Lateral movement is where most breaches either get caught or don't. Initial access is often noisy, final impact is obvious, but lateral movement sits in the middle where the signals are subtle, the attacker is using legitimate tools and credentials, and the difference between normal admin activity and an attacker moving through your environment can be genuinely difficult to distinguish.

These detection queries come from production environments at major Canadian financial institutions. They are built around behavioral anomaly detection rather than signature matching because attackers who use stolen credentials and built-in Windows tools generate almost no signatures. The only reliable way to catch them is to know what normal looks like and alert on deviations.

Understanding What You're Looking For

Lateral movement almost always involves one or more of these patterns: an account authenticating to a system it has no history of accessing, authentication volume spikes from a single source, use of remote execution tools like WMI, PSExec, or RDP from unusual sources, and service account activity that doesn't match the account's defined purpose.

The behavioral baseline is not optional. Without 30 days of historical data showing what normal authentication patterns look like for your accounts and systems, you'll generate either overwhelming false positive volume or you'll miss real activity entirely.

Before You Run These Queries

Run each query against 30 days of historical data first with no alerting. Document what fires. Anything that fires repeatedly from the same legitimate source gets added to an exclusion list. Only after that baselining process should you convert any of these to detection rules with alerting enabled.

This is the kind of hunt hypothesis Intelligence Pack subscribers get every Tuesday, with the baselining work already done.

Join — $14.99/mo

CrowdStrike LogScale: First-Time Host Authentication

This query identifies accounts authenticating to hosts they have no recorded history with in the past 30 days. It's one of the strongest lateral movement signals available because legitimate users and service accounts have consistent authentication patterns that change slowly over time.

#event_simpleName=UserLogon
| eval age = now() - timestamp
| where age < 86400000
| join(
    {
      #event_simpleName=UserLogon
      | eval age = now() - timestamp
      | where age > 86400000
      | where age < 2592000000
      | groupBy([UserName, ComputerName],
          function=count(as=histCount))
    },
    field=[UserName, ComputerName],
    mode=leftanti
  )
| table @timestamp UserName ComputerName
| "sort" @timestamp desc

What the results tell you

Microsoft Sentinel KQL: SMB Lateral Movement Detection

SMB-based lateral movement using tools like PSExec and manual net use commands generates distinctive patterns in authentication logs. This query surfaces accounts making SMB connections to multiple hosts within a short time window, which is characteristic of automated lateral movement tools.

DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| summarize
    TargetHosts = dcount(RemoteIP),
    HostList = make_set(RemoteIP),
    ConnectionCount = count()
    by DeviceName, InitiatingProcessAccountName,
       bin(Timestamp, 1h)
| where TargetHosts > 5
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp between (ago(30d) .. ago(1d))
    | where RemotePort == 445
    | summarize
        BaselineHosts = dcount(RemoteIP)
        by DeviceName, InitiatingProcessAccountName
    ) on DeviceName, InitiatingProcessAccountName
| where TargetHosts > BaselineHosts * 2
| project Timestamp, DeviceName,
    InitiatingProcessAccountName,
    TargetHosts, BaselineHosts,
    HostList
| order by TargetHosts desc

Splunk SPL: RDP Authentication Anomaly

RDP is one of the most common lateral movement vectors in enterprise environments. This query detects accounts using RDP to access systems outside their normal authentication pattern, with a focus on off-hours activity which correlates strongly with attacker activity.

index=win_* (sourcetype="WinEventLog:Security")
EventCode=4624 Logon_Type=10
earliest=-30d latest=now
| eval hour=strftime(_time, "%H")
| eval is_offhours=if(hour < "07" OR hour > "19", 1, 0)
| stats
    count as total_rdp,
    sum(is_offhours) as offhours_rdp,
    dc(ComputerName) as unique_targets,
    values(ComputerName) as target_list
    by Account_Name
| where offhours_rdp > 0
| eval offhours_pct=round(offhours_rdp/total_rdp*100, 1)
| where unique_targets > 3 OR offhours_pct > 50
| sort -offhours_rdp
| table Account_Name total_rdp offhours_rdp
    offhours_pct unique_targets target_list

High priority results

Detecting WMI-Based Lateral Movement

WMI remote execution is a favourite lateral movement technique because it uses a legitimate Windows service, generates less obvious logs than PSExec, and is available on every Windows system by default. Detection focuses on the process creation events generated by WMI on the target system.

DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "WmiPrvSE.exe"
| where FileName !in~ (
    "WmiPrvSE.exe", "unsecapp.exe",
    "msiexec.exe", "scrcons.exe"
  )
| where ProcessCommandLine !contains "\\REGISTRY\\"
| project Timestamp, DeviceName, AccountName,
    FileName, ProcessCommandLine,
    InitiatingProcessCommandLine
| order by Timestamp desc

WMI spawning PowerShell, cmd, or scripting engines is particularly suspicious. In most enterprise environments, WMI should spawn very few non-WMI processes. Baseline what yours looks like before alerting.

Pass-the-Hash Detection in Sentinel

Pass-the-hash attacks use stolen NTLM hashes to authenticate without knowing the plaintext password. The distinctive pattern is a network logon using NTLM authentication from a source where the account would not normally use NTLM, particularly when combined with first-time host access.

SecurityEvent
| where TimeGenerated > ago(30d)
| where EventID == 4624
| where LogonType == 3
| where AuthenticationPackageName =~ "NTLM"
| where WorkstationName != ComputerName
| where AccountName !endswith "$"
| summarize
    NTLMLogins = count(),
    TargetSystems = dcount(ComputerName),
    SourceSystems = dcount(WorkstationName),
    TargetList = make_set(ComputerName)
    by AccountName, bin(TimeGenerated, 1h)
| where NTLMLogins > 10 OR TargetSystems > 3
| order by NTLMLogins desc
Important Context

NTLM authentication is common in many environments for legitimate reasons. This query will generate false positives in environments that haven't moved fully to Kerberos. Tune aggressively against your baseline before enabling alerting. The combination of high volume and multiple target systems is the real signal.

Building a Lateral Movement Detection Stack

No single query catches all lateral movement. The approach that works in practice is layering multiple detection points and correlating them. An account that shows up in the first-time host authentication query, the SMB volume anomaly query, and the off-hours RDP query all within the same 24-hour window is a near-certain active intrusion regardless of what any individual query shows in isolation.

The investigation flow when lateral movement is confirmed: identify the source of the compromised credential, determine how many systems the account accessed and what data was available on those systems, check for any new scheduled tasks, services, or registry persistence mechanisms created during the access window, and contain before completing the full investigation. The attacker is still moving while you investigate.

Intelligence Pack
A new hunt hypothesis like this every Tuesday

Production detection rule, real incident case study, hunt hypothesis with query, and a career tip, every Tuesday. Plus monthly Office Hours, private Discord, and a growing detection archive. First 25 subscribers lock in $14.99/month for life.

Join Intelligence Pack — $14.99/month IR Runbook Bundle — $49

Cancel anytime. 30-day money back guarantee.