Difficulty: Medium | Category: Lateral Movement & Discovery | Time: 30-45 minutes | Tools: SIEM, XDR, Firewall

Lateral Movement Investigation

When alerts indicate unusual internal connections, RDP to servers from workstations, PsExec executions, or SMB access to file shares from unexpected hosts, investigate by mapping the movement path, identifying the initial compromise point, checking for credential harvesting, and assessing the scope of accessed systems. Lateral movement is almost always part of a larger attack chain and warrants immediate escalation.

Overview

Lateral movement is one of the most critical attack phases to detect because it indicates an attacker has already gained initial access and is expanding their foothold. Adversaries move laterally using legitimate tools and protocols (RDP, SMB, WMI, PsExec, PowerShell remoting), which makes detection challenging because administrators use the same tools every day.

This playbook teaches you to distinguish malicious lateral movement from legitimate administrative activity by analyzing the source account, timing, destination pattern, and process context. Effective lateral movement investigation requires correlating data across SIEM, XDR, and network monitoring tools to reconstruct the full attack path.

When You See This

  1. XDR alert for PsExec, WMI, or PowerShell remoting execution from a non-admin workstation
  2. SIEM alert for RDP connections from a user account to servers they have never accessed before
  3. Firewall logs showing internal SMB traffic between hosts that do not normally communicate
  4. Unusual service installation or scheduled task creation on multiple hosts within a short window

Investigation Steps

  1. Map the connection chain

    Identify the source host, destination host(s), account used, protocol/tool, and timestamp for each lateral movement event. Build a timeline showing the progression from the initial host to each subsequent system. Look for patterns; attackers typically move from less-privileged to more-privileged systems.

    Tools: SIEM, XDR

    index=endpoint (EventCode=4624 OR EventCode=4648) Logon_Type IN (3, 10) | stats values(dest_host) as targets, count by src_ip, user, Logon_Type | where count > 2

    index=endpoint (process_name IN ("psexec.exe", "psexec64.exe", "wmic.exe") OR (process_name="powershell.exe" AND command_line="*-ComputerName*")) | table _time, src_host, dest_host, user, process_name, command_line | sort _time
  2. Identify the initial compromise point

    Trace back from the first lateral movement event to find how the attacker gained access to the source host. Check for prior phishing email delivery, exploit attempts, or compromised VPN credentials. The initial access point determines the full scope of the incident.

    Tools: SIEM, XDR

    (index=auth OR index=endpoint) dest_host="first_compromised_host" | stats count, min(_time) as first_seen, max(_time) as last_seen by action, src_ip, user | sort -last_seen | head 100
  3. Check for credential harvesting

    Attackers typically harvest credentials before moving laterally. Look for LSASS memory access, Mimikatz patterns, SAM database access, or Kerberoasting activity on the compromised hosts. If credentials were harvested, all accounts on those systems should be considered compromised.

    Tools: XDR

    The LSASS check below uses Sysmon Event ID 10 (ProcessAccess) fields, where the target image is lsass.exe and 0x1010 is the granted access mask; Ticket_Encryption_Type 0x17 on Event ID 4769 is RC4, the usual Kerberoasting indicator.
    index=endpoint (EventCode=10 TargetImage="*\\lsass.exe" GrantedAccess="0x1010") OR (process_name="mimikatz.exe") OR (EventCode=4769 Ticket_Encryption_Type="0x17") | table _time, dest_host, SourceImage, process_name, user

    Decision Point

    If: Credential harvesting detected on compromised hosts

    Yes → All accounts that were logged into those systems are potentially compromised. Expand scope to include password resets for all affected accounts.

    No → Attacker may be using initial compromised credentials only. Continue mapping the attack path.

  4. Assess scope and contain

    Determine all systems the attacker accessed and what data they could have reached. Isolate compromised endpoints from the network. Block the attacker account(s). Coordinate with system owners to assess data exposure.

    Tools: XDR, Firewall
  5. Escalate to incident response

    Lateral movement always indicates an active intrusion beyond initial access. Document the full attack chain: initial access vector → compromised accounts → lateral movement path → accessed systems. Hand off to the incident response team with this timeline and all associated IOCs.

    Tools: SIEM
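As an added example (not part of the SOCSimulator playbook), the Step 1 chain mapping and the Step 3 decision point worked in Python over a constructed set of 4624 logon records; the hosts, users, and the set of hosts where harvesting was confirmed are hypothetical.

```python
# Constructed 4624 logon records in the shape the Step 1 SIEM query returns:
# (time, src_ip, src_host, dest_host, user, Logon_Type). Hosts and users are hypothetical.
LOGONS = [
    ("2024-03-01T08:00", "10.1.1.31", "WS-031", "FS-01", "asmith", 3),     # unrelated user
    ("2024-03-01T09:02", "10.1.1.20", "WS-020", "FS-01", "jdoe", 3),
    ("2024-03-01T09:15", "10.1.1.20", "WS-020", "APP-01", "jdoe", 10),     # RDP
    ("2024-03-01T09:40", "10.1.1.50", "APP-01", "SQL-01", "svc_backup", 3),
    ("2024-03-01T09:41", "10.1.1.50", "APP-01", "DC-01", "svc_backup", 3),
]

def trace_chain(logons, start_host):
    """Step 1: reconstruct the movement path outward from the initial host.
    Events are walked in time order and a hop from host H counts only once H
    was reached by an earlier hop, so unrelated traffic to the same servers
    (asmith -> FS-01 above) stays out of the chain."""
    reached = {start_host}
    chain = []
    for t, _ip, src, dst, user, ltype in sorted(logons):
        if src in reached:
            chain.append((t, src, dst, user, ltype))
            reached.add(dst)
    return chain

def credential_pivots(chain):
    """Hosts reached with one account and then used as a source with another:
    where new credentials were most likely obtained. Run the Step 3 query there."""
    reached_as, pivots = {}, set()
    for _t, src, dst, user, _lt in chain:
        if src in reached_as and reached_as[src] != user:
            pivots.add(src)
        reached_as.setdefault(dst, user)
    return pivots

def accounts_to_reset(logons, harvested_hosts):
    """Step 3 'Yes' branch: every account with a session on a host where
    harvesting was confirmed, whether it logged on there or pivoted from there."""
    return {u for _t, _ip, src, dst, u, _lt in logons
            if src in harvested_hosts or dst in harvested_hosts}

def escalation_reasons(chain, harvested_hosts, critical_prefixes=("DC-", "SQL-")):
    """Escalation criteria from the playbook, evaluated against the chain."""
    reasons = ["confirmed lateral movement"] if chain else []
    if harvested_hosts:
        reasons.append("credential harvesting on " + ", ".join(sorted(harvested_hosts)))
    hit = sorted({dst for _t, _s, dst, _u, _lt in chain if dst.startswith(critical_prefixes)})
    if hit:
        reasons.append("movement toward critical infrastructure: " + ", ".join(hit))
    return reasons
```

Call trace_chain(LOGONS, "WS-020") to get the four-hop path, then credential_pivots on that result to pick the hosts to check with the Step 3 query; once harvesting is confirmed on a host, accounts_to_reset gives the password-reset scope.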

Common Mistakes

  1. Investigating only the destination alert without tracing back to the initial compromise point
  2. Dismissing RDP connections as "admin activity" without verifying the source account and timing
  3. Failing to check for credential harvesting tools, which means potentially compromised accounts go undetected
  4. Containing only the latest compromised system instead of all systems in the attack chain

Escalation Criteria

  • Any confirmed lateral movement; this always indicates an active intrusion

  • Credential harvesting tools detected (Mimikatz, SAM dump, LSASS access)

  • Movement toward domain controllers, databases, or other critical infrastructure

Practice This Investigation

SOCSimulator provides hands-on training rooms where you work through real-world attack scenarios, including lateral movement investigations with live SIEM alerts. Build analyst muscle memory with zero consequences. Free forever.


Frequently Asked Questions

How do I distinguish malicious lateral movement from normal admin activity?
Check three things: (1) Is the source account an admin who normally accesses this system? (2) Is the timing consistent with normal work hours and maintenance windows? (3) Is the tool/protocol consistent with how admins normally manage this system? If any answer is "no," investigate further.
Should I always escalate lateral movement alerts?
Yes. Confirmed lateral movement means an attacker has already breached your perimeter and is expanding access. Even if the movement seems limited, the attacker may have additional access you have not discovered yet. Always escalate to ensure proper incident response.
How do I practice lateral movement investigations?
SOCSimulator scenarios include multi-stage attacks with lateral movement phases. Practice correlating SIEM, XDR, and firewall alerts to reconstruct attack paths, the skill that separates Tier 1 from Tier 2 analysts. Start free forever.