Detecting Lateral Movement

Once an attacker has a foothold, the interesting part begins: moving from the first host toward whatever they actually came for. That east-west movement leaves traces if you know which events to join.
Signals worth joining
Lateral movement rarely shows up as a single smoking-gun event. It emerges from correlation:
- Network logon events (4624, logon type 3) from unusual sources
- Service or scheduled-task creation on the destination
- Remote process creation shortly after
Correlate across hosts, not just within one. A single 4624 is noise; a chain of them following an account around the estate is a story.
A starting query
This KQL buckets type-3 (network) logons by account and hour, counts the distinct hosts each account reached in that hour, and surfaces accounts that touched more than five. The make_set keeps up to ten example hostnames per row so an analyst can see where the account went:

```kql
SecurityEvent
| where EventID == 4624 and LogonType == 3          // network logons only
| summarize hosts = dcount(Computer),                // distinct destinations per account per hour
            machines = make_set(Computer, 10)        // up to 10 example hostnames
    by Account, bin(TimeGenerated, 1h)
| where hosts > 5                                    // starting threshold; tune per environment
| sort by hosts desc
// Computer accounts (Account ending in "$") generate many type-3 logons;
// exclude them before tuning the threshold if they dominate the results.
```
Techniques to cover
| ATT&CK ID | Technique | Primary signal |
|---|---|---|
| T1021.002 | SMB / Admin Shares | 5140 / 5145 share access, 4624 type 3 |
| T1021.006 | WinRM | Microsoft-Windows-WinRM/Operational log |
| T1053.005 | Scheduled Task | 4698 task created (needs Other Object Access auditing) |
| T1569.002 | Service Execution | 7045 service installed (System log); 4697 in the Security log where audited |
Tune the thresholds to your environment. Admins, backup agents and vulnerability scanners legitimately touch many hosts, so baseline each account first, then alert on deviation from that baseline rather than on the raw count.
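To make the correlation concrete, here is an added example (not code from the original page, and not tied to any SIEM) that runs the two ideas above over a handful of constructed events: the fan-out check from the KQL query (distinct hosts per account per hour, with computer accounts excluded and a per-account baseline applied as the closing paragraph suggests), and the logon-then-execution chain from the bullet list (a type-3 4624 followed by a 4698 or 7045 on the same destination within a short window). The event shape, the sample timestamps, hostnames, accounts and the `BASELINE_HOSTS_PER_HOUR` numbers are all assumptions made for the example.

```python
"""Hypothetical correlation over constructed Windows security events.

Added example; not the original page's query and not a product's API.
Event shape is an assumption: a dict carrying the fields the KQL uses
(TimeGenerated, EventID, Computer, Account, LogonType) plus the
destination-side events 4698 (task created) and 7045 (service installed).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, event_id, computer, account, logon_type=None):
    """Build one constructed event record (sample data, not real logs)."""
    return {"TimeGenerated": datetime.fromisoformat(ts), "EventID": event_id,
            "Computer": computer, "Account": account, "LogonType": logon_type}


# Constructed sample: jdoe fans out across seven hosts in an hour, and a
# service is installed on FS01 one minute after the logon there; svc-backup
# touches eight hosts, but that is well within its baseline; admin's 7045 on
# WS07 lands an hour after the logon, outside the chain window.
EVENTS = [
    ev("2024-05-01T10:00:00", 4624, "WS01", "CORP\\jdoe", 3),
    ev("2024-05-01T10:01:00", 4624, "WS02", "CORP\\jdoe", 3),
    ev("2024-05-01T10:02:00", 4624, "FS01", "CORP\\jdoe", 3),
    ev("2024-05-01T10:03:00", 7045, "FS01", "CORP\\jdoe"),
    ev("2024-05-01T10:05:00", 4624, "WS03", "CORP\\jdoe", 3),
    ev("2024-05-01T10:09:00", 4624, "WS04", "CORP\\jdoe", 3),
    ev("2024-05-01T10:15:00", 4624, "WS05", "CORP\\jdoe", 3),
    ev("2024-05-01T10:20:00", 4624, "DC01", "CORP\\jdoe", 3),
    ev("2024-05-01T10:10:00", 4624, "WS07", "CORP\\admin", 3),
    ev("2024-05-01T11:10:00", 7045, "WS07", "CORP\\admin"),
    ev("2024-05-01T10:30:00", 4624, "WS01", "CORP\\jdoe", 2),  # interactive: ignored
    ev("2024-05-01T10:40:00", 4624, "WS08", "WS08$", 3),       # machine account: ignored
] + [
    ev(f"2024-05-01T10:{m:02d}:00", 4624, f"SRV{m:02d}", "CORP\\svc-backup", 3)
    for m in range(0, 24, 3)  # eight distinct hosts in the 10:00 bucket
]

# Hypothetical baseline: typical distinct hosts per hour learned per account
# over a quiet period. Accounts not listed are assumed to touch about one.
BASELINE_HOSTS_PER_HOUR = {"CORP\\svc-backup": 30}


def hour_bucket(ts):
    """Equivalent of bin(TimeGenerated, 1h)."""
    return ts.replace(minute=0, second=0, microsecond=0)


def fan_out(events, threshold=5, baseline=None, deviation=2.0):
    """Accounts with network logons to more than `threshold` distinct hosts in
    an hour (the KQL summarize/dcount), skipping computer accounts and
    suppressing accounts that stay within `deviation` x their baseline."""
    baseline = baseline or {}
    hosts = defaultdict(set)
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3:
            continue
        if e["Account"].endswith("$"):  # computer accounts are expected noise
            continue
        hosts[(e["Account"], hour_bucket(e["TimeGenerated"]))].add(e["Computer"])
    hits = []
    for (account, bucket), seen in sorted(hosts.items()):
        if len(seen) > threshold and len(seen) > deviation * baseline.get(account, 1):
            hits.append({"Account": account, "Bucket": bucket,
                         "hosts": len(seen), "machines": sorted(seen)})
    return sorted(hits, key=lambda h: h["hosts"], reverse=True)


def logon_then_execution(events, window=timedelta(minutes=5), followups=(4698, 7045)):
    """Join a type-3 logon with task/service creation on the same destination
    host within `window`: the cross-host chain, not a single-host rule."""
    exec_by_host = defaultdict(list)
    for e in events:
        if e["EventID"] in followups:
            exec_by_host[e["Computer"]].append(e)
    chains = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3:
            continue
        for f in exec_by_host[e["Computer"]]:
            delay = f["TimeGenerated"] - e["TimeGenerated"]
            if timedelta(0) <= delay <= window:
                chains.append({"Account": e["Account"], "Computer": e["Computer"],
                               "Logon": e["TimeGenerated"], "FollowUp": f["EventID"],
                               "Delay": delay})
    return chains


if __name__ == "__main__":
    for hit in fan_out(EVENTS, baseline=BASELINE_HOSTS_PER_HOUR):
        print("fan-out:", hit)
    for chain in logon_then_execution(EVENTS):
        print("chain:", chain)
```

Run without a baseline and svc-backup trips the fan-out rule alongside jdoe; with the baseline only jdoe remains, which is the point of alerting on deviation rather than on the raw count. The chain function is what turns a fan-out hit into a story: it tells you on which host the account followed the logon with something that persists.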