Lateral Movement Detections

Name Data Source Technique Type Analytic Story Date
Splunk Code Injection via custom dashboard leading to RCE T1210 Hunting Splunk Vulnerabilities 2026-05-14
Splunk RCE PDFgen Render Splunk T1210 TTP Splunk Vulnerabilities 2026-05-14
Splunk RCE Through Arbitrary File Write to Windows System Root Splunk T1210 Hunting Splunk Vulnerabilities 2026-05-14
Splunk App for Lookup File Editing RCE via User XSLT T1210 Hunting Splunk Vulnerabilities 2026-05-14
Splunk RCE via User XSLT T1210 Hunting Splunk Vulnerabilities 2026-05-14
Windows Excel Spawning Microsoft Project Application Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.003 Anomaly PathWiper 2026-05-13
Windows AD Suspicious Attribute Modification Windows Event Log Security 5136 T1222.001 T1550 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows RDP Bitmap Cache File Creation Sysmon EventID 11 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Remote Management Execute Shell Windows Event Log Security 4688, Sysmon EventID 1 T1021.006 Anomaly Crypto Stealer 2026-05-13
Impacket Lateral Movement Commandline Parameters Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.002 T1021.003 T1047 T1543.003 TTP Storm-0501 Ransomware, Data Destruction, Prestige Ransomware, CISA AA22-277A, Active Directory Lateral Movement, Gozi Malware, Industroyer2, WhisperGate, Compromised Windows Host, Graceful Wipe Out Attack, Volt Typhoon 2026-05-13
Windows Azure PowerShell Module Installation Via PowerShell Script Powershell Script Block Logging 4104 T1021.007 T1069.003 T1078 T1098 T1136.003 Anomaly Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover 2026-05-13
Remote Process Instantiation via WinRM and Winrs Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Windows Default RDP File Creation By Non MSTSC Process Sysmon EventID 11, Sysmon EventID 1 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Enable RDP In Other Port Number Sysmon EventID 13 T1021 TTP Windows RDP Artifacts and Defense Evasion, Interlock Ransomware, Windows Registry Abuse, Prohibited Traffic Allowed or Protocol Mismatch 2026-05-13
Windows SpeechRuntime COM Hijacking DLL Load Sysmon EventID 7 T1021.003 TTP Compromised Windows Host, Scattered Lapsus$ Hunters, Active Directory Lateral Movement 2026-05-13
Windows Process Execution From RDP Share Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.001 T1059 T1105 Anomaly Hidden Cobra Malware 2026-05-13
Linux SSH Remote Services Script Execute Sysmon for Linux EventID 1 T1021.004 TTP VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Hellcat Ransomware 2026-05-13
Windows Replication Through Removable Media Sysmon EventID 11 T1091 TTP China-Nexus Threat Activity, NjRAT, Salt Typhoon, APT37 Rustonotto and FadeStealer, PlugX, Derusbi, Chaos Ransomware 2026-05-13
Rubeus Kerberos Ticket Exports Through Winlogon Access Sysmon EventID 10 T1550.003 TTP Scattered Lapsus$ Hunters, Active Directory Kerberos Attacks, ZOVWiper, BlackSuit Ransomware, CISA AA23-347A 2026-05-13
Windows Default Rdp File Unhidden Sysmon EventID 1 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows RDP Server Registry Entry Created Sysmon EventID 13 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows RDP Client Launched with Admin Session Sysmon EventID 1 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Impacket Lateral Movement smbexec CommandLine Parameters Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.002 T1021.003 T1047 T1543.003 TTP Data Destruction, Prestige Ransomware, CISA AA22-277A, Active Directory Lateral Movement, Industroyer2, WhisperGate, Compromised Windows Host, Graceful Wipe Out Attack, Volt Typhoon 2026-05-13
Rubeus Command Line Parameters Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1550.003 T1558.003 T1558.004 TTP Scattered Lapsus$ Hunters, Active Directory Kerberos Attacks, ZOVWiper, BlackSuit Ransomware, Active Directory Privilege Escalation, CISA AA23-347A 2026-05-13
