19 minutes
average time for a sophisticated threat actor to begin lateral movement after initial compromise -- detection using authentication logs must trigger within this window to be effective (CrowdStrike 2024)
6 patterns
authentication event patterns that reliably indicate credential-based lateral movement in Active Directory environments, detectable without endpoint agent telemetry
4672
Windows Security Event ID for Special Privileges Assigned -- the event that most frequently precedes lateral movement via pass-the-hash and pass-the-ticket attacks
80%
of lateral movement activity in enterprise environments uses authentication mechanisms (Kerberos, NTLM, RDP, WMI) that generate authentication log events regardless of whether an EDR agent is installed

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Every enterprise has EDR coverage gaps. Legacy Windows servers that cannot run a modern agent. Linux servers where agent deployment failed and was not followed up. Industrial control systems where agent installation is prohibited. Contractor-managed endpoints where your organization has no deployment authority.

These gaps are known. What is less known is that most lateral movement that crosses these gaps still generates authentication events. An attacker using compromised credentials to log into a server over RDP, execute a command via WMI, or request a Kerberos service ticket creates authentication records in Active Directory Security logs and Windows Event Logs -- regardless of whether an EDR agent is installed on the source or destination.

This guide covers the six authentication event patterns that indicate credential-based lateral movement, the specific Event IDs and their detection logic, query templates for Splunk and Microsoft Sentinel, and the tuning adjustments that reduce false positive rates for these detection rules in typical enterprise environments.

What Authentication Logs Cover and What They Miss

Before building authentication-log-based detection, understand the coverage boundary.

What authentication logs cover: Every sign-in attempt against Active Directory domain controllers (Event ID 4624 for successful logon, 4625 for failed logon), Kerberos service ticket requests (Event ID 4769), NTLM authentication events (Event ID 4776), remote session establishment events (Event ID 4648 for explicit credential use), and privilege elevation events (Event ID 4672 for special privilege assignment). These events are generated on the authenticating host (the domain controller for domain authentication, or the local Security log for local authentication) regardless of what is installed on the connecting host.

What they miss: Process execution on the destination host (which EDR catches and authentication logs do not), file access patterns on the destination (EDR catches, authentication logs do not), and in-memory credential theft techniques that do not involve authentication events (such as direct LSASS memory read, which EDR catches and domain controller logs do not unless configured with Windows Defender Credential Guard). Authentication logs also do not capture lateral movement that uses already-established sessions -- an attacker who has a persistent authenticated session and is moving files or executing commands within it leaves no new authentication event after the initial session establishment.

The practical implication: authentication log detection catches the moment of movement (the authentication), not the activity after movement. It is best paired with SIEM correlation that connects the authentication event to subsequent activity (network connections, DNS queries, or cloud API calls from the destination host).

Pattern 1: Logon Type 3 from Unusual Sources (Pass-the-Hash Indicator)

Event ID 4624, Logon Type 3 (Network Logon) is generated on the destination host when an account authenticates over the network. This is a high-volume event in a normal enterprise environment -- file server access, print server access, and mapped drives all generate Type 3 logons.

The lateral movement signal is not the Type 3 logon itself but Type 3 logons to administrative shares (C$, ADMIN$, IPC$) from source hosts that do not typically access those shares. Pass-the-hash attacks typically authenticate to administrative shares because they require network authentication rather than interactive logon.

Detection query logic for Splunk:

  • Filter Event ID 4624 with Logon Type 3
  • Filter on destination share containing $ (administrative shares)
  • Exclude known IT management systems (your RMM tool, backup agent, domain controller to domain controller)
  • Alert on source host authenticating to administrative share for the first time in the last 30 days

The 30-day baseline window is what distinguishes this rule from an overly broad "any admin share access" alert. A source host that has never accessed the target's administrative share before is an anomaly. A backup server that accesses administrative shares on every server nightly is baseline.

Specific Event IDs to correlate: 4624 (Type 3 on destination) paired with 5140 (network share object accessed) narrows the detection to confirmed administrative share access rather than any Type 3 logon.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Pattern 2: Account Logon from Multiple Non-Sequential Hosts (Account Compromise Indicator)

When an attacker has compromised a user account and is using it for lateral movement, the account appears on multiple hosts in a compressed time window. The pattern: account A logs into host X, then within 30 minutes logs into host Y, then within another 30 minutes logs into host Z.

Normal user behavior involves logging into one primary workstation and occasionally one or two servers. A single account authenticating to four or more distinct hosts within 60 minutes is not a normal user behavior pattern.

Detection query logic (Splunk and Sentinel both support this pattern):

  • Filter Event ID 4624 for account logons
  • Exclude service accounts (these legitimately authenticate to many hosts)
  • Group by account name, count distinct destination hosts within a 60-minute window
  • Alert when distinct host count exceeds 4 within 60 minutes for a non-service account

Tuning required: exclude your own account (security analysts legitimately authenticate to multiple hosts), exclude known IT admin accounts performing maintenance, and exclude any account whose baseline behavior includes multi-host authentication (on-call engineers, DBA accounts). The exclusion list is built from the 30-day authentication baseline query run before deploying this rule.

