address: [compromised-subnet]
Destination Address: any
Application: any
Service: application-default
Action: Deny
Log: Yes

Disable Compromised Account

# On-premises AD
Disable-ADAccount -Identity "compromised_user"

# Entra ID
Update-MgUser -UserId "user@domain.com" -AccountEnabled:$false

# Revoke all sessions
Revoke-MgUserSignInSession -UserId "user@domain.com"

Post-Incident Remediation

For Each Compromised System

1. Evidence Collection

   • Memory dump if possible

   • Event logs export

   • File system timeline

   • Network connection logs

2. Malware/Tool Removal

   • Remove attacker tools

   • Delete persistence mechanisms

   • Clear credential caches

   • Remove unauthorised accounts

3. Credential Reset

   • Reset local admin passwords

   • Reset cached domain credentials

   • Consider LAPS redeployment

4. System Hardening

   • Apply missing patches

   • Enable advanced audit logging

   • Implement host firewall rules

   • Deploy/verify EDR agent

Network-Level Hardening

Action	Description	Implementation
Segment Networks	Limit lateral movement paths	VLAN / Firewall rules
Restrict Admin Shares	Disable C$, ADMIN$ where not needed	GPO / Registry
Limit RDP Access	Restrict RDP to jump servers	Firewall / NLA
Disable WinRM	Disable where not required	GPO
Implement LAPS	Randomize local admin passwords	LAPS deployment
Deploy PAWs	Privileged Access Workstations	Tiered admin model
Block NTLM	Enforce Kerberos authentication	GPO / Network policies

---

Quick Reference Cards

Lateral Movement Tool Signatures

Tool	Process Indicators	Network Indicators
PsExec	PSEXESVC service, psexec.exe	SMB (445) to ADMIN$
Impacket	Random service names, atexec.py	SMB (445), WMI (135)
CrackMapExec	Multiple SMB connections	SMB (445) spray pattern
Evil-WinRM	winrm connections, ruby signatures	WinRM (5985/5986)
Mimikatz	sekurlsa, lsadump commands	PTH/PTT artifacts
Cobalt Strike	Named pipes, beacons	HTTP/HTTPS beaconing
WMIExec	wmiprvse.exe children	DCOM (135+)
SharpRDP	mstsc activity, unusual parents	RDP (3389)
Rubeus	Kerberos ticket manipulation	4768, 4769 anomalies

Lateral Movement Detection Checklist

Check	Data Source	Query Focus
Network logons to multiple systems	DeviceLogonEvents	Type 3, unique targets
RDP connections from servers	DeviceLogonEvents	Type 10, server sources
Admin share access	DeviceNetworkEvents	Port 445, C$, ADMIN$
Service installation	DeviceEvents	ServiceInstalled
Scheduled task creation	DeviceEvents	ScheduledTaskCreated
WinRM connections	DeviceNetworkEvents	Port 5985/5986
WMI remote execution	DeviceProcessEvents	wmic /node
NTLM without Kerberos	IdentityLogonEvents	Protocol analysis
Pass-the-Hash	MDI alerts	PTH detection
Pass-the-Ticket	MDI alerts	PTT detection

Common Lateral Movement Ports

Port	Protocol	Usage	Risk
22	SSH	Linux remote access	High
135	RPC/DCOM	WMI, DCOM	High
139	NetBIOS	Legacy file sharing	Medium
445	SMB	File sharing, PsExec	Critical
3389	RDP	Remote Desktop	High
5985	WinRM HTTP	PowerShell Remoting	High
5986	WinRM HTTPS	Secure PS Remoting	High
49152-65535	Dynamic RPC	DCOM, WMI callbacks	High

---

Escalation Matrix

Severity Classification

Severity	Criteria	Response Time
🔴 Critical	Domain controller accessed, mass lateral movement (>10 systems), privileged account compromise	Immediate - 15 min
🟠 High	Multiple systems compromised (3-10), active C2 with lateral movement, data server access	30 min - 1 hour
🟡 Medium	Single system pivot, limited lateral movement, contained to workstation tier	4 hours
🟢 Low	Failed lateral movement attempts, reconnaissance only	Next business day

