Lateral Movement Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
| --- | --- | --- | --- | --- | --- |
| Splunk Code Injection via custom dashboard leading to RCE | | T1210 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Splunk RCE PDFgen Render | Splunk | T1210 | TTP | Splunk Vulnerabilities | 2026-05-14 |
| Splunk RCE Through Arbitrary File Write to Windows System Root | Splunk | T1210 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Splunk App for Lookup File Editing RCE via User XSLT | | T1210 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Splunk RCE via User XSLT | | T1210 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Windows Excel Spawning Microsoft Project Application | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.003 | Anomaly | PathWiper | 2026-05-13 |
| Windows AD Suspicious Attribute Modification | Windows Event Log Security 5136 | T1222.001, T1550 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows RDP Bitmap Cache File Creation | Sysmon EventID 11 | T1021.001 | Anomaly | Windows RDP Artifacts and Defense Evasion | 2026-05-13 |
| Windows Remote Management Execute Shell | Sysmon EventID 1, Windows Event Log Security 4688 | T1021.006 | Anomaly | Crypto Stealer | 2026-05-13 |
| Impacket Lateral Movement Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.002, T1021.003, T1047, T1543.003 | TTP | Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, WhisperGate, Gozi Malware, Graceful Wipe Out Attack, Storm-0501 Ransomware, Compromised Windows Host, CISA AA22-277A, Volt Typhoon | 2026-05-13 |
| Windows Azure PowerShell Module Installation Via PowerShell Script | Powershell Script Block Logging 4104 | T1021.007, T1069.003, T1078, T1098, T1136.003 | Anomaly | Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Remote Process Instantiation via WinRM and Winrs | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.006 | TTP | Active Directory Lateral Movement | 2026-05-13 |
| Windows Default RDP File Creation By Non MSTSC Process | Sysmon EventID 11, Sysmon EventID 1 | T1021.001 | Anomaly | Windows RDP Artifacts and Defense Evasion | 2026-05-13 |
| Enable RDP In Other Port Number | Sysmon EventID 13 | T1021 | TTP | Windows Registry Abuse, Windows RDP Artifacts and Defense Evasion, Prohibited Traffic Allowed or Protocol Mismatch, Interlock Ransomware | 2026-05-13 |
| Windows SpeechRuntime COM Hijacking DLL Load | Sysmon EventID 7 | T1021.003 | TTP | Scattered Lapsus$ Hunters, Active Directory Lateral Movement, Compromised Windows Host | 2026-05-13 |
| Windows Process Execution From RDP Share | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.001, T1059, T1105 | Anomaly | Hidden Cobra Malware | 2026-05-13 |
| Linux SSH Remote Services Script Execute | Sysmon for Linux EventID 1 | T1021.004 | TTP | Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows Replication Through Removable Media | Sysmon EventID 11 | T1091 | TTP | NjRAT, Derusbi, China-Nexus Threat Activity, Salt Typhoon, Chaos Ransomware, APT37 Rustonotto and FadeStealer, PlugX | 2026-05-13 |
| Rubeus Kerberos Ticket Exports Through Winlogon Access | Sysmon EventID 10 | T1550.003 | TTP | ZOVWiper, CISA AA23-347A, Scattered Lapsus$ Hunters, BlackSuit Ransomware, Active Directory Kerberos Attacks | 2026-05-13 |
| Windows Default Rdp File Unhidden | Sysmon EventID 1 | T1021.001 | Anomaly | Windows RDP Artifacts and Defense Evasion | 2026-05-13 |
| Windows RDP Server Registry Entry Created | Sysmon EventID 13 | T1021.001 | Anomaly | Windows RDP Artifacts and Defense Evasion | 2026-05-13 |
| Windows RDP Client Launched with Admin Session | Sysmon EventID 1 | T1021.001 | Anomaly | Windows RDP Artifacts and Defense Evasion | 2026-05-13 |
| Impacket Lateral Movement smbexec CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.002, T1021.003, T1047, T1543.003 | TTP | Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, WhisperGate, Graceful Wipe Out Attack, Compromised Windows Host, CISA AA22-277A, Volt Typhoon | 2026-05-13 |
| Rubeus Command Line Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1550.003, T1558.003, T1558.004 | TTP | ZOVWiper, CISA AA23-347A, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, BlackSuit Ransomware, Active Directory Kerberos Attacks | 2026-05-13 |