This pattern detects both NTLM pass-the-hash and Kerberos pass-the-ticket lateral movement, because both result in authentication events to destination hosts regardless of which authentication protocol is used.

Pattern 3: Kerberoasting and Ticket Anomalies (Service Ticket Abuse)

Event ID 4769 is generated on domain controllers when a Kerberos service ticket (TGS) is requested. In a normal environment, service ticket requests follow predictable patterns: the same accounts requesting tickets to the same services they regularly use, using RC4 or AES encryption depending on your domain policy.

Two anomalous patterns in Event ID 4769 indicate credential attack activity:

Encryption downgrade requests (Kerberoasting indicator): RC4 ticket requests for service accounts in a domain configured to use AES encryption indicate a Kerberoasting attempt. Kerberoasting works by requesting service tickets encrypted with the service account's NTLM hash (RC4) rather than the stronger AES key, because RC4 hashes are faster to crack offline. Detection: filter Event ID 4769 where the Ticket Encryption Type is 0x17 (RC4-HMAC) and the requesting account is a standard user account rather than a service account or computer account.

Service ticket requests for unusual services: After Kerberoasting, attackers crack the service account password offline and then request tickets to the services that account has access to -- typically high-value services like SQL Server, SharePoint, or backup systems that a standard user would not normally access. Detection: filter Event ID 4769 for ticket requests from user accounts to service principal names (SPNs) they have not previously requested, particularly SPNs associated with database or administrative services.

Tuning: RC4 encryption downgrade detection has a meaningful false positive rate in domains that still have older systems requiring RC4. Add the source host to the exclusion list if it is a known legacy system that cannot use AES.

Pattern 4: Explicit Credential Use (4648) Outside Normal Admin Workflows

Event ID 4648 is generated when a process uses explicit credentials to authenticate (the "runas" pattern -- providing different credentials than those of the currently logged-in user). Legitimate uses include IT administrators using Run As Administrator with a privileged account to perform elevated tasks.

The lateral movement signal: Event ID 4648 appearing from a non-administrator source account, or from accounts that do not have a documented pattern of using explicit credentials, or from source hosts where no administrative activity is expected.

Attackers use explicit credentials during lateral movement when they have obtained an account's credentials (through credential dumping, phishing, or brute force) and are using those credentials to authenticate to remote systems while their attacker session is running under a different account. The explicit credential use is the "here are the stolen credentials I am using" event.

Detection query logic:

  • Filter Event ID 4648 where the account in the event differs from the currently logged-in account
  • Exclude accounts with documented explicit credential use patterns (IT admin accounts, deployment service accounts)
  • Alert on Event ID 4648 where the account used has not previously appeared in Event ID 4648 events from the same source host

Correlation: Event ID 4648 from source host X using account A, followed within 5 minutes by Event ID 4624 (logon) on destination host Y using account A, is a strong lateral movement indicator -- it shows the explicit credential use followed immediately by a successful authentication to a new host.

Network Flow-Based Detection to Complement Authentication Logs

Authentication logs detect the authentication events. Network flow logs (VPC Flow Logs, NetFlow, firewall session logs) detect the underlying network connections, including connections that fail authentication (which generate network flow events but may not generate authentication events depending on the failure mode).

Three network flow patterns that complement authentication log detection:

SMB connections to non-file-server hosts. TCP 445 (SMB) connections from workstations to other workstations indicate lateral movement using file shares or WMI (which uses SMB for authentication). Workstation-to-workstation SMB is not a normal traffic pattern in most organizations -- workstations access file servers, not each other, on SMB. Alert on any TCP 445 connection where both the source and destination are workstation hostnames rather than server hostnames.

RDP connections from non-IT-management hosts. TCP 3389 (RDP) connections from workstations to other workstations or servers, where the source is not your IT management subnet, indicate an attacker using RDP for lateral movement. RDP access from the IT management subnet to servers is baseline. RDP from a user workstation to another user workstation is anomalous.

New outbound connections to internal servers from workstations. A workstation that has never previously made a connection to a specific internal server making a new connection is an anomaly signal, particularly when combined with an authentication log event from the same source to the same destination at the same time. This pattern is the network flow equivalent of the authentication log first-seen-host detection.

The bottom line

Full EDR coverage is the goal, but authentication and network logs provide meaningful lateral movement detection coverage in the gaps where agents cannot be deployed. The six authentication event patterns -- Type 3 logon to administrative shares, multi-host account logon, Kerberos encryption downgrade, service ticket requests for unusual services, explicit credential use, and Event ID 4672 privilege assignment sequences -- together cover the most common credential-based lateral movement techniques. These detections have meaningful false positive rates in untuned form; the 30-day baseline window and the exclusion lists for known-normal behavior are what make them operationally usable. Pair authentication log detection with network flow detection for coverage of connection patterns that do not generate authentication events, and with SIEM correlation to connect the moment-of-movement authentication event to the subsequent activity on the destination host.