Impacket Lateral Movement WMIExec Commandline Parameters Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.002 T1021.003 T1047 T1543.003 TTP Storm-0501 Ransomware, Data Destruction, Prestige Ransomware, CISA AA22-277A, Active Directory Lateral Movement, Gozi Malware, Industroyer2, WhisperGate, Compromised Windows Host, Graceful Wipe Out Attack, Volt Typhoon 2026-05-13
Windows Remote Services Allow Rdp In Firewall Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.001 Anomaly Azorult, Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Steal Authentication Certificates - ESC1 Authentication Windows Event Log Security 4887, Windows Event Log Security 4768 T1550 T1649 TTP Compromised Windows Host, Windows Certificate Services 2026-05-13
Remote Process Instantiation via DCOM and PowerShell Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.003 TTP Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
Windows Process Executed From Removable Media Sysmon EventID 13, Sysmon EventID 1 T1025 T1091 T1200 Anomaly APT37 Rustonotto and FadeStealer, Data Protection 2026-05-13
Windows Suspicious Named Pipe Sysmon EventID 18, Sysmon EventID 17 T1021.002 T1055 T1559 TTP Cobalt Strike, Trickbot, Hellcat Ransomware, Meterpreter, LockBit Ransomware, DarkSide Ransomware, Tuoni, Gozi Malware, BlackByte Ransomware, APT37 Rustonotto and FadeStealer, Remote Monitoring and Management Software, Graceful Wipe Out Attack, Brute Ratel C4 2026-05-13
Mmc LOLBAS Execution Process Spawn Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.003 T1218.014 TTP XML Runner Loader, Water Gamayun, Living Off The Land, Active Directory Lateral Movement 2026-05-13
Detect Computer Changed with Anonymous Account Windows Event Log Security 4742 T1210 Hunting Detect Zerologon Attack 2026-05-13
Windows RDP Login Session Was Established Windows Event Log Security 4624 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters 2026-05-13
Allow Inbound Traffic By Firewall Rule Registry Sysmon EventID 13 T1021.001 TTP NjRAT, Azorult, Windows Registry Abuse, Medusa Ransomware, PlugX, Prohibited Traffic Allowed or Protocol Mismatch 2026-05-13
Windows Special Privileged Logon On Multiple Hosts Windows Event Log Security 4672 T1021.002 T1087 T1135 TTP Compromised Windows Host, Active Directory Privilege Escalation, Active Directory Lateral Movement 2026-05-13
Windows SpeechRuntime Suspicious Child Process Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.003 TTP Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
Mimikatz PassTheTicket CommandLine Parameters Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1550.003 TTP Scattered Lapsus$ Hunters, Active Directory Kerberos Attacks, CISA AA22-320A, Sandworm Tools, CISA AA23-347A 2026-05-13
Windows WPDBusEnum Registry Key Modification Sysmon EventID 13, Sysmon EventID 12 T1025 T1091 T1200 Anomaly APT37 Rustonotto and FadeStealer, Data Protection 2026-05-13
Detect PsExec With accepteula Flag Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.002 TTP SamSam Ransomware, HAFNIUM Group, VanHelsing Ransomware, Storm-0501 Ransomware, DHS Report TA18-074A, Rhysida Ransomware, DarkSide Ransomware, Medusa Ransomware, Active Directory Lateral Movement, IcedID, CISA AA22-320A, Sandworm Tools, BlackByte Ransomware, Cactus Ransomware, Seashell Blizzard, DarkGate Malware, Volt Typhoon 2026-05-13
Windows Remote Services Allow Remote Assistance Sysmon EventID 13 T1021.001 Anomaly Azorult 2026-05-13
Windows Remote Host Computer Management Access Windows Event Log Security 4688, Sysmon EventID 1 T1021.006 Anomaly Medusa Ransomware 2026-05-13
Windows Remote Services Rdp Enable Sysmon EventID 13 T1021.001 TTP Azorult, Windows RDP Artifacts and Defense Evasion, BlackSuit Ransomware, Medusa Ransomware 2026-05-13
Possible Lateral Movement PowerShell Spawn Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.003 T1021.006 T1047 T1053.005 T1059.001 T1218.014 T1543.003 Anomaly Microsoft WSUS CVE-2025-59287, Malicious PowerShell, Scheduled Tasks, CISA AA24-241A, Active Directory Lateral Movement, Hermetic Wiper, Data Destruction 2026-05-13
