Threat Hunting for Lateral Movement in Windows Environments

Overview

Lateral movement is a critical phase in most attack chains. Once an attacker gains initial access, they need to move through the network to reach valuable targets. This write-up covers hunting techniques for common lateral movement methods.

Key Data Sources

Windows Security Event Log: Logon events (4624, 4625), privilege use

Sysmon: Process creation, network connections

Windows Remote Management: WinRM and WMI activity

RDP Logs: Terminal Services events

Hunting Queries

PsExec Detection

PsExec creates a named pipe and service for remote execution:

event.code: 1 AND 
process.name: "PSEXESVC.exe" OR
(process.name: "services.exe" AND process.command_line: *PSEXESVC*)

WMI Remote Execution

event.code: 1 AND 
process.parent.name: "WmiPrvSE.exe" AND
NOT process.name: ("WmiPrvSE.exe", "WmiApSrv.exe")

Suspicious RDP Activity

event.code: 4624 AND 
winlog.event_data.LogonType: 10 AND
source.ip: (10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16)

Hunting Workflow

Baseline normal activity: Understand what legitimate admin tools look like

Identify anomalies: Focus on workstation-to-workstation connections

Correlate with other events: Look for preceding reconnaissance or following data access

Timeline analysis: Build attack narrative

Indicators to Escalate

Service installation on multiple hosts in short timeframe

Admin tool usage from non-admin workstations

Lateral movement outside business hours

Connections to sensitive servers from unexpected sources