Lateral Movement Detections

Name | Data Source | Technique | Type | Analytic Story | Date
--- | --- | --- | --- | --- | ---
Okta Multiple Failed Requests to Access Applications | Okta | Web Session Cookie, Cloud Service Dashboard | Hunting | Okta Account Takeover | 2025-05-02
Splunk App for Lookup File Editing RCE via User XSLT | | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2025-05-02
Splunk Code Injection via custom dashboard leading to RCE | | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2025-05-02
Splunk RCE PDFgen Render | Splunk | Exploitation of Remote Services | TTP | Splunk Vulnerabilities | 2025-05-02
Splunk RCE Through Arbitrary File Write to Windows System Root | Splunk | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2025-05-02
Splunk RCE via User XSLT | | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2025-05-02
AWS Bedrock Invoke Model Access Denied | AWS CloudTrail | Valid Accounts, Use Alternate Authentication Material | TTP | AWS Bedrock Security | 2025-05-02
Microsoft Intune Device Health Scripts | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2025-05-02
Microsoft Intune DeviceManagementConfigurationPolicies | Azure Monitor Activity | Software Deployment Tools, Domain or Tenant Policy Modification, Cloud Services, Disable or Modify Tools, Disable or Modify System Firewall | Hunting | Azure Active Directory Account Takeover | 2025-05-02
Microsoft Intune Manual Device Management | Azure Monitor Activity | Cloud Services, Software Deployment Tools, System Shutdown/Reboot | Hunting | Azure Active Directory Account Takeover | 2025-05-02
Microsoft Intune Mobile Apps | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2025-06-10
Active Directory Lateral Movement Identified | | Exploitation of Remote Services | Correlation | Active Directory Lateral Movement | 2025-05-02
Allow Inbound Traffic By Firewall Rule Registry | Sysmon EventID 13 | Remote Desktop Protocol | TTP | Azorult, Medusa Ransomware, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse | 2025-05-02
Allow Inbound Traffic In Firewall Rule | Powershell Script Block Logging 4104 | Remote Desktop Protocol | TTP | Prohibited Traffic Allowed or Protocol Mismatch | 2025-05-02
Detect Computer Changed with Anonymous Account | Windows Event Log Security 4624, Windows Event Log Security 4742 | Exploitation of Remote Services | Hunting | Detect Zerologon Attack | 2025-05-02
Detect PsExec With accepteula Flag | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | SMB/Windows Admin Shares | TTP | Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, Cactus Ransomware, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Medusa Ransomware, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Seashell Blizzard, VanHelsing Ransomware, Volt Typhoon | 2025-05-02
Detection of tools built by NirSoft | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Software Deployment Tools | Anomaly | Emotet Malware DHS Report TA18-201A | 2025-05-02
Enable RDP In Other Port Number | Sysmon EventID 13 | Remote Services | TTP | Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse | 2025-05-02
Executable File Written in Administrative SMB Share | Windows Event Log Security 5145 | SMB/Windows Admin Shares | TTP | Active Directory Lateral Movement, BlackSuit Ransomware, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, IcedID, Industroyer2, Prestige Ransomware, Trickbot, VanHelsing Ransomware | 2025-05-02
Impacket Lateral Movement Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2025-05-02
Impacket Lateral Movement smbexec CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2025-05-02
Impacket Lateral Movement WMIExec Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2025-05-02
Interactive Session on Remote Endpoint with PowerShell | Powershell Script Block Logging 4104 | Windows Remote Management | TTP | Active Directory Lateral Movement | 2025-05-02
Kerberos TGT Request Using RC4 Encryption | Windows Event Log Security 4768 | Use Alternate Authentication Material | TTP | Active Directory Kerberos Attacks | 2025-05-02
Linux SSH Remote Services Script Execute | Sysmon for Linux EventID 1 | SSH | TTP | Linux Living Off The Land | 2025-05-02
Mimikatz PassTheTicket CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Pass the Ticket | TTP | Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools | 2025-05-02
Mmc LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Distributed Component Object Model, MMC | TTP | Active Directory Lateral Movement, Living Off The Land, Water Gamayun | 2025-05-02
Possible Lateral Movement PowerShell Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service | TTP | Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks | 2025-05-02
Powershell Remote Services Add TrustedHost | Powershell Script Block Logging 4104 | Windows Remote Management | TTP | DarkGate Malware | 2025-05-02
Remote Desktop Process Running On System | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Desktop Protocol | Hunting | Active Directory Lateral Movement, Hidden Cobra Malware | 2025-05-02
Remote Process Instantiation via DCOM and PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Distributed Component Object Model | TTP | Active Directory Lateral Movement, Compromised Windows Host | 2025-05-02
Remote Process Instantiation via DCOM and PowerShell Script Block | Powershell Script Block Logging 4104 | Distributed Component Object Model | TTP | Active Directory Lateral Movement | 2025-05-02
Remote Process Instantiation via WinRM and PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Remote Management | TTP | Active Directory Lateral Movement | 2025-05-02