Frequently asked questions

Can you detect lateral movement without an EDR agent?

Yes. Most credential-based lateral movement -- which accounts for approximately 80% of lateral movement in enterprise Windows environments -- generates authentication events in Active Directory Security logs and Windows Event Logs regardless of whether an EDR agent is installed on the source or destination host. Authentication events for network logons (Event ID 4624 Type 3), Kerberos service ticket requests (Event ID 4769), explicit credential use (Event ID 4648), and privilege assignment (Event ID 4672) are generated by the operating system and domain controllers, not by endpoint agents. Network flow logs (VPC Flow Logs, NetFlow, firewall session logs) provide complementary coverage for connection patterns that do not generate authentication events.

What Windows Event IDs are most useful for detecting lateral movement?

The six most useful Event IDs for lateral movement detection are: 4624 (successful logon -- filter for Logon Type 3 network logons to administrative shares), 4625 (failed logon -- repeated failures across multiple hosts indicate credential spraying or brute force), 4648 (explicit credential use -- attacker using stolen credentials while their session runs under a different account), 4672 (special privilege assignment -- elevated rights assigned immediately after logon), 4769 (Kerberos service ticket request -- filter for RC4 encryption type to detect Kerberoasting), and 5140 (network share object accessed -- correlate with 4624 Type 3 to confirm administrative share access). Collect these from domain controllers and member servers into your SIEM.

What is pass-the-hash and how do authentication logs detect it?

Pass-the-hash is a lateral movement technique where an attacker uses the NTLM hash of a compromised account's password -- rather than the plaintext password -- to authenticate to remote services. The hash can be extracted from LSASS memory on a compromised host using tools like Mimikatz. Authentication logs detect pass-the-hash through two patterns: Event ID 4624 Logon Type 3 (network logon) to administrative shares (C$, ADMIN$, IPC$) from source hosts with no prior access history, and Event ID 4624 events showing the same account authenticating to multiple distinct hosts within a compressed time window (4 or more hosts within 60 minutes for a non-service account).

What is Kerberoasting and what log events does it generate?

Kerberoasting is an attack technique where an attacker requests Kerberos service tickets for accounts with Service Principal Names (SPNs), then cracks those tickets offline to obtain the service account's password. The ticket request uses RC4 encryption (0x17) rather than AES because RC4 hashes are faster to crack offline. Windows Event ID 4769 is generated on domain controllers for every Kerberos service ticket request. Detection: filter Event ID 4769 where Ticket Encryption Type is 0x17 (RC4-HMAC) and the requesting account is a standard user account rather than a service account or computer account. RC4 requests in a domain configured for AES are the anomaly signal.

How do I reduce false positives in authentication log lateral movement detection?

Build a 30-day authentication baseline before deploying any detection rule, and use baseline deviation rather than absolute thresholds. Key exclusions for each pattern: for multi-host logon detection, exclude all service accounts (they legitimately authenticate to many hosts) and known IT admin accounts. For administrative share access detection, exclude your RMM tool, backup agent, and domain controller authentication sources. For explicit credential use (4648), exclude documented administrative workflows and deployment service accounts. For Kerberos encryption downgrade, exclude known legacy hosts that require RC4 because they cannot support AES. Document every exclusion with the justification and a review date.

What network flow patterns indicate lateral movement?

Three network flow patterns complement authentication log detection: SMB (TCP 445) connections from workstations to other workstations (workstation-to-workstation SMB is abnormal -- workstations access file servers, not each other), RDP (TCP 3389) connections from non-IT-management source hosts to workstations or servers (RDP lateral movement from attacker-controlled workstations to targets), and first-seen connections from a workstation to an internal server (a workstation that has never connected to a specific server making a new connection, particularly when correlated with an authentication event from the same source to the same destination at the same time).

How should authentication log lateral movement detection integrate with my SIEM?

Authentication log detection works best as correlated SIEM rules rather than individual event alerts. The correlation patterns that produce high-confidence lateral movement alerts: Event ID 4648 from source host X using account A, followed within 5 minutes by Event ID 4624 on destination host Y using account A (explicit credential use followed by successful authentication). Event ID 4769 with RC4 encryption from account B, followed within 60 minutes by Event ID 4624 Type 3 logons to multiple hosts using account B (Kerberoasting followed by lateral movement using the cracked account). Network flow TCP 445 from workstation C to workstation D, correlated with Event ID 4624 Type 3 on workstation D from the IP of workstation C.

Sources & references

  1. MITRE ATT&CK: Lateral Movement Tactic
  2. NSA/CISA: Best Practices for Event Log Management
  3. Microsoft: Windows Security Event Log Reference
  4. CrowdStrike 2024 Global Threat Report
  5. SANS: Investigating Windows Systems Using Event Logs

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.