Lateral Movement: Detection and defense in the corporate network

The first compromised host is rarely an attacker’s ultimate target—it is the starting point. Lateral movement refers to all the techniques an attacker uses to move through the network from this foothold in order to reach valuable systems (domain controllers, file servers, backup servers, databases). Understanding these techniques is essential for detecting and preventing them.

Lateral Movement Techniques

The most common lateral movement methods:

Pass-the-Hash (PtH):
  → Attacker uses NTLM password hash instead of plaintext password
  → No credential cracking required!
  → Windows authentication accepts hash directly (NTLM protocol)

  Procedure:
  1. Attacker has access to Host A
  2. Mimikatz: sekurlsa::logonpasswords → User’s NTLM hash
  3. No cracking: Use hash directly for authentication on Host B
  4. cmd → wmic /node:HOST_B process call create &quot;cmd&quot; → Shell on B!

  Why is this possible? NTLM: Challenge-response without plaintext password
  → The hash IS the password in NTLM

Pass-the-Ticket (PtT):
  → Steal Kerberos tickets + reuse them
  → Tickets stored in LSASS process memory
  → Mimikatz: sekurlsa::tickets /export → Ticket files
  → Rubeus: /ticket:file.kirbi → Load and use ticket

Golden Ticket:
  → KRBTGT account hash compromised
  → Attacker can create any TGTs
  → For any user, any group, any lifetime!
  → Persistence: Years if KRBTGT is not rotated

  Detection: Tickets with lifetime &gt; 10h (policy deviation)

WMI Remote Execution (wmiexec.py):
  → Windows Management Instrumentation for remote execution
  → Firewall often allows WMI (Port 135/dynamic)
  → wmiexec.py DOMAIN/User:Pass@HOST_B &quot;ipconfig&quot;
  → Alternative to PSExec: fewer forensic artifacts

PSExec (and variants):
  → Creates a service on the target system → Shell
  → Leaves traces: service events (EventID 7045)
  → SMBExec, CSExec: quieter alternatives

Remote Services (sc.exe, Services API):
  → Create a service on the target
  → DLL implant as a service → Persistence + lateral movement

WinRM / PowerShell Remoting:
  → Enter-PSSession -ComputerName HOST_B
  → Invoke-Command -ComputerName HOST_B -ScriptBlock {...}
  → Port 5985 (HTTP) / 5986 (HTTPS)
  → Normally allowed for admins → good for hiding!

SSH Lateral Movement (Linux/Unix):
  → Steal SSH keys: cat ~/.ssh/id_rsa
  → Read known hosts: ~/.ssh/known_hosts → Network topology!
  → Abuse SSH agent forwarding

RDP (Remote Desktop Protocol):
  → Port 3389 often open internally
  → Credential reuse for RDP sessions
  → SharpRDP: RDP without a UI client
  → Anomaly: Admin account RDP to unexpected hosts

DCOM (Distributed COM):
  → Minimal logging, popular evasion tool for red teams
  → ShellBrowserWindow, MMC20.Application as execution vector

Detection Strategies

Detecting Lateral Movement - Windows Event Log:

Key Event IDs:
  4624 (Logon Success):
    → Logon Type 3 (Network) + Admin account = RDP/WMI/PSExec
    → Logon Type 10 (Remote Interactive) = RDP
    → Unknown workstations in AuthenticationPackageName &quot;NTLM&quot;
    → NTLM on internal hosts = Suspected PtH!

  4648 (Explicit Credential Logon):
    → Logon with explicit credentials (runas, PtH)
    → Admin account on many hosts → Lateral movement scan

  4768/4769 (Kerberos TGT/Service Ticket):
    → 4769 with encryption type 0x17 (RC4) = Kerberoasting!
    → Many 4769 events for various services = Enumeration

  4672 (Special Privileges assigned):
    → SeDebugPrivilege granted = Mimikatz activity possible

  7045 (New Service installed):
    → Unknown service → PSExec/service-based lateral movement

  1102 (Audit Log cleared):
    → Anti-forensics = Breach highly likely!

SIEM detection rules (KQL/Sigma):

  Pass-the-Hash detection:
    SecurityEvent
    | where EventID == 4624
    | where LogonType == 3
    | where AuthenticationPackageName == &quot;NTLM&quot;
    | where AccountName !endswith &quot;$&quot;   -- not a computer account
    | where IpAddress !in (&quot;10.0.0.1&quot;)  -- not a legitimate system
    | summarize count() by AccountName, IpAddress, WorkstationName
    | where count_ &gt; 5
    → Multiple NTLM logins from the same IP = PtH or credential stuffing

  Impossible Travel (Lateral Movement):
    SecurityEvent
    | where EventID == 4624
    | project TimeGenerated, AccountName, IpAddress
    | summarize by AccountName, IpAddress, bin(TimeGenerated, 5m)
    | join (
        SecurityEvent | where EventID == 4624
      ) on AccountName
    | where abs(datetime_diff(&#x27;minute&#x27;, TimeGenerated, TimeGenerated1)) &lt; 10
    | where IpAddress != IpAddress1
    → Same account from two IPs within 10 minutes = lateral movement!