Active Directory Lateral Movement Identified T1210 Correlation Active Directory Lateral Movement 2026-05-13
Windows Process With NetExec Command Line Parameters Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1550.003 T1558.003 T1558.004 TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2026-05-13
Detection of tools built by NirSoft Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1072 Anomaly Emotet Malware DHS Report TA18-201A 2026-05-13
Interactive Session on Remote Endpoint with PowerShell Powershell Script Block Logging 4104 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Windows RDP Connection Successful Windows Event Log RemoteConnectionManager 1149 T1563.002 Hunting NetSupport RMM Tool Abuse, Active Directory Lateral Movement, BlackByte Ransomware, Windows RDP Artifacts and Defense Evasion, Interlock Ransomware 2026-05-13
Allow Inbound Traffic In Firewall Rule Powershell Script Block Logging 4104 T1021.001 TTP NetSupport RMM Tool Abuse, Prohibited Traffic Allowed or Protocol Mismatch 2026-05-13
Kerberos TGT Request Using RC4 Encryption Windows Event Log Security 4768 T1550 TTP Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters 2026-05-13
Remote Desktop Process Running On System Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.001 Hunting Windows RDP Artifacts and Defense Evasion, Hidden Cobra Malware, Active Directory Lateral Movement 2026-05-13
Windows Suspicious C2 Named Pipe Sysmon EventID 18, Sysmon EventID 17 T1021.002 T1055 T1559 TTP Storm-0501 Ransomware, Cobalt Strike, Trickbot, Hellcat Ransomware, Meterpreter, LockBit Ransomware, DarkSide Ransomware, Tuoni, Gozi Malware, BlackByte Ransomware, APT37 Rustonotto and FadeStealer, Remote Monitoring and Management Software, Graceful Wipe Out Attack, Brute Ratel C4 2026-05-13
Remote Process Instantiation via DCOM and PowerShell Script Block Powershell Script Block Logging 4104 T1021.003 TTP Active Directory Lateral Movement 2026-05-13
Windows RMM Named Pipe Sysmon EventID 18, Sysmon EventID 17 T1021.002 T1055 T1559 Anomaly Command And Control, Seashell Blizzard, Scattered Lapsus$ Hunters, GhostRedirector IIS Module and Rungan Backdoor, CISA AA24-241A, Gozi Malware, Insider Threat, Scattered Spider, Cactus Ransomware, Ransomware, Remote Monitoring and Management Software, Interlock Ransomware 2026-05-13
Windows USBSTOR Registry Key Modification Sysmon EventID 13, Sysmon EventID 12 T1025 T1091 T1200 Anomaly APT37 Rustonotto and FadeStealer, Data Protection 2026-05-13
Windows PuTTY Suite Utility Execution Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.004 Anomaly Command And Control, Active Directory Lateral Movement 2026-05-13
Remote Process Instantiation via WinRM and PowerShell Script Block Powershell Script Block Logging 4104 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Windows Protocol Tunneling with Plink Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.004 T1572 TTP CISA AA22-257A 2026-05-13
Windows Theme File Creation in Unusual Location Sysmon EventID 11 T1021.002 T1187 T1557.001 Anomaly Spearphishing Attachments 2026-05-13
Windows PUA Named Pipe Sysmon EventID 18, Sysmon EventID 17 T1021.002 T1055 T1559 Anomaly SamSam Ransomware, HAFNIUM Group, VanHelsing Ransomware, DHS Report TA18-074A, Rhysida Ransomware, DarkSide Ransomware, Medusa Ransomware, Active Directory Lateral Movement, IcedID, CISA AA22-320A, BlackByte Ransomware, Sandworm Tools, Cactus Ransomware, Seashell Blizzard, DarkGate Malware, Volt Typhoon 2026-05-13
Powershell Remote Services Add TrustedHost Powershell Script Block Logging 4104 T1021.006 TTP DarkGate Malware 2026-05-13
Windows MSTSC RDP Commandline Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion, Medusa Ransomware 2026-05-13
Windows Remote Service Rdpwinst Tool Execution Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.001 TTP Azorult, Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Scattered Lapsus$ Hunters 2026-05-13
