24 days
Median dwell time before lateral movement is detected (Mandiant M-Trends): attackers use this time to reach domain controllers and establish persistence
4648
Windows Event ID for explicit credential logon: a key indicator of lateral movement when a workstation authenticates to another workstation
Most common credential-based lateral movement technique: reuses NTLM hashes from memory without knowing the plaintext password
SMB
Most common lateral movement protocol: file share access, PsExec, WMI all traverse SMB and generate characteristic event log patterns

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The initial compromise is rarely the end goal. Phishing campaigns target end users; ransomware operators want domain controllers. Between the phishing victim's workstation and the domain controller are all the other systems the attacker needs to traverse: and the credentials they need to collect along the way.

Lateral movement is the journey from initial access to objective. It is also the phase where detection is most actionable: the attacker is active on the network, generating authentication events, making network connections, and executing commands on remote systems. All of these leave traces.

Common Lateral Movement Techniques

1. Pass-the-Hash (PtH)

Pass-the-Hash reuses NTLM credential hashes extracted from memory (via Mimikatz or similar) to authenticate to remote systems without knowing the plaintext password.

What it looks like on the network and in event logs:

  • Source: Mimikatz sekurlsa::logonpasswords on the compromised host
  • Authentication: NTLM authentication (Event ID 4624, Logon Type 3, NTLMv2) from the attacker's process to a remote SMB share
  • Workstation-to-workstation NTLM authentication is uncommon in most environments: legitimate traffic is usually Kerberos

2. Pass-the-Ticket (PtT)

Pass-the-Ticket steals a Kerberos ticket from memory (Event ID 4769 on the DC when the ticket was requested) and uses it on another system. The ticket belongs to a legitimate user: the attacker is impersonating them.

3. PsExec / Remote Service Execution

PsExec (and many imitations) copies a service binary to the target's ADMIN$ share, creates a Windows service, and executes it. Generates a distinctive event sequence:

  1. File copy to \\TARGET\ADMIN$\PSEXESVC.exe (SMB, Event ID 5145)
  2. Service creation on the target (Event ID 7045 on the target: "PSEXESVC" service installed)
  3. Service execution (Event ID 4688: PSEXESVC.exe launches cmd.exe or payload)

4. WMI Remote Execution

WMI provides a legitimate remote administration interface. Attackers use wmic /node:target process call create "cmd.exe /c payload" or PowerShell's Invoke-WmiMethod:

  • Generates Event ID 4624 (logon) on the target with Logon Type 3
  • Followed by wmiprvse.exe spawning the payload process (Event ID 4688, parent=wmiprvse.exe)

5. RDP (Remote Desktop Protocol)

RDP hijacking abuses valid stolen credentials over port 3389. Less stealthy than other methods but widely used by ransomware operators who need interactive access:

  • Event ID 4624 with Logon Type 10 (RemoteInteractive) on the target
  • Event ID 4778 (session reconnect) if hijacking an existing disconnected session

Detection: Authentication Anomalies

The core insight: In most environments, workstations do not authenticate to other workstations. Workstation-to-workstation authentication events (especially NTLM) are lateral movement until proven otherwise.

Splunk SPL: detect workstation-to-workstation NTLM authentication:

index=windows EventCode=4624 Logon_Type=3 Authentication_Package=NTLM
| eval src_host=replace(Workstation_Name, "\\\\\\\\|\\.$", "")
| eval dest_host=replace(ComputerName, "\\..*", "")
| where src_host!=dest_host
| lookup assets.csv hostname as src_host OUTPUT asset_type as src_type
| lookup assets.csv hostname as dest_host OUTPUT asset_type as dest_type
| where src_type="workstation" AND dest_type="workstation"
| stats count by src_host, dest_host, Account_Name, _time
| where count > 1

Microsoft Sentinel KQL: Pass-the-Hash indicators:

// Event 4624 Logon Type 3 NTLM with workstation source authenticating to server
SecurityEvent
| where EventID == 4624
| where LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where WorkstationName != ""
| where Computer != WorkstationName  // Different source and dest
| where AccountName !endswith "$"  // Not machine accounts
| where IpAddress !in ("127.0.0.1", "::1", "-")
| summarize
    ConnCount = count(),
    TargetHosts = make_set(Computer),
    SourceHosts = make_set(WorkstationName)
    by AccountName, bin(TimeGenerated, 1h)
| where array_length(TargetHosts) > 2  // One account accessing multiple hosts
| sort by ConnCount desc

