An attacker has a foothold on one host. What signs of lateral movement would you hunt for?
Short answer
Lateral movement is an attacker using a foothold to reach other systems. Signs include unexpected network logons (type 3) and RDP (type 10), access to admin shares like C$ and ADMIN$, remote-execution tools such as PsExec, WMI, and WinRM, pass-the-hash patterns, and a normally local account suddenly authenticating to many hosts.
Once an attacker has one box, the real damage comes from spreading to others — toward domain controllers, file servers, and crown-jewel data. Detecting lateral movement is high-value SOC work, which is why this is a senior question. The strong answer names concrete, observable signals.
Authentication patterns
The clearest signals are in logons. Watch for network logons (type 3) and RDP (type 10) to hosts a user never normally touches, and especially for one account authenticating across many machines in a short window. A local or service account that suddenly reaches out broadly is a classic tell. Bursts of Kerberos or NTLM activity from an unusual source also matter.
Remote execution tooling
Attackers move using built-in remote-exec mechanisms: PsExec (creating a service on the target), WMI (wmic/Win32_Process), and WinRM/PowerShell Remoting. In logs these appear as remote service creation (event 7045 / 4697), suspicious 4688 process trees, and WinRM connections. Living-off-the-land use of admin tools is deliberate — it blends in.
Credential abuse
Pass-the-hash and pass-the-ticket let an attacker authenticate with stolen credential material without the plaintext password, so you may see successful logons without a corresponding interactive credential entry. Dumping LSASS on the source host is an upstream signal worth correlating.
Share and resource access
Connections to administrative shares (C$, ADMIN$, IPC$) from unexpected sources often precede remote execution and file staging.
Detect by correlation
No single event proves lateral movement; you correlate logon type, source/destination, account, and the tooling that follows. Mapping these to ATT&CK's Lateral Movement tactic helps structure the hunt.
Why this matters
Catching movement between the initial foothold and the objective is what limits blast radius. An analyst who can describe these signals concretely shows they can hunt an active intruder, not just read a single alert.
Likely follow-ups
- How does pass-the-hash work and what makes it hard to spot?
- Which Windows event IDs and logon types would you pivot on?
- Why are service accounts a favorite target for lateral movement?