Escalation Triggers

Condition	Escalation Level
Domain Controller lateral movement	DFIR + Identity Team + CISO
>5 systems confirmed compromised	DFIR Team + SOC Manager
Pass-the-Hash/Ticket confirmed	Tier 2 SOC + Identity Team
Database/file server accessed	Tier 2 SOC + Data Owner
Active command and control	DFIR + Network Team
Lateral movement chain >3 hops	Tier 2 SOC
Unknown tools/techniques	DFIR for analysis

Communication Flow

Detection → Tier 1 Triage → Severity Assessment →
├── Low/Medium → Tier 1 Investigation → Document & Monitor
├── High → Tier 2 + Containment → DFIR if needed
└── Critical → Immediate DFIR → Leadership Notification → IR Activation

---

MITRE ATT&CK Mapping

Lateral Movement (TA0008)

Technique	ID	Description	Detection
Remote Services: RDP	T1021.001	Remote Desktop Protocol	DeviceLogonEvents (Type 10)
Remote Services: SMB/Admin Shares	T1021.002	Windows Admin Shares	Event 5140, 5145
Remote Services: DCOM	T1021.003	Distributed COM	DeviceNetworkEvents (135)
Remote Services: SSH	T1021.004	Secure Shell	Syslog, network logs
Remote Services: WinRM	T1021.006	Windows Remote Management	DeviceNetworkEvents (5985/5986)
Remote Service Session Hijacking: RDP	T1563.002	RDP Session Hijacking	tscon.exe, Event 4778
Use Alternate Authentication Material: PTH	T1550.002	Pass the Hash	Event 4776, MDI
Use Alternate Authentication Material: PTT	T1550.003	Pass the Ticket	Event 4768/4769, MDI
Exploitation of Remote Services	T1210	Exploit vulnerabilities	MDE alerts
Internal Spearphishing	T1534	Phish internal users	EmailEvents
Lateral Tool Transfer	T1570	Copy tools between systems	DeviceFileEvents
Software Deployment Tools	T1072	Abuse deployment tools	Varies by tool
Taint Shared Content	T1080	Modify shared resources	DeviceFileEvents

Related Techniques

Tactic	Technique	ID	Relevance
Discovery	Network Share Discovery	T1135	Pre-lateral movement recon
Discovery	Remote System Discovery	T1018	Target identification
Credential Access	OS Credential Dumping	T1003	Enables credential-based movement
Execution	Windows Management Instrumentation	T1047	WMI lateral execution
Execution	Scheduled Task/Job	T1053	Remote task execution
Execution	Service Execution	T1569	PsExec-style execution

---

Appendix: Investigation Commands

Network Connection Analysis

# Get active network connections with process info
Get-NetTCPConnection -State Established | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        LocalAddress = $_.LocalAddress
        LocalPort = $_.LocalPort
        RemoteAddress = $_.RemoteAddress
        RemotePort = $_.RemotePort
        ProcessName = $proc.Name
        ProcessPath = $proc.Path
        ProcessId = $_.OwningProcess
    }
} | Where-Object {$_.RemotePort -in @(445, 3389, 5985, 5986, 135, 22)}

# Check for RDP connections
qwinsta /server:localhost

# List established SMB sessions
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens

# Check WinRM connectivity
Test-WSMan -ComputerName targetserver -ErrorAction SilentlyContinue

Authentication Event Analysis

# Get recent network logons
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4624
} -MaxEvents 100 | Where-Object {
    $_.Properties[8].Value -eq 3  # Logon Type 3 (Network)
} | ForEach-Object {
    [PSCustomObject]@{
        Time = $_.TimeCreated
        User = $_.Properties[5].Value
        Domain = $_.Properties[6].Value
        SourceIP = $_.Properties[18].Value
        LogonType = $_.Properties[8].Value
    }
}

# Get explicit credential usage (4648)
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4648
} -MaxEvents 50 | ForEach-Object {
    [PSCustomObject]@{
        Time = $_.TimeCreated
        SubjectUser = $_.Properties[1].Value
        TargetUser = $_.Properties[5].Value
        TargetServer = $_.Properties[9].Value
        ProcessName = $_.Properties[11].Value
    }
}