Alert on explicit credential use (Event ID 4648):

// Event 4648 = logon with explicit credentials (RunAs, net use /user:, PsExec -u)
SecurityEvent
| where EventID == 4648
| where AccountName != TargetUserName  // Different account is being used
| where TargetServerName !in ("localhost", "127.0.0.1")
| project TimeGenerated, Computer, AccountName, TargetUserName, TargetServerName, ProcessName
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Detection: Remote Execution Signatures

PsExec detection (Event ID 7045: service installation):

// New service installed with characteristics of PsExec or imitations
SecurityEvent
| where EventID == 7045
| where ServiceFileName has_any ("PSEXESVC", "cmd.exe", "powershell.exe")
    or ServiceFileName matches regex @"\\(ADMIN|C)\$\\"
| project TimeGenerated, Computer, ServiceName, ServiceFileName, ServiceAccount

WMI remote execution (Sysmon Event ID 1: wmiprvse.exe spawning commands):

SysmonEvent
| where EventID == 1  // Process creation
| where ParentImage has "wmiprvse.exe"
| where Image has_any ("cmd.exe", "powershell.exe", "mshta.exe", "cscript.exe")
| project TimeGenerated, Computer, Image, CommandLine, ParentImage

RDP authentication burst (multiple hosts in short time window):

SecurityEvent
| where EventID == 4624
| where LogonType == 10  // RemoteInteractive = RDP
| summarize
    RDPHosts = make_set(Computer),
    Count = count()
    by AccountName, bin(TimeGenerated, 30m)
| where array_length(RDPHosts) > 3  // Single account RDPing to 3+ hosts in 30 min
| sort by Count desc

Admin share access (SMB Event ID 5145):

// Access to administrative shares (C$, ADMIN$, IPC$) is unusual from workstations
SecurityEvent
| where EventID == 5145
| where ShareName has_any ("ADMIN$", "C$", "IPC$")
| where AccountName !endswith "$"  // Not machine accounts
| project TimeGenerated, Computer, AccountName, IpAddress, ShareName, RelativeTargetName

Network-Level Detection: Segmentation and Monitoring

Why east-west traffic monitoring matters: Most network monitoring focuses on perimeter (north-south) traffic. Lateral movement generates internal (east-west) traffic that perimeter tools never see. A workstation connecting to another workstation on SMB port 445 looks identical to normal file sharing: context determines whether it is lateral movement.

Network segmentation to limit blast radius:

# Windows Firewall GPO: block workstation-to-workstation SMB
# Computer Configuration > Windows Settings > Security Settings > Windows Firewall
# Inbound rule: Block TCP 445 from workstation subnets to workstation subnets

# Allow SMB only from specific management subnets to servers
# Block SMB from all workstations to other workstations

Micro-segmentation priority: If workstations can freely SMB to each other, a single phishing victim can become patient zero for ransomware that propagates across all workstations. The fix is a Windows Firewall policy (deployed via GPO) that blocks workstation-to-workstation SMB.

NDR tools for east-west detection:

  • Zeek (open source): extracts and logs SMB, Kerberos, RDP, and WMI sessions from packet captures
  • Corelight: commercial Zeek deployment with ML anomaly detection
  • Darktrace, ExtraHop: behavioral baselines for east-west traffic

The honeypot approach: Deploy a honeyserver on an unused internal IP that should receive zero legitimate traffic. Any internal connection to it: SMB probe, RDP attempt, ICMP ping from a lateral movement scan: triggers an immediate alert.

The bottom line

Lateral movement generates authentication events across the environment: workstation-to-workstation NTLM authentication, Event ID 4648 explicit credential use, new service installations from remote sources, and wmiprvse.exe spawning shell processes. The most actionable detection: alert on workstation-to-workstation NTLM logons (Logon Type 3, NTLM package), watch for a single account authenticating to many hosts in short windows, and monitor Event ID 7045 for unexpected service installations. Network segmentation blocking workstation-to-workstation SMB limits what one compromised host can reach.

Frequently asked questions

What is lateral movement in a cyberattack?

