After initial compromise, attackers need to move laterally through an environment to reach their ultimate objectives — domain controllers, backup systems, financial data, intellectual property. Lateral movement is where the difference between a contained incident and a catastrophic breach is determined. It is also where the gap between organizations with mature detection capabilities and those without is most apparent. The median time for an attacker to move laterally from initial compromise to a second host has decreased to under two hours according to CrowdStrike's 2024 Global Threat Report. Detection programs that rely on perimeter alerts and do not monitor internal network behavior are blind to this movement entirely.
This guide covers what lateral movement looks like in network traffic and endpoint telemetry, the detection rules and analytics that identify it, the tools used to collect and correlate this data, and the MITRE ATT&CK techniques that define the threat model for your detection engineering program.
What Lateral Movement Looks Like in Network Traffic
SMB Connections to New Targets
Server Message Block (SMB) is the Windows file sharing and remote administration protocol operating on TCP 445. In a lateral movement scenario, an attacker who has compromised a workstation uses SMB to authenticate to other systems, execute commands via PsExec (which drops a service binary over SMB), or access shared resources. Detection indicators: a workstation (rather than a server) initiating SMB connections to a large number of distinct hosts in a short time window, SMB connections from a workstation to hosts it has never communicated with before, and SMB authentication failures (indicative of credential spraying or pass-the-hash attempts).
WMI and Remote PowerShell
Windows Management Instrumentation (WMI) and PowerShell Remoting (WinRM on TCP 5985/5986) are legitimate Windows remote administration protocols that attackers use for lateral movement because they are built into Windows and blend with administrative traffic. Detection indicators: WMI connections from endpoints (not servers or known management systems), PowerShell remoting connections from non-administrative workstations, and process execution via WMI on remote hosts (visible in Windows Event Log 4688 with parent process wmiprvse.exe).
RDP to New Targets
Remote Desktop Protocol (RDP, TCP 3389) is commonly used for lateral movement because valid credentials plus network access are sufficient to establish an interactive session. Detection indicators: RDP connections from workstations to other workstations (lateral desktop access), RDP connections to servers from hosts that have not historically accessed those servers, and failed RDP authentication attempts (indicative of credential spraying).
Kerberos Ticket Anomalies
Kerberos is the primary authentication protocol in Active Directory environments. Anomalous Kerberos activity is a high-fidelity indicator of credential attacks. Detection indicators: high volumes of Kerberos TGS requests from a single host (potential Kerberoasting — attackers request service tickets for all service accounts to crack offline), Kerberos pre-authentication failures for large numbers of accounts in sequence (AS-REP Roasting or password spraying), TGT requests for accounts that are members of Protected Users (these accounts do not require TGTs in many contexts), and golden ticket indicators (TGTs with unusually long lifetimes or issued by unexpected domain controllers).
Beaconing Detection: Timing Analysis
Command-and-control malware typically communicates with its C2 infrastructure on a regular schedule — beaconing to receive commands, report status, or exfiltrate data. This regularity is detectable through timing analysis of outbound network connections.
Detection methodology: for each source-destination IP pair in NetFlow or proxy logs, calculate the inter-arrival time between connections. Regular beaconing produces low jitter (variance) around a mean interval. Human browsing behavior produces high jitter — humans do not visit websites on precise schedules. An outbound connection to the same external IP with inter-arrival times of 60 ± 5 seconds over multiple hours is strong evidence of automated beaconing. Tools including Zeek's connection log and commercial EDR platforms perform this analysis automatically.
Detection Tools
Zeek (formerly Bro)
Zeek is an open-source network security monitoring framework that generates structured logs of network activity — connection logs, DNS logs, HTTP logs, SSL/TLS logs, Kerberos logs, SMB logs, and more. Zeek does not produce alerts; it produces rich, structured network telemetry that security analysts and SIEM platforms can query to investigate lateral movement patterns. Zeek scripts can implement custom detection logic including beaconing detection, long connection detection, and protocol anomaly detection.
Suricata
Suricata is an open-source IDS/IPS engine that uses signature-based and rule-based detection to generate alerts on network traffic. The Emerging Threats rule set (both open and commercial) includes lateral movement detection rules covering known exploit frameworks, Cobalt Strike beaconing patterns, and common credential attack patterns. Suricata integrated with the Elastic Stack provides full PCAP retention for forensic investigation of detected alerts.
Windows Event Forwarding
Windows Event Forwarding (WEF) centralizes security-relevant Windows event logs from endpoints and servers to a Windows Event Collector, from which they can be forwarded to a SIEM. Critical event IDs for lateral movement detection include: 4624/4625 (logon success/failure), 4648 (explicit credential logon — pass-the-hash indicator), 4672 (special privileges assigned to new logon), 4688 (process creation — requires command line auditing), 7045/7040 (service installation — PsExec indicator), and 5145 (network share access).
MITRE ATT&CK Lateral Movement Techniques
The MITRE ATT&CK framework catalogs adversary behavior by tactic and technique. The Lateral Movement tactic (TA0008) includes the following techniques most commonly encountered in enterprise incident response:
- T1021.001 — Remote Desktop Protocol: Attackers use stolen credentials to authenticate via RDP to systems throughout the environment. Detection: monitor for RDP connections from unexpected sources, failed authentication attempts, and RDP connections outside business hours.
- T1021.002 — SMB/Windows Admin Shares: Attackers use C$ and ADMIN$ administrative shares to copy tools and execute commands via PsExec. Detection: monitor for SMB connections to administrative shares from non-administrative hosts, service creation events (Event ID 7045) following SMB connections.
- T1021.006 — Windows Remote Management: WinRM used for lateral movement via PowerShell remoting. Detection: monitor for WinRM connections from non-management hosts, PowerShell transcript logs for command execution via remoting.
- T1550.002 — Pass-the-Hash: NTLM authentication using captured password hashes without knowledge of the plaintext password. Detection: Event ID 4624 with logon type 3 (network) and authentication package NTLM from unexpected hosts; high volumes of NTLM authentications from a single host.
- T1558.003 — Kerberoasting: Requesting Kerberos service tickets for service accounts to crack offline. Detection: high volume of TGS requests (Event ID 4769) for service accounts with RC4 encryption (etype 17 or 23) from a single source within a short time window.
Building detection coverage for these techniques requires both endpoint telemetry (Windows Event Logs, EDR) and network telemetry (NetFlow, Zeek logs). Neither alone provides complete coverage — pass-the-hash is best detected through endpoint authentication event correlation, while beaconing is best detected through network timing analysis. A mature detection program combines both sources in a SIEM with correlation rules that surface multi-signal indicators.
Fortress MSSP network penetration tests simulate lateral movement through enterprise networks using these exact techniques, generating the empirical evidence needed to validate whether your detection program would catch a real attacker moving through your environment. Our managed infrastructure services include detection engineering and SIEM integration to operationalize lateral movement detection. Contact us to assess your lateral movement detection capabilities.