Remote Process Instantiation via WinRM and PowerShell Script Block | Powershell Script Block Logging 4104 | Windows Remote Management | TTP | Active Directory Lateral Movement | 2025-05-02
Remote Process Instantiation via WinRM and Winrs | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Remote Management | TTP | Active Directory Lateral Movement | 2025-05-02
Rubeus Command Line Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A | 2025-05-02
Rubeus Kerberos Ticket Exports Through Winlogon Access | Sysmon EventID 10 | Pass the Ticket | TTP | Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A | 2025-05-02
Unknown Process Using The Kerberos Protocol | Sysmon EventID 1, Sysmon EventID 3 | Use Alternate Authentication Material | TTP | Active Directory Kerberos Attacks, BlackSuit Ransomware | 2025-05-02
Windows AD Suspicious Attribute Modification | Windows Event Log Security 5136 | Windows File and Directory Permissions Modification, Use Alternate Authentication Material | TTP | Sneaky Active Directory Persistence Tricks | 2025-05-02
Windows MSTSC RDP Commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Desktop Protocol | Anomaly | Medusa Ransomware | 2025-05-02
Windows Process Executed From Removable Media | Sysmon EventID 1, Sysmon EventID 13 | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly | Data Protection | 2025-06-10
Windows Process With NetExec Command Line Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation | 2025-05-02
Windows Protocol Tunneling with Plink | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Protocol Tunneling, SSH | TTP | CISA AA22-257A | 2025-05-02
Windows RDP Connection Successful | Windows Event Log RemoteConnectionManager 1149 | RDP Hijacking | Hunting | Active Directory Lateral Movement, BlackByte Ransomware | 2025-05-02
Windows RDP File Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Spearphishing Attachment, Remote Desktop Protocol | TTP | Spearphishing Attachments | 2025-05-02
Windows Remote Host Computer Management Access | Sysmon EventID 1, Windows Event Log Security 4688 | Windows Remote Management | Anomaly | Medusa Ransomware | 2025-05-02
Windows Remote Management Execute Shell | Sysmon EventID 1, Windows Event Log Security 4688 | Windows Remote Management | Anomaly | Crypto Stealer | 2025-05-02
Windows Remote Service Rdpwinst Tool Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Desktop Protocol | TTP | Azorult, Compromised Windows Host | 2025-05-02
Windows Remote Services Allow Rdp In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Desktop Protocol | Anomaly | Azorult | 2025-05-02
Windows Remote Services Allow Remote Assistance | Sysmon EventID 13 | Remote Desktop Protocol | Anomaly | Azorult | 2025-05-02
Windows Remote Services Rdp Enable | Sysmon EventID 13 | Remote Desktop Protocol | TTP | Azorult, BlackSuit Ransomware, Medusa Ransomware | 2025-05-02
Windows Replication Through Removable Media | Sysmon EventID 11 | Replication Through Removable Media | TTP | Chaos Ransomware, China-Nexus Threat Activity, Derusbi, NjRAT, PlugX, Salt Typhoon | 2025-05-06
Windows Service Create with Tscon | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Service, RDP Hijacking | TTP | Active Directory Lateral Movement, Compromised Windows Host | 2025-05-02
Windows Special Privileged Logon On Multiple Hosts | Windows Event Log Security 4672 | Account Discovery, SMB/Windows Admin Shares, Network Share Discovery | TTP | Active Directory Lateral Movement, Active Directory Privilege Escalation, Compromised Windows Host | 2025-05-02
Windows Steal Authentication Certificates - ESC1 Authentication | Windows Event Log Security 4768, Windows Event Log Security 4887 | Steal or Forge Authentication Certificates, Use Alternate Authentication Material | TTP | Compromised Windows Host, Windows Certificate Services | 2025-05-02
Windows USBSTOR Registry Key Modification | Sysmon EventID 12, Sysmon EventID 13 | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly | Data Protection | 2025-05-02
Windows WPDBusEnum Registry Key Modification | Sysmon EventID 12, Sysmon EventID 13 | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly | Data Protection | 2025-05-02
Wsmprovhost LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Remote Management | TTP | Active Directory Lateral Movement, CISA AA24-241A | 2025-05-02
Cisco Secure Firewall - Communication Over Suspicious Ports | Cisco Secure Firewall Threat Defense Connection Event | Remote Services, Process Injection, PowerShell, Ingress Tool Transfer, Remote Access Tools, Non-Standard Port | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Lumma Stealer Activity | Cisco Secure Firewall Threat Defense Intrusion Event | Exploit Public-Facing Application, Exploitation of Remote Services, Obfuscated Files or Information, User Execution | TTP | Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer | 2025-04-28
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity | Cisco Secure Firewall Threat Defense Intrusion Event | Exploit Public-Facing Application, Exploitation of Remote Services, PowerShell, LSASS Memory | TTP | Cisco Secure Firewall Threat Defense Analytics | 2025-04-14
Remote Desktop Network Traffic | Zeek Conn | Remote Desktop Protocol | Anomaly | Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware | 2025-05-02
SMB Traffic Spike | | SMB/Windows Admin Shares | Anomaly | DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware | 2025-05-02
SMB Traffic Spike - MLTK | | SMB/Windows Admin Shares | Anomaly | DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware | 2025-05-02
VMWare Aria Operations Exploit Attempt | Palo Alto Network Threat | External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation | TTP | VMware Aria Operations vRealize CVE-2023-20887 | 2025-05-02