EventPeeker

Detecting Lateral Movement with Sysmon

Lateral movement is how attackers expand from one compromised host to others in the environment. Sysmon exposes lateral movement at three layers: the network connection to the target (Sysmon 3), the remote process execution that follows (Sysmon 1 on the target host), and the credential access that enables it (Sysmon 10). Correlating these events across multiple hosts is what separates lateral movement detection from individual host alerts.

Severity

High

ATT&CK Tactic

Lateral Movement

Common attacker usage

  • PsExec-style lateral movement — copies a service binary to the target host's admin share and creates a service to execute it
  • WMI remote execution — Win32_Process.Create() over DCOM to spawn commands on remote hosts without copying a binary
  • Pass-the-hash via NTLM — using a captured NTLM hash to authenticate to remote hosts without the plaintext password
  • RDP with stolen credentials or pass-the-hash via restricted admin mode
  • SMB file share access to stage tools or exfiltrate data across the network

Investigate immediately if

  • Sysmon 3 shows cmd.exe or powershell.exe connecting to port 445 on internal hosts not normally accessed from that workstation
  • Sysmon 1 on a target host shows a process spawned from services.exe or WmiPrvSE.exe with an unusual binary or command
  • Sysmon 10 shows LSASS access immediately before a new remote connection from the same host (credential dump → lateral move pattern)
  • Sysmon 3 shows a single workstation connecting to 5+ internal hosts on port 445 within a short window

MITRE ATT&CK

Technique

T1021 · Remote Services

Tactic

Lateral Movement


Security Relevance

Lateral movement is the phase between initial access and the attacker's final objective (data exfiltration, ransomware, persistence). Detecting it early — before the attacker reaches domain controllers, backup servers, or sensitive data stores — is the most impactful detection investment. Sysmon's process-to-network correlation is the primary reason it was developed: native Windows events show logons and process creation independently, but cannot link which network connection produced which remote process.

Indicators of Malicious Use

  • Sysmon 3: cmd.exe, powershell.exe, or wmic.exe connecting to internal hosts on port 445 (SMB) or 135/5985 (WMI/WinRM)
  • Sysmon 1 (target host): process spawned from services.exe with an Image path in C$\Windows\Temp or ADMIN$ (PsExec service binary pattern)
  • Sysmon 1 (target host): WmiPrvSE.exe spawning cmd.exe or powershell.exe with attacker-controlled arguments (WMI remote execution)
  • Sysmon 3: single source host connecting to many internal targets on port 445 in rapid succession (lateral movement scanning or mass deployment)
  • Sysmon 1: net.exe, net1.exe, or nltest.exe commands for domain enumeration — attacker mapping targets before moving
  • Sysmon 10: GrantedAccess 0x1010 against lsass.exe on the source host, followed by Sysmon 3 outbound to a new internal target within minutes
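The two host-local indicators above, the 5+ SMB targets fan-out and LSASS access followed by a new internal connection, as detection rules run over constructed Sysmon events. This is an added example, not EventPeeker's own code; the event records, the 5-minute and 10-minute windows, and the threshold of 5 are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed Sysmon events from one source host (sample data, not real telemetry);
# UtcTime uses Sysmon's "YYYY-MM-DD HH:MM:SS" format and only the fields the rules read are kept.
EVENTS = [
    {"EventID": 10, "UtcTime": "2024-03-01 09:00:05", "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 3, "UtcTime": "2024-03-01 09:01:30", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},       # external HTTPS, never counted
] + [
    {"EventID": 3, "UtcTime": f"2024-03-01 09:02:{10 + 3 * i:02d}", "Image": r"C:\Windows\System32\cmd.exe",
     "DestinationIp": f"10.0.1.{45 + i}", "DestinationPort": 445}
    for i in range(6)                                                   # six SMB targets in 18 seconds
]

def parse_time(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")

def internal_smb(events):
    """Sysmon 3 connections to port 445 on RFC 1918 addresses, oldest first."""
    hits = [e for e in events if e["EventID"] == 3 and e["DestinationPort"] == 445
            and ipaddress.ip_address(e["DestinationIp"]).is_private]
    return sorted(hits, key=parse_time)

def smb_fanout(events, threshold=5, window=timedelta(minutes=5)):
    """Distinct internal SMB targets inside a sliding `window` once their count reaches
    `threshold` (the 5+ hosts indicator); an empty set means the rule did not fire."""
    smb, start = internal_smb(events), 0
    for end, e in enumerate(smb):
        while parse_time(e) - parse_time(smb[start]) > window:
            start += 1                                                  # slide the window forward
        targets = {x["DestinationIp"] for x in smb[start:end + 1]}
        if len(targets) >= threshold:
            return targets
    return set()

def lsass_then_move(events, window=timedelta(minutes=10)):
    """Pair each Sysmon 10 LSASS access with the first internal SMB connection that follows
    it within `window`: the credential dump -> lateral move sequence."""
    smb, pairs = internal_smb(events), []
    for e in events:
        if e["EventID"] != 10 or not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        t0 = parse_time(e)
        follow = next((s for s in smb if t0 <= parse_time(s) <= t0 + window), None)
        if follow is not None:
            pairs.append((e["SourceImage"], e["GrantedAccess"], follow["DestinationIp"]))
    return pairs
```

Tune the threshold and windows against a baseline of the RMM and deployment hosts listed under false positives before alerting on them.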

Example Log Entry

// Sysmon Event 3 (source host) — SMB lateral movement initiation
EventID: 3
Image: C:\Windows\System32\cmd.exe
DestinationIp: 10.0.1.45
DestinationPort: 445
DestinationHostname: fileserver01.corp.local
Initiated: true

// Sysmon Event 1 (target host — fileserver01) — PsExec service binary
EventID: 1
Image: C:\Windows\PSEXESVC.exe
CommandLine: C:\Windows\PSEXESVC.exe
ParentImage: C:\Windows\System32\services.exe
IntegrityLevel: System

// Sysmon Event 1 (target host) — WMI remote execution
EventID: 1
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__output 2>&1
ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe

Investigation Steps

  1. Establish the source host: identify which host initiated the lateral movement by searching Sysmon 3 for outbound port 445 connections from unexpected processes (cmd.exe, wmic.exe, PowerShell). The source host is where the attacker currently has a foothold.
  2. Identify the target hosts: expand from the source host's Sysmon 3 events to find all internal IPs contacted. Each is a potential lateral movement target. Prioritize domain controllers, file servers, and backup servers.
  3. Confirm remote execution on target hosts: search Sysmon 1 on target hosts for processes spawned from services.exe (PsExec), WmiPrvSE.exe (WMI), or svchost.exe (scheduled task remote creation) around the time of the Sysmon 3 connection from the source.
  4. Trace the credential used: search 4624 events on target hosts for Type 3 (network) logons from the source host IP around the same timestamp. The account name in 4624 is the credential the attacker used — if it's a domain admin or service account, assess the blast radius.
  5. Check for credential dumping on the source host: search Sysmon 10 for LSASS access immediately before the lateral movement. Attackers dump credentials first, then move. This tells you which credentials are in the attacker's hands.
  6. Map the full movement chain: each newly compromised host may initiate its own lateral movement. Recursively search Sysmon 3 outbound from each confirmed compromised host to build the complete movement tree.


Common False Positives

  • Legitimate remote management tools (RMM agents, SCCM, Ansible, Puppet) connect to many internal hosts and spawn remote processes — build a baseline of normal remote execution sources
  • IT automation scripts performing mass deployment or patching generate PsExec-like patterns during maintenance windows
  • WMI-based monitoring tools (SCCM inventory, custom scripts) spawn WmiPrvSE.exe child processes for legitimate queries
  • Domain-wide Group Policy application and logon scripts create processes via svchost.exe that may superficially resemble lateral movement

Remediation

  • Block lateral movement at the network layer: enforce host-based firewall rules preventing workstation-to-workstation SMB (port 445); workstations should not connect to each other on admin ports
  • Disable NTLM where Kerberos is sufficient to eliminate pass-the-hash as a lateral movement credential — enforce via Group Policy (Restrict NTLM: Outgoing NTLM traffic to remote servers)
  • Enable Windows Defender Credential Guard to prevent credential harvesting that enables lateral movement
  • Implement privileged access workstations (PAWs) and tiered administration — domain admin credentials should never touch workstations or be exposed to processes that could be compromised
  • Require multi-factor authentication for remote access (RDP, WinRM, VPN) to prevent pass-the-hash and stolen credential reuse
  • Reset all credentials that were exposed on compromised hosts — NTLM hashes remain usable for pass-the-hash until the password changes

Related Event IDs

1 · Sysmon Process Create — remote process execution on target hosts (PsExec service, WMI spawn)
3 · Sysmon Network Connection — SMB/WMI connections from source host to targets
10 · Sysmon Process Access — credential dumping on source host before lateral movement
22 · Sysmon DNS Query — DNS-layer C2 callbacks during dwell and lateral movement phases
4624 · Successful logon — Type 3 network logon on target host confirms lateral movement success
4648 · Explicit credential logon — attacker using harvested credentials via runas or PsExec /u

Frequently Asked Questions

Why is Sysmon better than native Windows events for detecting lateral movement?
Native Windows events show logons (4624) and process creation (4688) independently, but cannot directly link them: you know a network logon occurred and you know a process was created, but connecting 'this network connection caused this remote process' requires correlating multiple events across multiple hosts by timestamp and account — error-prone and slow. Sysmon provides two capabilities native events lack: (1) Sysmon 3 records the exact process that initiated the network connection, making it possible to immediately answer 'cmd.exe connected to fileserver01 on port 445'; (2) Sysmon 1 on the target host shows the parent process (services.exe, WmiPrvSE.exe) that spawned the remote execution, directly exposing the lateral movement mechanism.
What is the difference between PsExec lateral movement and WMI lateral movement in Sysmon?
Both produce Sysmon 1 events on the target host but with different parent processes. PsExec copies a service binary (PSEXESVC.exe by default, but can be renamed) to the target's ADMIN$ share and creates a service to run it — the spawned process's ParentImage is services.exe. WMI lateral movement calls Win32_Process.Create() over DCOM, which causes WmiPrvSE.exe to spawn the command on the target — the ParentImage is WmiPrvSE.exe. Alert on both: services.exe spawning unexpected binaries from Temp or ADMIN$ paths, and WmiPrvSE.exe spawning cmd.exe or powershell.exe with attacker-style arguments.
How do I correlate lateral movement across multiple hosts in Sysmon logs?
The correlation key is the source IP and timestamp. On the source host: find Sysmon 3 with an outbound connection to an internal target on port 445 or 135. On the target host: find Sysmon 1 events within a 60-second window where the timestamp matches and the parent is services.exe or WmiPrvSE.exe. Also check 4624 events on the target for a Type 3 logon from the source IP at the same time — the account name reveals which credential was used. In a SIEM: join Sysmon 3 from host A with Sysmon 1 on host B where DestinationIp = host B and the timestamps are within the expected propagation delay (typically < 30 seconds for PsExec).
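The SIEM join described in this answer and in the investigation steps, as an added Python example that is not part of the original page: Sysmon 3 on the source host joined to Sysmon 1 (parent services.exe or WmiPrvSE.exe) and to 4624 Type 3 logons on the target host within 30 seconds. The host-to-IP map, the field names, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed multi-host sample (not real telemetry): Sysmon 3 on the source WKSTN01, Sysmon 1 and
# Security 4624 on the target FILESERVER01. The host/IP map stands in for an asset inventory.
HOST_IP = {"WKSTN01": "10.0.5.12", "FILESERVER01": "10.0.1.45"}
IP_HOST = {ip: host for host, ip in HOST_IP.items()}
REMOTE_EXEC_PARENTS = {"services.exe", "wmiprvse.exe"}      # PsExec-style service and WMI parents
LATERAL_PORTS = {445, 135}                                  # SMB and DCOM/WMI endpoint mapper

EVENTS = [
    {"Computer": "WKSTN01", "EventID": 3, "UtcTime": "2024-03-01 09:02:10",
     "Image": r"C:\Windows\System32\cmd.exe", "DestinationIp": "10.0.1.45", "DestinationPort": 445},
    {"Computer": "FILESERVER01", "EventID": 4624, "UtcTime": "2024-03-01 09:02:11",
     "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.12"},
    {"Computer": "FILESERVER01", "EventID": 1, "UtcTime": "2024-03-01 09:02:14",
     "Image": r"C:\Windows\PSEXESVC.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Computer": "FILESERVER01", "EventID": 1, "UtcTime": "2024-03-01 09:30:00",     # outside the window
     "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
]

def parse_time(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def correlate_remote_exec(events, window=timedelta(seconds=30)):
    """For each Sysmon 3 connection to a lateral-movement port, look on the target host for
    Sysmon 1 events whose parent is a remote-execution service and for 4624 Type 3 logons
    from the source host, both within `window` after the connection."""
    alerts = []
    for conn in events:
        if conn["EventID"] != 3 or conn["DestinationPort"] not in LATERAL_PORTS:
            continue
        target, t0 = IP_HOST.get(conn["DestinationIp"]), parse_time(conn)
        if target is None:
            continue                                    # destination is not a known asset
        on_target = [e for e in events if e["Computer"] == target
                     and t0 <= parse_time(e) <= t0 + window]
        spawned = [e for e in on_target if e["EventID"] == 1
                   and basename(e["ParentImage"]) in REMOTE_EXEC_PARENTS]
        accounts = sorted({e["TargetUserName"] for e in on_target if e["EventID"] == 4624
                           and e["LogonType"] == 3 and e["IpAddress"] == HOST_IP.get(conn["Computer"])})
        for s in spawned:
            alerts.append({"source": conn["Computer"], "target": target, "initiator": basename(conn["Image"]),
                           "spawned": basename(s["Image"]), "parent": basename(s["ParentImage"]),
                           "accounts": accounts})
    return alerts
```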