Executable File Written in Administrative SMB Share Windows Event Log Security 5145 T1021.002 TTP VanHelsing Ransomware, Trickbot, Prestige Ransomware, Active Directory Lateral Movement, IcedID, BlackSuit Ransomware, Hermetic Wiper, Industroyer2, Compromised Windows Host, Graceful Wipe Out Attack, Data Destruction 2026-05-13
Windows Service Create with Tscon Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1543.003 T1563.002 TTP Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
Remote Process Instantiation via WinRM and PowerShell Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Unknown Process Using The Kerberos Protocol Sysmon EventID 3, Sysmon EventID 1 T1550 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware 2026-05-13
Wsmprovhost LOLBAS Execution Process Spawn Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.006 TTP CISA AA24-241A, Active Directory Lateral Movement, Hellcat Ransomware 2026-05-13
Windows RDP File Execution Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.001 T1598.002 TTP Windows RDP Artifacts and Defense Evasion, Interlock Ransomware, Spearphishing Attachments 2026-05-13
VMWare Aria Operations Exploit Attempt Palo Alto Network Threat T1068 T1133 T1190 T1210 TTP VMware Aria Operations vRealize CVE-2023-20887 2026-05-13
Cisco IOS XE Remote Access Probe Burst Cisco IOS Logs T1018 T1021.004 T1046 Anomaly Salt Typhoon 2026-05-20
ESXi Shell Access Enabled VMWare ESXi Syslog T1021 TTP ESXi Post Compromise, Black Basta Ransomware 2026-05-13
ESXi SSH Enabled VMWare ESXi Syslog T1021.004 TTP ESXi Post Compromise, Hellcat Ransomware, Black Basta Ransomware 2026-05-13
Okta Multiple Failed Requests to Access Applications Okta T1538 T1550.004 Hunting Okta Account Takeover 2026-05-13
Cisco IOS XE VTY Access Class Tampering Cisco IOS Logs T1021 T1562 Anomaly Salt Typhoon 2026-05-20
Microsoft Intune Device Health Scripts Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Microsoft Intune Mobile Apps Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Microsoft Intune Manual Device Management Azure Monitor Activity T1021.007 T1072 T1529 Hunting Azure Active Directory Account Takeover 2026-05-13
AWS Bedrock Invoke Model Access Denied AWS CloudTrail T1078 T1550 TTP AWS Bedrock Security 2026-05-13
Microsoft Intune DeviceManagementConfigurationPolicies Azure Monitor Activity T1021.007 T1072 T1484 T1685 T1686 Hunting Azure Active Directory Account Takeover 2026-05-13
Remote Desktop Network Traffic Zeek Conn T1021.001 Anomaly SamSam Ransomware, Hidden Cobra Malware, Active Directory Lateral Movement, Ryuk Ransomware, Windows RDP Artifacts and Defense Evasion 2026-05-13
Cisco Privileged Account Creation with HTTP Command Execution T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Static Tundra Smart Install Abuse Cisco Secure Firewall Threat Defense Intrusion Event T1190 T1210 T1499 TTP Cisco Smart Install Remote Code Execution CVE-2018-0171, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Privileged Account Creation with Suspicious SSH Activity T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Cisco Secure Firewall - SSH Connection to Non-Standard Port Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Cisco Network Interface Modifications Cisco IOS Logs T1021 T1133 T1556 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity Cisco Secure Firewall Threat Defense Intrusion Event T1003.001 T1059.001 T1190 T1210 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Lumma Stealer Activity Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1190 T1204 T1210 TTP Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
SMB Traffic Spike T1021.002 Anomaly Ransomware, Hidden Cobra Malware, Emotet Malware DHS Report TA18-201A, DHS Report TA18-074A 2026-05-13
Cisco Secure Firewall - SSH Connection to sshd_operns Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13