  Kerberoasting detection:
    SecurityEvent
    | where EventID == 4769
    | where TicketOptions has &quot;0x40810000&quot;
    | where TicketEncryptionType == &quot;0x17&quot;  -- RC4
    | summarize count() by AccountName, ServiceName, bin(TimeGenerated, 1h)
    | where count_ &gt; 10
    → Many RC4 tickets for service accounts = Kerberoasting!

EDR-based detection:
  □ LSASS access: Processes accessing lsass.exe (Mimikatz!)
  □ Token impersonation: Use of SeImpersonatePrivilege
  □ Remote thread injection in remote systems
  □ WMI remote calls with PowerShell payload
  □ Unusual parent-child process chains (cmd.exe → psexec.exe → svchost.exe)

Network-level detection:
  □ SMB connections between workstations (Workstation→Workstation SMB = unusual!)
  □ WMI traffic from non-admin systems
  □ Port 5985/5986 to many destinations in quick succession
  □ RDP sessions to unexpected destinations
  □ Network scans (internal port scans = reconnaissance)

Defense Measures

Prevent lateral movement - Hardening measures:

1. LAPS (Local Administrator Password Solution):
   Problem: All Windows workstations have the SAME local admin password
   → One compromised system → all systems compromised!

   Solution: Microsoft LAPS
   → Each local admin account receives a unique, random password
   → Password rotates automatically (default: every 30 days)
   → Password stored in AD object; only authorized users can read it
   → Windows LAPS (starting with Windows 11 22H2): built-in, no add-on!

   Implementation:
   # Enable Windows LAPS (PowerShell):
   Enable-WindowsOptionalFeature -Online -FeatureName &quot;LAPS&quot;
   # Or via GPO: Computer Configuration → Administrative Templates → Windows LAPS

   Impact: Pass-the-hash attacks using a local admin hash work ONLY on this specific host!

2. Protected Users Security Group:
   → Members: Domain Admins, Service Accounts, critical users
   → Prevents: NTLM authentication, RC4 Kerberos, credential caching
   → Kerberos-only, AES encryption enforced
   → Tickets: 4-hour TGT, max. 1-hour service tickets

   Implication for PtH: Without NTLM, no Pass-the-Hash for Protected Users!
   Consequence for Kerberoasting: RC4 disabled → AES only → much harder to crack!

   Configuration:
   Add-ADGroupMember -Identity &quot;Protected Users&quot; -Members &quot;Domain Admins&quot;

3. Credential Guard (Windows):
   → LSASS runs in an isolated virtualization environment (VBS)
   → Mimikatz cannot extract NTLM hashes from LSASS!
   → Requirement: UEFI Secure Boot + virtualization-based security

   GPO: Computer Configuration → Administrative Templates → System → Device Guard
       → &quot;Turn on virtualization-based security&quot;

4. Enforce SMB signing:
   → SMB signing prevents relay attacks (NTLM relay)
   → Without signing: An attacker can relay SMB connections → PtH without a hash!

   GPO:
   Computer Configuration → Windows Settings → Security Settings → Local Policies
   → &quot;Microsoft network server: Digitally sign communications (always)&quot; = ENABLED

5. Network segmentation (micro-segmentation):
   → Workstations MUST NOT communicate directly with other workstations!
   → Server segment: accessible only from admin jump hosts
   → East-West traffic control: every connection explicitly permitted

   Rule: Workstation → Workstation (SMB, WMI, RDP) = DENY
   Exception: only via jump server/PAW (Privileged Access Workstation)

6. Tiered Administration Model:
   Tier 0: Domain Controller, PKI, Azure AD Connect
           → Only Tier 0 accounts can log in here
   Tier 1: Servers (Member Servers, Clusters)
           → Tier 1 accounts, no Tier 0 accounts!
   Tier 2: Workstations, Endpoints
           → Standard user accounts

   Why: Admin account on workstation → Hash stolen → Only workstations accessible
   Without tiering: Workstation admin hash → Entire Active Directory!

7. Just-In-Time (JIT) Administration:
   → No permanent administrator rights!
   → Privileged Access Management (PAM): Rights granted on demand for a limited time
   → Microsoft: Privileged Identity Management (PIM) in Entra ID
   → CyberArk, BeyondTrust: Enterprise PAM

8. Deception Technology:
   → Honeypots and honeytokens on the internal network
   → Honeypot server: no one except attackers connects!
   → Honey credentials in password managers
   → Canary tokens: When accessed → Alert!
   → Lateral movement detected immediately when honeypot is accessed

9. EDR with behavior-based detection:
   □ LSASS dump detection (Mimikatz signature)
   □ Pass-the-hash detection via NTLM anomalies
   □ Unusual remote execution (WMI, WinRM from unknown sources)
   □ Token manipulation detection

10. Network Access Control (NAC):
    → Unregistered devices cannot access the internal network
    → Prevents: Rogue devices from serving as a springboard for lateral movement
    → MDM compliance: Compromised endpoint → VLAN isolation

Preventing lateral movement is one of the most important, yet also most complex, tasks in network security. Perfect protection is not possible—the goal is detection and mitigation: forcing the attacker to leave enough traces so that a well-configured SIEM detects them before they reach their target. AWARE7 assesses the lateral movement resilience of your infrastructure through Red Team exercises and provides concrete action plans.

Request a Red Team Assessment | Penetration Testing