EventPeeker

Lateral Movement — Spreading Across the Network

Lateral movement is how attackers spread from their initial foothold to other systems on the network — reaching domain controllers, file servers, and high-value targets. Windows logs this activity across multiple event IDs: explicit credential logons (4648), network logons (4624 Type 3), admin share access (5140), and process creation on remote systems (4688).

Severity

High

ATT&CK Tactic

Lateral Movement

Common attacker usage

Ransomware network propagation · Pass-the-hash (Mimikatz) · PsExec and Impacket tooling · WMIexec, SMBexec, CrackMapExec

Investigate immediately if

  • C$ or ADMIN$ share accessed from a workstation (not a known backup or admin server)
  • PSEXESVC appears as a new service (7045) on any host
  • The same account authenticates to 5+ systems within 10 minutes
  • A domain controller receives a Type 3 network logon from a workstation using a privileged account or NTLM (routine Kerberos logons for SYSVOL, NETLOGON and LDAP are expected and are not a signal on their own)

MITRE ATT&CK

Technique

T1021 · Remote Services

Tactic

Lateral Movement

View on attack.mitre.org →

Security Relevance

Initial access rarely lands an attacker where they want to be. Lateral movement is how a compromised workstation becomes a compromised domain controller. Attackers use pass-the-hash, pass-the-ticket, explicit credential logons, and remote execution tools (PsExec, WMI, PowerShell Remoting) to move between systems. Detecting lateral movement early — before a domain controller is reached — is often the difference between a contained incident and a full domain compromise.

Indicators of Malicious Use

  • Event ID 4648 (explicit credential logon) on a workstation where the Subject account differs from the account whose credentials were used, especially when the process is powershell.exe, cmd.exe or an unfamiliar binary: an attacker using stolen credentials with runas, Invoke-Command -Credential or direct API calls to reach remote systems.
  • Event ID 4624 Type 3 (network logon) on a domain controller from a workstation using a privileged account or with NTLM as the authentication package. Workstations routinely log Type 3 logons on DCs for SYSVOL and NETLOGON (Group Policy), LDAP and DNS, so the logon by itself is noise; the account, the authentication package and the share or service touched are what matter.
  • Event ID 5140: C$ or ADMIN$ share accessed. Administrative shares are the primary vehicle for PsExec-style lateral movement. 5140 is written on the host that owns the share, with the caller's address in Network Information, and only when the Audit File Share subcategory is enabled.
  • Event ID 4688 showing psexec.exe (or psexec64.exe) on the source, and Event ID 7045 on the target showing a new service named PSEXESVC. PsExec is the most commonly used lateral movement tool; a renamed PsExec binary still installs PSEXESVC unless the operator changes the service name with the -r option.
  • Event ID 4688: powershell.exe with -ComputerName, Invoke-Command or Enter-PSSession targeting remote hosts from a workstation (requires process creation auditing with command-line logging enabled).
  • The same account authenticating to many different systems within a short window: a single credential being used to fan out across the network.
  • Event ID 4624 Type 3 logons originating from a single source host to many destination hosts within minutes: automated lateral movement tool behavior.
  • Event ID 4776 (NTLM credential validation) on the domain controller with an unexpected workstation in Source Workstation, paired with 4624 Type 3 logons whose Authentication Package is NTLM. Pass-the-hash authenticates with the NT hash directly over NTLM and never needs the cleartext password, so it appears as successful NTLM logons rather than as failures.

Example Log Entry

Log Name: Security
Source:    Microsoft-Windows-Security-Auditing
Event ID:  4648
Level:     Information

A logon was attempted using explicit credentials.

Subject (who is making the request):
  Account Name:  j.smith
  Logon ID:      0x3F2A1

Account Whose Credentials Were Used:
  Account Name:  Administrator
  Account Domain: CORP

Target Server:
  Target Server Name: DC01.corp.local

Process Information:
  Process Name:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Log Name: Security
Event ID:  5140

A network share object was accessed.

Share Information:
  Share Name:  \\*\ADMIN$

Network Information:
  Source Address: 192.168.10.45
  Source Port:    49823

Subject:
  Account Name:  Administrator

Investigation Steps

  1. Build a map of which accounts authenticated to which systems and when. Lateral movement leaves a trail of 4624 Type 3 events that fan out from the initial foothold; correlate on Target Account Name, Source Network Address and Workstation Name across hosts.
  2. Look for admin share access (C$, ADMIN$, IPC$) in Event ID 5140 on the target system. These are the shares PsExec and most lateral movement tools use. Standard users cannot map C$ or ADMIN$ (they require local administrator rights), so access from a user workstation is suspect. 5140 is only written when the Audit File Share subcategory is enabled, so confirm the audit policy before concluding there was no share access.
  3. Check Event ID 4648 on the source system for cases where the Subject account and the account whose credentials were used differ. Sysadmins do this legitimately with runas; an ordinary user account in Subject with a privileged account in the credentials field, pointing at a server or DC, is the attacker pattern.
  4. Look for PSEXESVC in Event ID 7045 (System log, new service installed) on the target system. PsExec installs this service on every host it runs against, and its presence is a near-certain lateral movement indicator unless PsExec is sanctioned for administration from that source.
  5. Check for PowerShell Remoting indicators: Event ID 4688 showing powershell.exe with -ComputerName, Invoke-Command or Enter-PSSession on the source, and wsmprovhost.exe (the WinRM host process) starting on the destination.
  6. Identify the original foothold. Lateral movement always starts somewhere; work backwards from the first remote logon into each compromised host to identify patient zero.
  7. Check domain controller logs for 4624 Type 3 logons from workstations with privileged accounts or with NTLM as the authentication package, and for 5140 access to the DC's C$ or ADMIN$. Ordinary Kerberos logons from workstations for SYSVOL, NETLOGON and LDAP are routine; a privileged account or NTLM arriving from a workstation indicates the attacker has reached your most critical systems.
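The indicators and the investigation steps above, run as code. This is an added example, not EventPeeker's detection engine: the events are constructed records whose keys follow the EVTX EventData field names (TargetUserName, IpAddress, LogonType, AuthenticationPackageName, ShareName, ServiceName), and the domain controller list, the allowlisted admin/backup source 10.0.0.50, the privileged-account list and the host names are assumptions. Each rule returns its hits rather than only printing them; the fan-out rule implements the "5+ systems within 10 minutes" threshold from the list near the top of the page, and the DC rule deliberately ignores Kerberos logons from workstations because those are routine.

```python
"""Rule-based lateral-movement triage over constructed Windows events (added
example, not EventPeeker code).  Record keys follow the EVTX EventData field
names; host names, addresses and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01"}
KNOWN_ADMIN_SOURCES = {"10.0.0.50"}       # backup / SCCM server (allowlisted)
PRIVILEGED_ACCOUNTS = {"Administrator"}
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
FANOUT_THRESHOLD, FANOUT_WINDOW = 5, timedelta(minutes=10)   # "5+ systems in 10 minutes"

def rule_explicit_creds(events):
    """4648 (source host): Subject differs from the account used, and the
    account used is privileged or the target is a domain controller."""
    hits = []
    for e in events:
        if e["EventID"] != 4648 or e["SubjectUserName"] == e["TargetUserName"]:
            continue
        target = e["TargetServerName"].split(".")[0].upper()
        if e["TargetUserName"] in PRIVILEGED_ACCOUNTS or target in DOMAIN_CONTROLLERS:
            hits.append((e["Computer"], e["SubjectUserName"], e["TargetUserName"], target))
    return hits

def rule_dc_logon(events):
    """4624 Type 3 on a DC from a non-allowlisted source using NTLM or a privileged
    account.  Plain Kerberos logons from workstations (SYSVOL, LDAP) are routine."""
    hits = []
    for e in events:
        if (e["EventID"] != 4624 or e["LogonType"] != 3 or e["Computer"] not in
                DOMAIN_CONTROLLERS or e["IpAddress"] in KNOWN_ADMIN_SOURCES):
            continue
        ntlm = e["AuthenticationPackageName"] == "NTLM"
        if ntlm or e["TargetUserName"] in PRIVILEGED_ACCOUNTS:
            hits.append((e["Computer"], e["TargetUserName"], e["IpAddress"], "NTLM" if ntlm else "Kerberos"))
    return hits

def rule_admin_share(events):
    """5140 (needs Audit File Share enabled): C$/ADMIN$/IPC$ from a non-allowlisted source."""
    hits = []
    for e in events:
        if e["EventID"] != 5140:
            continue
        share = e["ShareName"].rsplit("\\", 1)[-1]          # \\*\ADMIN$ -> ADMIN$
        if share in ADMIN_SHARES and e["IpAddress"] not in KNOWN_ADMIN_SOURCES:
            hits.append((e["Computer"], share, e["IpAddress"], e["SubjectUserName"]))
    return hits

def rule_psexec_service(events):
    """7045 (System log): the PSEXESVC service PsExec installs on its target."""
    return [(e["Computer"], e["ServiceName"]) for e in events
            if e["EventID"] == 7045 and e["ServiceName"].upper() == "PSEXESVC"]

def rule_fanout(events, key):
    """One `key` value (account or source IP) reaching FANOUT_THRESHOLD distinct
    hosts via 4624 Type 3 inside a sliding FANOUT_WINDOW."""
    per_key = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 3:
            per_key[e[key]].append((datetime.fromisoformat(e["TimeCreated"]), e["Computer"]))
    hits = {}
    for k, seq in per_key.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - t0 <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_THRESHOLD:
                hits[k] = sorted(hosts)
                break
    return hits

def triage(events):
    return {"explicit_creds": rule_explicit_creds(events),
            "dc_logon": rule_dc_logon(events),
            "admin_share": rule_admin_share(events),
            "psexec_service": rule_psexec_service(events),
            "account_fanout": rule_fanout(events, "TargetUserName"),
            "source_fanout": rule_fanout(events, "IpAddress")}

def _ev(event_id, computer, time, **fields):
    return {"EventID": event_id, "Computer": computer, "TimeCreated": time, **fields}
def _logon(computer, time, user, ip, pkg):
    return _ev(4624, computer, time, LogonType=3, TargetUserName=user,
               IpAddress=ip, AuthenticationPackageName=pkg)

SAMPLE_EVENTS = [  # constructed, modelled on the example entries above; not real telemetry
    _ev(4648, "WS045", "2024-03-01T09:00:00", SubjectUserName="j.smith",
        TargetUserName="Administrator", TargetServerName="DC01.corp.local"),
    _logon("DC01", "2024-03-01T08:30:00", "j.smith", "192.168.10.45", "Kerberos"),    # GPO/SYSVOL, benign
    _logon("DC01", "2024-03-01T09:00:02", "Administrator", "192.168.10.45", "NTLM"),  # pass-the-hash pattern
    _ev(5140, "FS01", "2024-03-01T02:00:00", SubjectUserName="svc_backup",
        IpAddress="10.0.0.50", ShareName=r"\\*\C$"),                                   # scheduled backup
    _ev(5140, "FS01", "2024-03-01T09:01:00", SubjectUserName="Administrator",
        IpAddress="192.168.10.45", ShareName=r"\\*\ADMIN$"),
    _ev(7045, "FS01", "2024-03-01T09:01:01", ServiceName="PSEXESVC"),
] + [  # the same account and source IP then reach five more hosts within five minutes
    _logon(f"WS{n:03d}", f"2024-03-01T09:0{n}:00", "Administrator", "192.168.10.45", "NTLM")
    for n in range(1, 6)
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

Running it reports one hit per rule for the constructed data, and nothing for the benign Kerberos logon to DC01 or the allowlisted backup server's C$ access. The fan-out rule flags both the Administrator account and 192.168.10.45 as the source, which is the "single credential, single source host" pattern the indicators describe; the account and source variants are kept separate because an attacker who rotates credentials between hops still shows up under the source IP.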


Common False Positives

  • IT administrators using RMM tools (ConnectWise, Datto, NinjaRMM) — these tools regularly authenticate to managed systems. Verify the source matches known RMM agent IPs or service accounts.
  • Backup agents — Veeam, Acronis, and similar products access C$ and ADMIN$ shares to perform backups. These should be from known backup server IPs and occur on a predictable schedule.
  • SCCM / Configuration Manager — uses admin shares and NTLM authentication for software deployment and inventory. Traffic originates from the SCCM server.
  • Domain Controllers performing replication — DCs regularly authenticate to each other for AD replication. This generates 4624 Type 3 events between DCs, which is expected.
  • Legitimate administrative activity — sysadmins using PsExec or PowerShell Remoting for authorized remote administration. Verify against change management records and known admin workstations.

Remediation

  • Enable Windows Defender Credential Guard. It moves NTLM hashes and Kerberos tickets out of LSASS into an isolated, virtualization-based LSA process, which blocks the credential theft that pass-the-hash depends on. It does not stop hashes harvested elsewhere (an unprotected host, NTDS.dit) from being replayed, so pair it with tiered administration.
  • Disable NTLM where possible, or restrict it via GPO (the Network security: Restrict NTLM settings for incoming, outgoing and domain traffic) to force Kerberos on domain networks. Enable the corresponding audit-only settings first and review the resulting events, because legacy applications and non-domain-joined devices often still depend on NTLM.
  • Disable administrative shares (C$, ADMIN$) on workstations where they are not needed — they should rarely be enabled on end-user machines.
  • Implement network segmentation — workstations should not be able to initiate connections to other workstations on port 445 (SMB). Use host-based firewall rules or network ACLs.
  • Deploy a tiered administration model — admin accounts used for servers should not be used on workstations, and workstation admin accounts should not have rights on servers.
  • Alert on admin share access (5140 to C$ or ADMIN$) from non-server source IPs — this is almost never legitimate from a workstation.
  • Isolate affected systems immediately when lateral movement is detected — the longer an attacker moves freely, the more systems require remediation.

Related Event IDs

4648 · Explicit credential logon — attacker using harvested credentials
4624 · Successful logon — Type 3 (network) logons show movement between systems
5140 · Network share accessed — C$ and ADMIN$ access is the lateral movement path
4688 · Process creation — look for psexec.exe, wsmprovhost.exe, wmic.exe
7045 · New service installed — PSEXESVC indicates PsExec lateral movement
4672 · Special privileges — confirms attacker is operating with admin rights on remote systems

Frequently Asked Questions

What is the difference between Event ID 4648 and 4624 for detecting lateral movement?
Event 4624 is logged on the destination system and tells you that someone authenticated there. Event 4648 is logged on the source system and tells you that a process used specific credentials to connect somewhere else. For lateral movement, 4648 is often more valuable because it shows the attacker's credential use from their current foothold before the connection is established. A 4648 on a workstation whose Subject is an ordinary user, whose credentials-used account is a Domain Admin and whose Target Server Name is a domain controller is a high-confidence lateral movement indicator even before checking the DC's 4624 log. The DC's own 4624 Type 3 events from workstations are too common (SYSVOL, LDAP, DNS) to stand alone as a signal; filter them by account and authentication package.
Does pass-the-hash generate Event ID 4625 (failed logon) events?
No — pass-the-hash uses a valid NTLM hash to authenticate, so it generates a successful Event 4624 (Type 3, NTLM) on the target system, not 4625 failures. This is why pass-the-hash is difficult to detect with failed-logon monitoring alone. The signals to look for are 4624 Type 3 logons using NTLM authentication (rather than Kerberos) to systems that should use Kerberos, and 4776 (NTLM credential validation) events on domain controllers from unexpected workstations.
How do I detect PsExec lateral movement from Windows event logs?
PsExec leaves a distinct signature across multiple event IDs: Event 7045 (new service installed, System log) with service name PSEXESVC on the target system; Event 5140 (network share accessed) on the target system showing ADMIN$ with the source host's address in Network Information, provided the Audit File Share subcategory is enabled; and Event 4624 Type 3 (network logon) on the target system. The PSEXESVC service name is the most reliable single indicator, since legitimate software rarely installs a service with this name, although an operator can change it with PsExec's -r option. If process creation auditing with command-line logging is enabled, Event 4688 will also show psexec.exe and its arguments on the source system.
What network ports and protocols should I block to limit lateral movement?
Block SMB (port 445) between workstations — workstations rarely need to reach other workstations via SMB, and it is the primary PsExec and ransomware propagation path. Block WinRM (port 5985/5986) from workstations to servers unless PowerShell Remoting is explicitly needed. Restrict RDP (port 3389) to jump servers only. On workstations, use host-based firewalls to deny inbound connections from other workstations. These controls do not prevent all lateral movement but eliminate the highest-volume attack paths.
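Investigation step 6 (find patient zero) and the 4648/4624 question above both come down to walking the 4624 Type 3 trail backwards from the domain controller. The following added example (not EventPeeker code) does that over constructed events: starting from the suspicious logon on DC01, it repeatedly looks up the newest inbound network logon onto the source host before that host moved on, skipping allowlisted admin sources, until it reaches a host with no inbound remote logon. The IP-to-hostname inventory, the events and the "newest inbound logon" heuristic are assumptions; in practice each hop should be confirmed against 4648 and 4688 on the source host.

```python
"""Walk the 4624 Type 3 trail backwards from a compromised host to the foothold.

Added example, not EventPeeker code.  Events are constructed 4624 LogonType 3
records (EVTX EventData names) gathered from several hosts; ASSET_INVENTORY and
KNOWN_ADMIN_SOURCES are hypothetical environment data.
"""
from datetime import datetime

ASSET_INVENTORY = {  # hypothetical IP -> hostname mapping
    "192.168.10.45": "WS045", "192.168.10.77": "WS077",
    "10.0.0.10": "DC01", "10.0.0.20": "FS01", "10.0.0.50": "BACKUP01",
}
KNOWN_ADMIN_SOURCES = {"10.0.0.50"}   # backup server: expected to log on everywhere

def ts(s):
    return datetime.fromisoformat(s)

def src_host(e):
    return ASSET_INVENTORY.get(e["IpAddress"], e["IpAddress"])

def inbound_remote_logons(events, host, before):
    """4624 Type 3 logons onto `host` strictly before `before`, newest first."""
    hits = [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["Computer"] == host and ts(e["TimeCreated"]) < before]
    return sorted(hits, key=lambda e: ts(e["TimeCreated"]), reverse=True)

def trace_to_foothold(events, first_hop, max_hops=10):
    """Follow inbound logons backwards from `first_hop` (a 4624 on the target).

    Heuristic (an assumption of this example): the newest inbound remote logon
    onto a host before it hopped onward is treated as the attacker's arrival on
    that host.  Returns the presumed foothold and the chain as
    (time, src, account, dst) tuples, oldest hop first.
    """
    chain = [first_hop]
    host, t = src_host(first_hop), ts(first_hop["TimeCreated"])
    visited = {first_hop["Computer"], host}
    for _ in range(max_hops):
        prior = [e for e in inbound_remote_logons(events, host, t)
                 if src_host(e) not in visited
                 and e["IpAddress"] not in KNOWN_ADMIN_SOURCES]
        if not prior:
            break                     # no earlier remote arrival: this is patient zero
        hop = prior[0]
        chain.append(hop)
        host, t = src_host(hop), ts(hop["TimeCreated"])
        visited.add(host)
    chain.reverse()
    return host, [(e["TimeCreated"], src_host(e), e["TargetUserName"], e["Computer"])
                  for e in chain]

def _logon(computer, time, user, ip, pkg="Kerberos"):
    return {"EventID": 4624, "LogonType": 3, "Computer": computer, "TimeCreated": time,
            "TargetUserName": user, "IpAddress": ip, "AuthenticationPackageName": pkg}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    _logon("WS045", "2024-03-01T02:00:00", "svc_backup", "10.0.0.50"),       # nightly backup (allowlisted)
    _logon("FS01", "2024-03-01T07:30:00", "j.smith", "192.168.10.45"),       # routine file-share use
    _logon("WS045", "2024-03-01T08:50:00", "j.smith", "192.168.10.77"),      # WS077 -> WS045 (workstation to workstation)
    _logon("DC01", "2024-03-01T09:00:02", "Administrator", "192.168.10.45", "NTLM"),  # WS045 -> DC01
]

if __name__ == "__main__":
    foothold, chain = trace_to_foothold(SAMPLE_EVENTS, SAMPLE_EVENTS[-1])
    print("patient zero:", foothold)
    for hop in chain:
        print("  %s  %s --[%s]--> %s" % hop)
```

For the constructed data the trace ends at WS077, two hops behind DC01, and the reconstructed chain (WS077 to WS045 as j.smith, then WS045 to DC01 as Administrator) is exactly what the 4648 example entry on WS045 would corroborate. The workstation-to-workstation hop is itself abnormal, which is why the remediation section recommends blocking SMB between workstations.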
