Lateral movement is where most breaches either get caught or don't. Initial access is often noisy, final impact is obvious, but lateral movement sits in the middle where the signals are subtle, the attacker is using legitimate tools and credentials, and the difference between normal admin activity and an attacker moving through your environment can be genuinely difficult to distinguish.
These detection queries come from production environments at major Canadian financial institutions. They are built around behavioral anomaly detection rather than signature matching because attackers who use stolen credentials and built-in Windows tools generate almost no signatures. The only reliable way to catch them is to know what normal looks like and alert on deviations.
Understanding What You're Looking For
Lateral movement almost always involves one or more of these patterns: an account authenticating to a system it has no history of accessing, authentication volume spikes from a single source, use of remote execution tools like WMI, PSExec, or RDP from unusual sources, and service account activity that doesn't match the account's defined purpose.
The behavioral baseline is not optional. Without 30 days of historical data showing what normal authentication patterns look like for your accounts and systems, you'll generate either overwhelming false positive volume or you'll miss real activity entirely.
Run each query against 30 days of historical data first with no alerting. Document what fires. Anything that fires repeatedly from the same legitimate source gets added to an exclusion list. Only after that baselining process should you convert any of these to detection rules with alerting enabled.
This is the kind of hunt hypothesis Intelligence Pack subscribers get every Tuesday, with the baselining work already done.
Join — $14.99/moCrowdStrike LogScale: First-Time Host Authentication
This query identifies accounts authenticating to hosts they have no recorded history with in the past 30 days. It's one of the strongest lateral movement signals available because legitimate users and service accounts have consistent authentication patterns that change slowly over time.
#event_simpleName=UserLogon
| eval age = now() - timestamp
| where age < 86400000
| join(
{
#event_simpleName=UserLogon
| eval age = now() - timestamp
| where age > 86400000
| where age < 2592000000
| groupBy([UserName, ComputerName],
function=count(as=histCount))
},
field=[UserName, ComputerName],
mode=leftanti
)
| table @timestamp UserName ComputerName
| "sort" @timestamp desc
What the results tell you
- Any account in these results has authenticated to a host with zero history in the past 30 days
- Service accounts in the results are particularly significant because their authentication targets rarely change
- Domain admin accounts appearing here warrant immediate investigation regardless of time of day
- Cluster multiple results by source account to identify whether one account is touching many new hosts, which indicates active lateral movement
Microsoft Sentinel KQL: SMB Lateral Movement Detection
SMB-based lateral movement using tools like PSExec and manual net use commands generates distinctive patterns in authentication logs. This query surfaces accounts making SMB connections to multiple hosts within a short time window, which is characteristic of automated lateral movement tools.
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| summarize
TargetHosts = dcount(RemoteIP),
HostList = make_set(RemoteIP),
ConnectionCount = count()
by DeviceName, InitiatingProcessAccountName,
bin(Timestamp, 1h)
| where TargetHosts > 5
| join kind=inner (
DeviceNetworkEvents
| where Timestamp between (ago(30d) .. ago(1d))
| where RemotePort == 445
| summarize
BaselineHosts = dcount(RemoteIP)
by DeviceName, InitiatingProcessAccountName
) on DeviceName, InitiatingProcessAccountName
| where TargetHosts > BaselineHosts * 2
| project Timestamp, DeviceName,
InitiatingProcessAccountName,
TargetHosts, BaselineHosts,
HostList
| order by TargetHosts desc
Splunk SPL: RDP Authentication Anomaly
RDP is one of the most common lateral movement vectors in enterprise environments. This query detects accounts using RDP to access systems outside their normal authentication pattern, with a focus on off-hours activity which correlates strongly with attacker activity.
index=win_* (sourcetype="WinEventLog:Security")
EventCode=4624 Logon_Type=10
earliest=-30d latest=now
| eval hour=strftime(_time, "%H")
| eval is_offhours=if(hour < "07" OR hour > "19", 1, 0)
| stats
count as total_rdp,
sum(is_offhours) as offhours_rdp,
dc(ComputerName) as unique_targets,
values(ComputerName) as target_list
by Account_Name
| where offhours_rdp > 0
| eval offhours_pct=round(offhours_rdp/total_rdp*100, 1)
| where unique_targets > 3 OR offhours_pct > 50
| sort -offhours_rdp
| table Account_Name total_rdp offhours_rdp
offhours_pct unique_targets target_list
High priority results
- Standard user accounts with RDP access to more than 3 unique targets are worth investigating regardless of timing
- Any account where more than 50% of RDP authentications happen outside business hours deserves closer review
- Service accounts in these results are almost always either compromised or misconfigured
Detecting WMI-Based Lateral Movement
WMI remote execution is a favourite lateral movement technique because it uses a legitimate Windows service, generates less obvious logs than PSExec, and is available on every Windows system by default. Detection focuses on the process creation events generated by WMI on the target system.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "WmiPrvSE.exe"
| where FileName !in~ (
"WmiPrvSE.exe", "unsecapp.exe",
"msiexec.exe", "scrcons.exe"
)
| where ProcessCommandLine !contains "\\REGISTRY\\"
| project Timestamp, DeviceName, AccountName,
FileName, ProcessCommandLine,
InitiatingProcessCommandLine
| order by Timestamp desc
WMI spawning PowerShell, cmd, or scripting engines is particularly suspicious. In most enterprise environments, WMI should spawn very few non-WMI processes. Baseline what yours looks like before alerting.
Pass-the-Hash Detection in Sentinel
Pass-the-hash attacks use stolen NTLM hashes to authenticate without knowing the plaintext password. The distinctive pattern is a network logon using NTLM authentication from a source where the account would not normally use NTLM, particularly when combined with first-time host access.
SecurityEvent
| where TimeGenerated > ago(30d)
| where EventID == 4624
| where LogonType == 3
| where AuthenticationPackageName =~ "NTLM"
| where WorkstationName != ComputerName
| where AccountName !endswith "$"
| summarize
NTLMLogins = count(),
TargetSystems = dcount(ComputerName),
SourceSystems = dcount(WorkstationName),
TargetList = make_set(ComputerName)
by AccountName, bin(TimeGenerated, 1h)
| where NTLMLogins > 10 OR TargetSystems > 3
| order by NTLMLogins desc
NTLM authentication is common in many environments for legitimate reasons. This query will generate false positives in environments that haven't moved fully to Kerberos. Tune aggressively against your baseline before enabling alerting. The combination of high volume and multiple target systems is the real signal.
Building a Lateral Movement Detection Stack
No single query catches all lateral movement. The approach that works in practice is layering multiple detection points and correlating them. An account that shows up in the first-time host authentication query, the SMB volume anomaly query, and the off-hours RDP query all within the same 24-hour window is a near-certain active intrusion regardless of what any individual query shows in isolation.
The investigation flow when lateral movement is confirmed: identify the source of the compromised credential, determine how many systems the account accessed and what data was available on those systems, check for any new scheduled tasks, services, or registry persistence mechanisms created during the access window, and contain before completing the full investigation. The attacker is still moving while you investigate.
Production detection rule, real incident case study, hunt hypothesis with query, and a career tip, every Tuesday. Plus monthly Office Hours, private Discord, and a growing detection archive. First 25 subscribers lock in $14.99/month for life.
Join Intelligence Pack — $14.99/month IR Runbook Bundle — $49Cancel anytime. 30-day money back guarantee.