| Impacket Lateral Movement WMIExec Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.002, T1021.003, T1047, T1543.003 | TTP | Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, WhisperGate, Gozi Malware, Graceful Wipe Out Attack, Storm-0501 Ransomware, Compromised Windows Host, CISA AA22-277A, Volt Typhoon | 2026-05-13 |
| Windows Remote Services Allow Rdp In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.001 | Anomaly | Windows RDP Artifacts and Defense Evasion, Azorult | 2026-05-13 |
| Windows Steal Authentication Certificates - ESC1 Authentication | Windows Event Log Security 4887, Windows Event Log Security 4768 | T1550, T1649 | TTP | Compromised Windows Host, Windows Certificate Services | 2026-05-13 |
| Remote Process Instantiation via DCOM and PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.003 | TTP | Active Directory Lateral Movement, Compromised Windows Host | 2026-05-13 |
| Windows Process Executed From Removable Media | Sysmon EventID 13, Sysmon EventID 1 | T1025, T1091, T1200 | Anomaly | APT37 Rustonotto and FadeStealer, Data Protection | 2026-05-13 |
| Windows Suspicious Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | T1021.002, T1055, T1559 | TTP | DarkSide Ransomware, Cobalt Strike, Remote Monitoring and Management Software, Hellcat Ransomware, Gozi Malware, LockBit Ransomware, Graceful Wipe Out Attack, Trickbot, APT37 Rustonotto and FadeStealer, Meterpreter, Brute Ratel C4, Tuoni, BlackByte Ransomware | 2026-05-13 |
| Mmc LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.003, T1218.014 | TTP | Living Off The Land, XML Runner Loader, Water Gamayun, Active Directory Lateral Movement | 2026-05-13 |
| Detect Computer Changed with Anonymous Account | Windows Event Log Security 4742 | T1210 | Hunting | Detect Zerologon Attack | 2026-05-13 |
| Windows RDP Login Session Was Established | Windows Event Log Security 4624 | T1021.001 | Anomaly | Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters | 2026-05-13 |
| Allow Inbound Traffic By Firewall Rule Registry | Sysmon EventID 13 | T1021.001 | TTP | Prohibited Traffic Allowed or Protocol Mismatch, NjRAT, Azorult, Windows Registry Abuse, Medusa Ransomware, PlugX | 2026-05-13 |
| Windows Special Privileged Logon On Multiple Hosts | Windows Event Log Security 4672 | T1021.002, T1087, T1135 | TTP | Active Directory Privilege Escalation, Active Directory Lateral Movement, Compromised Windows Host | 2026-05-13 |
| Windows SpeechRuntime Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.003 | TTP | Active Directory Lateral Movement, Compromised Windows Host | 2026-05-13 |
| Mimikatz PassTheTicket CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1550.003 | TTP | CISA AA23-347A, CISA AA22-320A, Scattered Lapsus$ Hunters, Sandworm Tools, Active Directory Kerberos Attacks | 2026-05-13 |
| Windows WPDBusEnum Registry Key Modification | Sysmon EventID 13, Sysmon EventID 12 | T1025, T1091, T1200 | Anomaly | APT37 Rustonotto and FadeStealer, Data Protection | 2026-05-13 |
| Detect PsExec With accepteula Flag | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.002 | TTP | HAFNIUM Group, DarkGate Malware, Seashell Blizzard, Active Directory Lateral Movement, DarkSide Ransomware, Volt Typhoon, Sandworm Tools, SamSam Ransomware, Storm-0501 Ransomware, Rhysida Ransomware, Cactus Ransomware, VanHelsing Ransomware, DHS Report TA18-074A, CISA AA22-320A, Medusa Ransomware, BlackByte Ransomware, IcedID | 2026-05-13 |
| Windows Remote Services Allow Remote Assistance | Sysmon EventID 13 | T1021.001 | Anomaly | Azorult | 2026-05-13 |
| Windows Remote Host Computer Management Access | Sysmon EventID 1, Windows Event Log Security 4688 | T1021.006 | Anomaly | Medusa Ransomware | 2026-05-13 |
| Windows Remote Services Rdp Enable | Sysmon EventID 13 | T1021.001 | TTP | Windows RDP Artifacts and Defense Evasion, Medusa Ransomware, BlackSuit Ransomware, Azorult | 2026-05-13 |
| Possible Lateral Movement PowerShell Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1 | T1021.003, T1021.006, T1047, T1053.005, T1059.001, T1218.014, T1543.003 | Anomaly | Scheduled Tasks, Microsoft WSUS CVE-2025-59287, Active Directory Lateral Movement, Data Destruction, Malicious PowerShell, CISA AA24-241A, Hermetic Wiper | 2026-05-13 |
| Active Directory Lateral Movement Identified | | T1210 | Correlation | Active Directory Lateral Movement | 2026-05-13 |