# Get NTLM authentications
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4776
} -MaxEvents 100 | ForEach-Object {
    [PSCustomObject]@{
        Time = $_.TimeCreated
        User = $_.Properties[1].Value
        Workstation = $_.Properties[2].Value
        Status = $_.Properties[4].Value
    }
}

Service & Task Analysis

# Get recently created services
Get-WinEvent -FilterHashtable @{
    LogName = 'System'
    ID = 7045
} -MaxEvents 20 | ForEach-Object {
    [PSCustomObject]@{
        Time = $_.TimeCreated
        ServiceName = $_.Properties[0].Value
        ImagePath = $_.Properties[1].Value
        ServiceType = $_.Properties[2].Value
        StartType = $_.Properties[3].Value
        Account = $_.Properties[4].Value
    }
}

# Get scheduled tasks created recently
Get-ScheduledTask | Where-Object {
    $_.Date -gt (Get-Date).AddDays(-7)
} | Select-Object TaskName, TaskPath, Author, Date, State

# Check for PsExec service
Get-Service | Where-Object {$_.Name -match "psexe|paexe|remcom|csexe"}

Remote Execution Detection

# Check for recent PowerShell remoting
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    ID = 4103, 4104
} -MaxEvents 100 | Where-Object {
    $_.Message -match "Invoke-Command|Enter-PSSession|New-PSSession"
}

# Check WMI activity
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WMI-Activity/Operational'
    ID = 5857, 5858, 5859, 5861
} -MaxEvents 50

# Check for remote registry access
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4663
} -MaxEvents 100 | Where-Object {
    $_.Properties[6].Value -match "Registry"
}

Lateral Movement Tool Detection

# Search for common lateral movement tools
$toolPatterns = @(
    "mimikatz",
    "psexec",
    "paexec", 
    "wmiexec",
    "smbexec",
    "atexec",
    "crackmapexec",
    "evil-winrm",
    "rubeus",
    "sharphound",
    "bloodhound"
)

Get-ChildItem -Path C:\Users, C:\Windows\Temp, C:\ProgramData -Recurse -File -ErrorAction SilentlyContinue | 
    Where-Object {
        $file = $_
        $toolPatterns | Where-Object {$file.Name -match $_}
    } | Select-Object FullName, CreationTime, LastWriteTime

# Check running processes for tool signatures
Get-Process | Where-Object {
    $proc = $_
    $toolPatterns | Where-Object {$proc.Name -match $_ -or $proc.Path -match $_}
}

Evidence Collection Script

# Lateral Movement Evidence Collection
$outputPath = "C:\IR_LateralMovement_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
New-Item -ItemType Directory -Path $outputPath -Force

# System info
systeminfo > "$outputPath\systeminfo.txt"

# Network connections
Get-NetTCPConnection | Export-Csv "$outputPath\network_connections.csv" -NoTypeInformation

# SMB Sessions
Get-SmbSession | Export-Csv "$outputPath\smb_sessions.csv" -NoTypeInformation

# Recent logons (Security log)
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624,4625,4648,4776} -MaxEvents 1000 |
    Export-Csv "$outputPath\logon_events.csv" -NoTypeInformation

# Services
Get-WmiObject Win32_Service | Export-Csv "$outputPath\services.csv" -NoTypeInformation

# Scheduled Tasks
Get-ScheduledTask | Export-Csv "$outputPath\scheduled_tasks.csv" -NoTypeInformation

# RDP Sessions
qwinsta > "$outputPath\rdp_sessions.txt"

# PowerShell history (all users)
Get-ChildItem "C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $user = $_.FullName.Split('\')[2]
        Copy-Item $_.FullName "$outputPath\ps_history_$user.txt"
    }

# Compress
Compress-Archive -Path $outputPath -DestinationPath "$outputPath.zip" -Force

Write-Host "Evidence collected to: $outputPath.zip"

---

⚠️ Critical Investigation Note: Lateral movement rarely occurs in isolation.

Always investigate: (1) How did the attacker gain initial access? (2) What credential theft occurred before movement? (3) What is the attacker's objective? (4) Has data exfiltration occurred?

Treat any confirmed lateral movement as a potential full environment compromise until proven otherwise.