Lateral movement is the phase where an attacker uses an initially compromised system to access additional systems in the network: pivoting from an end-user workstation toward domain controllers, file servers, and backup systems. Common techniques include Pass-the-Hash (reusing credential hashes), PsExec (remote service execution), WMI remote commands, and RDP with stolen credentials.

How do you detect lateral movement in a network?

Key detection signals: Event ID 4624 with Logon Type 3 and NTLM authentication from workstations to other workstations (workstation-to-workstation NTLM is rare in healthy environments), Event ID 4648 explicit credential use, Event ID 7045 unexpected service installations, and wmiprvse.exe spawning cmd.exe or PowerShell. Alert on any account authenticating to more than three hosts in a short window: this indicates credential spraying during lateral movement.

What tools do attackers use for lateral movement in Windows environments?

Common lateral movement tools and techniques: PsExec (remote process execution via SMB), WMI/WMIC (remote command execution), PowerShell Remoting (Enter-PSSession, Invoke-Command), Pass-the-Hash using Mimikatz with NTLM hashes, Impacket's smbexec.py and wmiexec.py (SMB and WMI execution from Linux), RDP (Remote Desktop Protocol), and scheduled tasks created remotely. MITRE ATT&CK Tactic TA0008 (Lateral Movement) documents all known techniques with detection guidance. Defenders should specifically monitor for ADMIN$ and C$ share access, WMI remote execution events, and PSExec service creation (Event ID 7045 with service name PSEXESVC).

How does network segmentation limit lateral movement?

Network segmentation limits lateral movement by restricting which systems can communicate directly. In a flat network, a compromised user workstation can reach domain controllers, backup servers, and production databases directly via SMB, WMI, and RDP. With segmentation: workstations cannot reach other workstations (blocks SMB relay and credential spraying); workstations can only reach servers through controlled paths (forcing lateral movement through monitored firewall chokepoints); and domain controllers are in an isolated segment accessible only from server management systems. Microsoft recommends a three-tier admin model: user workstations, server management, and domain controller management in completely separate administrative forests.

What is pass-the-hash and how do you prevent it?

Pass-the-hash (PtH) is an attack where an attacker uses a stolen NTLM password hash to authenticate as a user without knowing the plaintext password. Windows NTLM authentication uses the hash directly during the challenge-response exchange: the hash is equivalent to the password for authentication purposes. Prevention: enable Windows Defender Credential Guard (prevents hash extraction from LSASS memory on modern Windows 10/11 and Server 2016+ with Secure Boot); deploy LAPS to ensure local administrator accounts have different passwords on every machine (prevents PtH from spreading across systems); disable NTLM where Kerberos is available; and restrict which accounts can authenticate to sensitive systems via Protected Users security group membership.

What tools and techniques do attackers use for lateral movement and what log evidence does each technique leave?

Lateral movement techniques and their log fingerprints: PsExec and similar SMB-based tools create a service on the target machine (Event ID 7045 on target) and connect via SMB (Event ID 4624 Type 3 logon on target, Event ID 5140 network share access). WMI remote execution (wmic /node:target process call create) generates Event ID 4624 on target, Event ID 4688 process creation for WmiPrvSE.exe spawning child processes, and WMI activity log events (Event IDs in Microsoft-Windows-WMI-Activity). PowerShell Remoting creates a WSMan connection visible in Windows Remote Management logs and Event ID 4624 Type 3 with AuthenticationPackageName of Kerberos or NTLM. RDP (Remote Desktop) creates Event ID 4624 Type 10 (RemoteInteractive) on target and Event ID 4778 (session reconnect) for subsequent connections. DCOM-based lateral movement is harder to detect: look for Event ID 4624 followed by process creation for dllhost.exe or mmc.exe from unexpected parent processes. For NTLM relay attacks targeting SMB: Event ID 4624 Type 3 on the relay target with the victim's username but the attacker's IP as the source. Correlate logon events across multiple machines to identify the lateral movement pattern: the same user account appearing on multiple systems within a short window is a strong indicator of pass-the-hash or token impersonation.

Sources & references

  1. MITRE ATT&CK: Lateral Movement (TA0008)
  2. Microsoft: Detecting Lateral Movement Through SMB
  3. SANS: Lateral Movement Techniques and Detection

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.