| Windows Process With NetExec Command Line Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1550.003, T1558.003, T1558.004 | TTP | Active Directory Privilege Escalation, Active Directory Kerberos Attacks | 2026-05-13 |
| Detection of tools built by NirSoft | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1072 | Anomaly | Emotet Malware DHS Report TA18-201A | 2026-05-13 |
| Interactive Session on Remote Endpoint with PowerShell | Powershell Script Block Logging 4104 | T1021.006 | TTP | Active Directory Lateral Movement | 2026-05-13 |
| Windows RDP Connection Successful | Windows Event Log RemoteConnectionManager 1149 | T1563.002 | Hunting | Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement, NetSupport RMM Tool Abuse, Interlock Ransomware, BlackByte Ransomware | 2026-05-13 |
| Allow Inbound Traffic In Firewall Rule | Powershell Script Block Logging 4104 | T1021.001 | TTP | Prohibited Traffic Allowed or Protocol Mismatch, NetSupport RMM Tool Abuse | 2026-05-13 |
| Kerberos TGT Request Using RC4 Encryption | Windows Event Log Security 4768 | T1550 | TTP | Scattered Lapsus$ Hunters, Active Directory Kerberos Attacks | 2026-05-13 |
| Remote Desktop Process Running On System | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.001 | Hunting | Windows RDP Artifacts and Defense Evasion, Hidden Cobra Malware, Active Directory Lateral Movement | 2026-05-13 |
| Windows Suspicious C2 Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | T1021.002, T1055, T1559 | TTP | DarkSide Ransomware, Cobalt Strike, Remote Monitoring and Management Software, Hellcat Ransomware, Gozi Malware, LockBit Ransomware, Storm-0501 Ransomware, Graceful Wipe Out Attack, Trickbot, APT37 Rustonotto and FadeStealer, Meterpreter, Brute Ratel C4, Tuoni, BlackByte Ransomware | 2026-05-13 |
| Remote Process Instantiation via DCOM and PowerShell Script Block | Powershell Script Block Logging 4104 | T1021.003 | TTP | Active Directory Lateral Movement | 2026-05-13 |
| Windows RMM Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | T1021.002, T1055, T1559 | Anomaly | Remote Monitoring and Management Software, Gozi Malware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Scattered Lapsus$ Hunters, Scattered Spider, Cactus Ransomware, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Seashell Blizzard | 2026-05-13 |
| Windows USBSTOR Registry Key Modification | Sysmon EventID 13, Sysmon EventID 12 | T1025, T1091, T1200 | Anomaly | APT37 Rustonotto and FadeStealer, Data Protection | 2026-05-13 |
| Windows PuTTY Suite Utility Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.004 | Anomaly | Active Directory Lateral Movement, Command And Control | 2026-05-13 |
| Remote Process Instantiation via WinRM and PowerShell Script Block | Powershell Script Block Logging 4104 | T1021.006 | TTP | Active Directory Lateral Movement | 2026-05-13 |
| Windows Protocol Tunneling with Plink | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.004, T1572 | TTP | CISA AA22-257A | 2026-05-13 |
| Windows Theme File Creation in Unusual Location | Sysmon EventID 11 | T1021.002, T1187, T1557.001 | Anomaly | Spearphishing Attachments | 2026-05-13 |
| Windows PUA Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | T1021.002, T1055, T1559 | Anomaly | HAFNIUM Group, Seashell Blizzard, Active Directory Lateral Movement, DarkSide Ransomware, Volt Typhoon, Sandworm Tools, Medusa Ransomware, SamSam Ransomware, Cactus Ransomware, Rhysida Ransomware, VanHelsing Ransomware, DHS Report TA18-074A, CISA AA22-320A, DarkGate Malware, BlackByte Ransomware, IcedID | 2026-05-13 |
| Powershell Remote Services Add TrustedHost | Powershell Script Block Logging 4104 | T1021.006 | TTP | DarkGate Malware | 2026-05-13 |
| Windows MSTSC RDP Commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.001 | Anomaly | Windows RDP Artifacts and Defense Evasion, Medusa Ransomware | 2026-05-13 |
| Windows Remote Service Rdpwinst Tool Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.001 | TTP | Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters, Compromised Windows Host, Azorult | 2026-05-13 |
| Executable File Written in Administrative SMB Share | Windows Event Log Security 5145 | T1021.002 | TTP | Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, Graceful Wipe Out Attack, Trickbot, Compromised Windows Host, Hermetic Wiper, VanHelsing Ransomware, BlackSuit Ransomware, IcedID | 2026-05-13 |
