Detecting Lateral Movement in Network

When to Use

  • Monitoring enterprise networks for post-compromise lateral movement patterns (pass-the-hash, RDP hopping, PsExec)
  • Building SIEM detection rules and alerts for common MITRE ATT&CK lateral movement techniques (T1021, T1570)
  • Investigating suspected breaches by analyzing authentication patterns and network connections between internal hosts
  • Hunting for anomalous east-west traffic patterns that indicate an attacker pivoting through the network
  • Validating that network segmentation and access controls effectively limit lateral movement paths

Do not use this as a substitute for endpoint detection and response (EDR) tools, to monitor only north-south traffic while ignoring internal traffic flows, or without a baseline of normal internal communication patterns.

Prerequisites

  • Network security monitoring deployed at internal choke points (Zeek, Suricata, or network TAPs)
  • SIEM platform (Splunk, Elastic, Microsoft Sentinel) collecting Windows Security Event Logs, DNS, and flow data
  • Windows Event Log forwarding configured for Security events (4624, 4625, 4648, 4672, 4768, 4769)
  • Baseline of normal internal authentication and connection patterns
  • Understanding of MITRE ATT&CK Lateral Movement tactics (TA0008)

Installs: 21 · GitHub Stars: 15.0K · First Seen: Mar 16, 2026
Source: detecting-lateral-movement-in-network (mukul975/anthropic-cybersecurity-skills)