| Windows Service Create with Tscon | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003, T1563.002 | TTP | Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement, Compromised Windows Host | 2026-05-13 |
| Remote Process Instantiation via WinRM and PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.006 | TTP | Active Directory Lateral Movement | 2026-05-13 |
| Unknown Process Using The Kerberos Protocol | Sysmon EventID 1, Sysmon EventID 3 | T1550 | TTP | BlackSuit Ransomware, Active Directory Kerberos Attacks | 2026-05-13 |
| Wsmprovhost LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.006 | TTP | CISA AA24-241A, Hellcat Ransomware, Active Directory Lateral Movement | 2026-05-13 |
| Windows RDP File Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.001, T1598.002 | TTP | Interlock Ransomware, Windows RDP Artifacts and Defense Evasion, Spearphishing Attachments | 2026-05-13 |
| VMWare Aria Operations Exploit Attempt | Palo Alto Network Threat | T1068, T1133, T1190, T1210 | TTP | VMware Aria Operations vRealize CVE-2023-20887 | 2026-05-13 |
| Cisco IOS XE Remote Access Probe Burst | Cisco IOS Logs | T1018, T1021.004, T1046 | Anomaly | Salt Typhoon | 2026-05-20 |
| ESXi Shell Access Enabled | VMWare ESXi Syslog | T1021 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| ESXi SSH Enabled | VMWare ESXi Syslog | T1021.004 | TTP | Hellcat Ransomware, ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Okta Multiple Failed Requests to Access Applications | Okta | T1538, T1550.004 | Hunting | Okta Account Takeover | 2026-05-13 |
| Cisco IOS XE VTY Access Class Tampering | Cisco IOS Logs | T1021, T1562 | Anomaly | Salt Typhoon | 2026-05-20 |
| Microsoft Intune Device Health Scripts | Azure Monitor Activity | T1021.007, T1072, T1105, T1202 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Microsoft Intune Mobile Apps | Azure Monitor Activity | T1021.007, T1072, T1105, T1202 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Microsoft Intune Manual Device Management | Azure Monitor Activity | T1021.007, T1072, T1529 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| AWS Bedrock Invoke Model Access Denied | AWS CloudTrail | T1078, T1550 | TTP | AWS Bedrock Security | 2026-05-13 |
| Microsoft Intune DeviceManagementConfigurationPolicies | Azure Monitor Activity | T1021.007, T1072, T1484, T1685, T1686 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Remote Desktop Network Traffic | Zeek Conn | T1021.001 | Anomaly | Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement, SamSam Ransomware, Ryuk Ransomware, Hidden Cobra Malware | 2026-05-13 |
| Cisco Privileged Account Creation with HTTP Command Execution | | T1021.004, T1078, T1136 | Correlation | Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Communication Over Suspicious Ports | Cisco Secure Firewall Threat Defense Connection Event | T1021, T1055, T1059.001, T1105, T1219, T1571 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Static Tundra Smart Install Abuse | Cisco Secure Firewall Threat Defense Intrusion Event | T1190, T1210, T1499 | TTP | Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171 | 2026-05-13 |
| Cisco Privileged Account Creation with Suspicious SSH Activity | | T1021.004, T1078, T1136 | Correlation | Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - SSH Connection to Non-Standard Port | Cisco Secure Firewall Threat Defense Intrusion Event | T1021.004 | Anomaly | Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Network Interface Modifications | Cisco IOS Logs | T1021, T1133, T1556 | Anomaly | Cisco Smart Install Remote Code Execution CVE-2018-0171 | 2026-05-13 |
| Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity | Cisco Secure Firewall Threat Defense Intrusion Event | T1003.001, T1059.001, T1190, T1210 | TTP | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Lumma Stealer Activity | Cisco Secure Firewall Threat Defense Intrusion Event | T1027, T1190, T1204, T1210 | TTP | Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| SMB Traffic Spike | | T1021.002 | Anomaly | DHS Report TA18-074A, Hidden Cobra Malware, Ransomware, Emotet Malware DHS Report TA18-201A | 2026-05-13 |
| Cisco Secure Firewall - SSH Connection to sshd_operns | Cisco Secure Firewall Threat Defense Intrusion Event | T1021.004 | Anomaly | Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |