SOC Playbook: Lateral Movement Detection and Response Guide
In modern networks, attackers rarely stop at initial access. Once a foothold is gained, the real work begins: lateral movement, the phase where adversaries pivot across systems, escalate privileges, and reach the enterprise assets they came for.
The danger lies in its resemblance to normal administrative behavior. Attackers use built-in tools, legitimate credentials, and ordinary network paths to evade detection. For SOC analysts, detecting lateral movement quickly is the difference between containing an intrusion on a handful of hosts and discovering it only after it has reached the domain controllers.
Here, you'll learn to identify reconnaissance activities, detect active lateral movement across three attack stages, and implement response protocols that contain threats before domain compromise. Whether you're building detection from scratch or enhancing existing capabilities, this guide maps specific Event IDs, detection queries, and response actions to the MITRE ATT&CK framework.
Building Your Detection Infrastructure
Detection depends on visibility. Without centralized log collection and correlation, even the best playbook fails.
Essential Tools and Technologies:
- SIEM platforms: Splunk, Google Chronicle, Microsoft Sentinel.
- EDR solutions: CrowdStrike, Microsoft Defender, SentinelOne.
- Sysmon: Deep process and network telemetry via configurable event IDs.
- Windows Event Forwarding (WEF): Centralize logs efficiently for detection coverage.
Detection Rule Best Practices:
- Baseline normal behavior: Document administrative activities, service account patterns, and scheduled task behavior. Detection logic should rely on these baselines to reduce false positives.
- Tune correlation windows: Lateral movement happens rapidly. Short correlation windows (5-10 minutes) produce more accurate alerts than long ones.
- Account allowlisting: Exclude monitoring systems, scheduled tasks, and service accounts from noisy rules, but audit the list frequently to confirm each entry is still legitimate; an allowlisted service account is exactly what an attacker wants to steal.
- Continuously tune queries based on operational feedback.
SOAR Integrations and Automation:
Automation reduces the needed time to detect and respond, keeping analysts focused on complex investigations.
- Automated isolation workflows: When credible lateral movement indicators are detected, automatically isolate affected endpoints via EDR integrations.
- Threat intelligence enrichment: enrich alerts with threat intelligence automatically on IPs, domains, and file hashes to provide context for decision-making.
- Response playbook triggers: Use SOAR platforms to automate multi-step response procedures such as account disablement, evidence collection, and notification workflows.
The Three-Stage Attack Progression Framework
Detection requires understanding how adversaries move through your network. This guide organizes lateral movement detection into three stages, each with specific indicators and response requirements:
Stage 1: Reconnaissance & Discovery:
Attackers map the network, identify critical targets, and enumerate the Active Directory structure. Detection at this stage offers the best chance to stop progression before any stolen credential is used on a second host.
Stage 2: Lateral Movement Execution:
Attackers freely move between systems using conventional protocols and tools. Speed is critical; the faster you detect and respond, the more you limit the impacted scope.
Stage 3: Privilege Escalation & Domain Compromise:
Attackers target control-level access, often using advanced techniques like DCSync or Kerberos attacks. Detection at this stage requires an immediate major incident declaration.
Each stage comes with specific Event IDs, detection logic, and response actions designed to help in identifying and containing threats early.
Stage 1: Reconnaissance & Discovery Detection
During the scouting phase, attackers explore the network and collect data about the domain structure, users, and trust connections. Their behavior often resembles legitimate administrative enumeration, but at a suspicious speed and scale.
Key Event IDs to Monitor:
Event ID 4688 - Process Creation
Watch for net.exe (and net1.exe), nltest, dsquery, or adfind.exe. These commands enumerate groups, users, or trust paths. Enable the "Include command line in process creation events" policy, or rely on Sysmon Event ID 1; otherwise 4688 records the process name but not the arguments that distinguish net group "Domain Admins" from a routine net use.
Event ID 5156 - Network Connections
Logged when the Windows Filtering Platform allows a connection. It requires the Filtering Platform Connection audit subcategory and is high-volume, but it is useful for detecting internal SMB or LDAP scans on hosts that do not have Sysmon.
Sysmon Event ID 3 - Network Activity
Captures network connections together with the originating process, so a single process (SharpHound, AdFind, or a renamed scanner) reaching many hosts stands out even when the tool itself is unknown.
Behavioral Indicators of Breach
- Multiple discovery commands executed within a 60-second window.
- Repeated queries such as net group "Domain Admins" or nltest /domain_trusts.
- SMB scans to several internal IPs on port 445.
- Execution of known discovery tools like SharpHound, AdFind, or BloodHound.
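The two indicators above that a SIEM can score mechanically are the command burst and the SMB fan-out. The following Python is an added example, not part of the original playbook, showing both rules run over constructed 4688 and Sysmon Event ID 3 records (dictionary field names follow the Windows event XML; hostnames, users, IPs and timestamps are made up). The thresholds, the discovery image list and the command-line markers are assumptions to be tuned against your own baseline.

```python
"""Stage 1 reconnaissance detection over constructed sample events.

Added example, not from the original playbook. Rule 1 flags a host/user
that runs >= THRESHOLD distinct discovery command lines inside a
60-second sliding window (Security 4688). Rule 2 flags a process that
reaches TCP/445 on >= FANOUT distinct IPs inside five minutes (Sysmon 3).
"""
from datetime import datetime, timedelta

# Assumed recon tooling; extend from your own baseline of admin activity.
DISCOVERY_IMAGES = {"net.exe", "net1.exe", "nltest.exe", "dsquery.exe",
                    "adfind.exe", "sharphound.exe", "whoami.exe"}
DISCOVERY_ARGS = ('"domain admins"', "/domain_trusts", "/dclist", "-f objectcategory")


def is_discovery(ev):
    """True for a 4688 whose image or command line matches the recon patterns."""
    image = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "").lower()
    return image in DISCOVERY_IMAGES or any(a in cmd for a in DISCOVERY_ARGS)


def max_distinct_in_window(pairs, window):
    """pairs: (datetime, value). Largest number of distinct values whose
    timestamps fall inside one sliding window of length `window`."""
    pairs = sorted(pairs)
    best = 0
    for i, (t0, _) in enumerate(pairs):
        best = max(best, len({v for t, v in pairs[i:] if t - t0 <= window}))
    return best


def detect_discovery_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return {(host, user): distinct_commands} for keys at or over threshold."""
    by_key = {}
    for ev in events:
        if ev["EventID"] == 4688 and is_discovery(ev):
            key = (ev["Computer"], ev["SubjectUserName"])
            by_key.setdefault(key, []).append((ev["Time"], ev["CommandLine"].lower()))
    hits = {}
    for key, pairs in by_key.items():
        n = max_distinct_in_window(pairs, window)
        if n >= threshold:
            hits[key] = n
    return hits


def detect_smb_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Return {(host, image): distinct_dest_ips} for Sysmon 3 events to port 445."""
    by_key = {}
    for ev in events:
        if ev["EventID"] == 3 and ev.get("DestinationPort") == 445:
            key = (ev["Computer"], ev["Image"].rsplit("\\", 1)[-1].lower())
            by_key.setdefault(key, []).append((ev["Time"], ev["DestinationIp"]))
    hits = {}
    for key, pairs in by_key.items():
        n = max_distinct_in_window(pairs, window)
        if n >= threshold:
            hits[key] = n
    return hits


# ---- constructed sample data (not real logs) ----
T0 = datetime(2024, 5, 1, 9, 0, 0)


def proc_ev(sec, host, user, image, cmd):
    return {"EventID": 4688, "Time": T0 + timedelta(seconds=sec), "Computer": host,
            "SubjectUserName": user, "NewProcessName": image, "CommandLine": cmd}


def net_ev(sec, host, image, ip):
    return {"EventID": 3, "Time": T0 + timedelta(seconds=sec), "Computer": host,
            "Image": image, "DestinationIp": ip, "DestinationPort": 445}


SAMPLE_EVENTS = [
    # Attacker on WS01: four distinct recon commands inside 40 seconds.
    proc_ev(0, "WS01", "jdoe", r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    proc_ev(10, "WS01", "jdoe", r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    proc_ev(25, "WS01", "jdoe", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp"),
    proc_ev(40, "WS01", "jdoe", r"C:\Users\jdoe\adfind.exe", "adfind.exe -f objectcategory=computer"),
    proc_ev(50, "WS01", "jdoe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    # Admin on SRV01: a single net command, under threshold.
    proc_ev(3600, "SRV01", "opsadmin", r"C:\Windows\System32\net.exe", "net user svc_backup /domain"),
    # Renamed scanner on WS01 sweeping port 445 across six hosts.
    *[net_ev(60 + i, "WS01", r"C:\Users\jdoe\svchost.exe", f"10.0.1.{10 + i}") for i in range(6)],
    # Backup agent legitimately touching two file servers.
    net_ev(100, "BKP01", r"C:\Program Files\Backup\agent.exe", "10.0.2.5"),
    net_ev(101, "BKP01", r"C:\Program Files\Backup\agent.exe", "10.0.2.6"),
]

if __name__ == "__main__":
    print("discovery bursts:", detect_discovery_bursts(SAMPLE_EVENTS))
    print("smb fan-out:", detect_smb_fanout(SAMPLE_EVENTS))
```

The sliding window is deliberate: a tumbling 60-second bucket would split a burst that straddles a minute boundary. Keying the SMB rule on the process image rather than the host alone is what separates a renamed scanner from a backup agent on the same machine.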
Immediate Response Actions
- Quarantine the endpoint using EDR host isolation.
- Capture process memory for credential theft analysis and check for LSASS access (Sysmon Event ID 10 with lsass.exe as the target process).
- Review the preceding 48 hours of process-tree and network logs for related internal pivot attempts.
- Escalate to Tier 2 if persistence or suspicious tools are detected.
Stage 2: Lateral Movement Execution
Once exploration provides insight, attackers begin pivoting laterally, utilizing stolen credentials and remote services to execute commands on new hosts.
Critical Event IDs for Lateral Movement:
Event ID 4624 Type 3 - Network Logon
Signals a logon over the network (SMB, PsExec, WinRM; RDP appears as Type 10 instead). The event is written on the destination host, so correlate by account across hosts: the same account producing Type 3 logons on many hosts in a short period is suspicious.
Event ID 4648 - Explicit Credentials Used
Logged on the source host when a process supplies alternate credentials for a logon (runas, PsExec -u, or pass-the-hash tooling injecting a stolen hash), commonly seen in credential replay attacks.
Event ID 4672 - Special Privileges Assigned
Logged at logon for accounts holding sensitive privileges (e.g., domain admins or anyone with SeDebugPrivilege). Join it to 4624 on the Logon ID to track privileged logons across hosts.
Event ID 7045 - Service Installation
Logged in the System log when a new service is installed, which is how PsExec-style tools execute remotely (PSEXESVC by default); the Security log equivalent is 4697. WMI execution does not create a service, so watch for child processes of WmiPrvSE.exe instead.
Event IDs 5140 / 5145 - Admin Share Access
Catch access to administrative shares such as \\ADMIN$, \\C$ and the IPC$ named-pipe share, typical of SMB-based lateral movement (PsExec copies its service binary to ADMIN$). 5145 requires the Detailed File Share audit subcategory and records the relative path, which is what distinguishes PSEXESVC.exe from a routine file copy.
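The Event IDs above become a detection only when they are correlated: a Type 3 logon on its own is routine, but a Type 3 logon followed within a minute or two by a service install or ADMIN$ access on the same host, by the same account, is PsExec-style execution. The Python below is an added example, not from the original playbook. It assumes the SIEM has already normalized every record to carry an Account and Computer field (raw 7045 only records the caller's SID in its System element, so that join is the SIEM's job), and the allowlist of service accounts implements the baseline exclusion described under Detection Rule Best Practices. All hosts, accounts and addresses are constructed.

```python
"""Stage 2 lateral movement correlation over constructed sample events.

Added example, not from the original playbook. Rule A (fan-out): one
account producing 4624 LogonType 3 on >= threshold distinct hosts inside
one 10-minute bucket. Rule B (chained execution): a Type 3 logon followed
within two minutes, on the same host and by the same account, by 7045
(service installed) or 5145 against ADMIN$ or C$.

Allow-listed service accounts are excluded from Rule A only; they still
trigger Rule B, because a service account installing services on a new
host is exactly the deviation from baseline to catch.
"""
from datetime import datetime, timedelta

ALLOWLIST = {"svc_backup$", "svc_monitor"}       # constructed baseline entries
ADMIN_SHARES = {r"\\*\admin$", r"\\*\c$"}         # ShareName as Windows logs it


def bucket(t, minutes=10):
    """Start of the tumbling window containing t."""
    return t.replace(minute=(t.minute // minutes) * minutes, second=0, microsecond=0)


def fanout_alerts(events, threshold=3):
    """{(account, bucket_start): sorted hosts} for accounts that logged on
    over the network to >= threshold distinct hosts within one bucket."""
    seen = {}
    for ev in events:
        if ev["EventID"] == 4624 and ev["LogonType"] == 3:
            acct = ev["Account"].lower()
            if acct in ALLOWLIST:
                continue
            seen.setdefault((acct, bucket(ev["Time"])), set()).add(ev["Computer"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


def chained_execution_alerts(events, window=timedelta(minutes=2)):
    """[(account, host, source_ip, followup_event_id)] for Type 3 logons
    followed on the same host, by the same account, by a service install
    or admin-share access inside `window`."""
    logons = [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 3]
    followups = [e for e in events
                 if e["EventID"] == 7045
                 or (e["EventID"] == 5145 and e["ShareName"].lower() in ADMIN_SHARES)]
    alerts = []
    for lg in logons:
        for fu in followups:
            same_host = fu["Computer"] == lg["Computer"]
            same_acct = fu["Account"].lower() == lg["Account"].lower()
            delta = fu["Time"] - lg["Time"]
            if same_host and same_acct and timedelta(0) <= delta <= window:
                alerts.append((lg["Account"], lg["Computer"], lg["SourceIp"], fu["EventID"]))
    return alerts


# ---- constructed sample data (not real logs) ----
T0 = datetime(2024, 5, 1, 14, 0, 0)


def make_event(sec, eid, host, account, **fields):
    rec = {"EventID": eid, "Time": T0 + timedelta(seconds=sec),
           "Computer": host, "Account": account}
    rec.update(fields)
    return rec


SAMPLE_EVENTS = [
    # Attacker holding jdoe's credentials pivots PsExec-style to three servers.
    make_event(0, 4624, "SRV01", "jdoe", LogonType=3, SourceIp="10.0.1.15"),
    make_event(20, 5145, "SRV01", "jdoe", ShareName=r"\\*\ADMIN$", RelativeTargetName="PSEXESVC.exe"),
    make_event(25, 7045, "SRV01", "jdoe", ServiceName="PSEXESVC"),
    make_event(120, 4624, "SRV02", "jdoe", LogonType=3, SourceIp="10.0.1.15"),
    make_event(130, 7045, "SRV02", "jdoe", ServiceName="PSEXESVC"),
    make_event(240, 4624, "SRV03", "jdoe", LogonType=3, SourceIp="10.0.1.15"),
    # Baseline: the backup service account sweeps every file server nightly.
    make_event(0, 4624, "FS01", "svc_backup$", LogonType=3, SourceIp="10.0.2.10"),
    make_event(5, 4624, "FS02", "svc_backup$", LogonType=3, SourceIp="10.0.2.10"),
    make_event(10, 4624, "FS03", "svc_backup$", LogonType=3, SourceIp="10.0.2.10"),
    # Console logon (Type 2): not lateral movement.
    make_event(300, 4624, "WS07", "asmith", LogonType=2, SourceIp="-"),
    # Share access on SRV03 long before the logon: outside the window.
    make_event(-900, 5145, "SRV03", "jdoe", ShareName=r"\\*\C$", RelativeTargetName=r"Temp\a.txt"),
]

if __name__ == "__main__":
    print("fan-out:", fanout_alerts(SAMPLE_EVENTS))
    print("chained execution:", chained_execution_alerts(SAMPLE_EVENTS))
```

Rule B is the higher-fidelity of the two and should page immediately; Rule A is the one that needs the allowlist and regular review, since vulnerability scanners and backup agents fan out by design.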
MITRE ATT&CK Techniques
| Technique | Description |
|---|---|
| T1021.001 | RDP (port 3389) used for remote access. |
| T1021.002 | SMB / PsExec lateral movement via admin shares. |
| T1021.006 | WinRM execution through PowerShell remoting. |
| T1047 | WMI execution across systems. |
| T1569.002 | Service creation for remote execution. |
Critical Response Protocol
- Escalate to IR team instantly.
- Deactivate compromised accounts and reset users' credentials.
- Isolate both source and destination hosts.
- Inspect for credential dumping: Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe, or Security Event 4656 if you have set an audit SACL on the LSASS process object.
- Block lateral network traffic using EDR or firewall policies.
Speed is vital: each additional host an attacker reaches before containment is another set of cached credentials to steal and another system to rebuild.
Stage 3: Privilege Escalation & Domain Compromise
In this final stage, attackers escalate privileges to gain domain control, often targeting AD for persistence and dominance.
Domain-Level Attack Event IDs
| Event ID | Description |
|---|---|
| 4662 | Operation performed on an AD object. A DCSync appears as a 4662 whose Properties list the DS-Replication-Get-Changes rights, issued by an account that is not a domain controller. |
| 4768 | Kerberos TGT requested. A Golden Ticket is forged offline and never produces a 4768, so its use shows up as 4769 service-ticket requests with no preceding 4768 for that account. |
| 4769 | Kerberos service ticket requested. A Silver Ticket is presented directly to the target service and never touches the DC, so look for a 4624 on the target with no corresponding 4769. |
| 4776 | NTLM credential validation on the DC. Pass-the-Hash produces NTLM network logons (4624 Type 3 with authentication package NTLM) from hosts where that account has no business. |
| 4720 | New user account creation. |
Advanced Threat Patterns
- DCSync Attacks: attackers use tools like Mimikatz to request directory replication data.
- Golden Ticket: forged Kerberos TGT granting full domain privileges.
- Silver Ticket: forged service ticket targeting specific SPNs.
- Skeleton Key: backdoor injected into domain controller authentication logic.
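The table and the patterns above reduce to two checks a SIEM can run on DC logs: replication rights requested by something other than a DC (DCSync), and service tickets issued to an account that never obtained a TGT from any DC (the Golden Ticket lead). The Python below is an added example, not from the original playbook. The three GUIDs are the real control-access-right GUIDs that appear in the Properties field of a 4662 during replication; the DC list, the allow-listed replication account (the Azure AD Connect MSOL_ account is the usual legitimate non-DC replicator) and every event value are constructed assumptions.

```python
"""Stage 3 domain-compromise detection over constructed sample events.

Added example, not from the original playbook. Rule A (DCSync): a 4662
whose Properties include a DS-Replication-Get-Changes* right, issued by
an account that is neither a known domain controller nor an allow-listed
replication identity. Rule B (Golden Ticket hunt): a 4769 for an account
with no successful 4768 on any DC in the preceding lookback.
"""
from datetime import datetime, timedelta

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
DOMAIN_CONTROLLERS = {"dc01$", "dc02$"}          # constructed; computer accounts of your DCs
REPLICATION_ALLOWLIST = {"msol_a1b2c3d4"}         # constructed Azure AD Connect account


def dcsync_alerts(events):
    """[(account, source_ip, dc)] for 4662 events requesting replication
    rights from a non-DC, non-allow-listed account."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        acct = ev["SubjectUserName"].lower()
        rights = {g.lower() for g in ev["Properties"]}
        if rights & REPLICATION_RIGHTS and acct not in DOMAIN_CONTROLLERS | REPLICATION_ALLOWLIST:
            alerts.append((ev["SubjectUserName"], ev.get("IpAddress", "-"), ev["Computer"]))
    return alerts


def tgs_without_tgt(events, lookback=timedelta(hours=10)):
    """[(account, service, source_ip)] for 4769s with no successful 4768
    for the same account in the preceding `lookback` on any DC.

    The default lookback equals the 10-hour maximum TGT lifetime. A hit is a
    hunt lead, not proof of a forged TGT: a legitimately cached TGT older
    than your log retention produces the same gap, so triage by source host
    and service before escalating."""
    tgt_times = {}
    for ev in events:
        # 4768 Status 0x0 is success; 0x18 (bad password) etc. issue no ticket.
        if ev["EventID"] == 4768 and ev.get("Status", "0x0") == "0x0":
            tgt_times.setdefault(ev["TargetUserName"].lower(), []).append(ev["Time"])
    leads = []
    for ev in events:
        if ev["EventID"] != 4769:
            continue
        acct = ev["TargetUserName"].lower().split("@")[0]   # 4769 carries user@REALM
        covered = any(timedelta(0) <= ev["Time"] - t <= lookback
                      for t in tgt_times.get(acct, []))
        if not covered:
            leads.append((ev["TargetUserName"], ev["ServiceName"], ev.get("IpAddress", "-")))
    return leads


# ---- constructed sample data (not real logs) ----
T0 = datetime(2024, 5, 1, 22, 0, 0)


def make_event(sec, eid, dc, **fields):
    rec = {"EventID": eid, "Time": T0 + timedelta(seconds=sec), "Computer": dc}
    rec.update(fields)
    return rec


SAMPLE_EVENTS = [
    # Normal replication: DC to DC, and the Azure AD Connect account.
    make_event(0, 4662, "DC01", SubjectUserName="DC02$", IpAddress="10.0.0.2",
               Properties=["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                           "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
    make_event(5, 4662, "DC01", SubjectUserName="MSOL_a1b2c3d4", IpAddress="10.0.0.20",
               Properties=["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
    # DCSync from a workstation using a stolen admin account.
    make_event(60, 4662, "DC01", SubjectUserName="jdoe_adm", IpAddress="10.0.1.15",
               Properties=["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                           "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
    # Ordinary 4662 (read of a user object) carrying no replication right.
    make_event(70, 4662, "DC01", SubjectUserName="helpdesk1", IpAddress="10.0.1.40",
               Properties=["bf967aba-0de6-11d0-a285-00aa003049e2"]),
    # Kerberos: asmith obtains a TGT, then a service ticket: normal.
    make_event(100, 4768, "DC02", TargetUserName="asmith", Status="0x0"),
    make_event(130, 4769, "DC02", TargetUserName="asmith@CORP.LOCAL",
               ServiceName="cifs/fs01", IpAddress="10.0.1.22"),
    # Administrator gets a service ticket with no TGT request anywhere: lead.
    make_event(200, 4769, "DC01", TargetUserName="Administrator@CORP.LOCAL",
               ServiceName="ldap/dc01", IpAddress="10.0.1.15"),
    # bob's only 4768 failed pre-authentication, so his 4769 is also a lead.
    make_event(150, 4768, "DC01", TargetUserName="bob", Status="0x18"),
    make_event(160, 4769, "DC01", TargetUserName="bob@CORP.LOCAL",
               ServiceName="cifs/fs02", IpAddress="10.0.1.30"),
]

if __name__ == "__main__":
    print("DCSync:", dcsync_alerts(SAMPLE_EVENTS))
    print("TGS without TGT:", tgs_without_tgt(SAMPLE_EVENTS))
```

Rule A should be a paging alert with near-zero false positives once the DC and replication-service exclusions are right; Rule B is a hunt query to run over the full retention window, which is why the lookback is a parameter.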
Major Incident Response Procedures
- Declare a major incident and start incident-command mode.
- Reset the KRBTGT password twice, waiting for replication to complete and at least the maximum TGT lifetime (10 hours by default) between the resets. The KDC still accepts tickets encrypted with the previous KRBTGT key, so only the second reset invalidates forged Kerberos tickets.
- Reset admin credentials immediately.
- Collect forensic images of affected domain controllers.
- Hunt for persistence mechanisms (services, scheduled tasks, registry).
- Inform legal and CISO teams due to potential breach disclosure requirements.
Analyze Detection Effectiveness
You can't improve what you can't measure. SOC teams should define clear KPIs for their detection capabilities.
Key Performance Indicators:
| KPI | Description |
|---|---|
| Mean Time to Detect (MTTD) | Time from the first lateral movement activity to the first alert. |
| Mean Time to Respond (MTTR) | Time from detection to containment. |
| False Positive Rate | Measure alert accuracy. |
| MITRE ATT&CK Coverage | Percentage of techniques covered by the rules. |
Continuous Improvement:
Detection engineering is never finished.
- Weekly rule review: Identify false positives for tuning and true positives for lessons learned.
- Quarterly threat hunting: Search for lateral movement indicators in historical data.
- Red Team Validation: Have your red team or external penetration tester attempt lateral movement.
- Detection Gap Analysis: Map your detection coverage to the MITRE ATT&CK lateral movement techniques and record which ones have no rule.
Quick Guide for Lateral Movement Detection
Phase 1 - Foundation
Start with infrastructure:
- Roll Sysmon out to all endpoints using configuration from SwiftOnSecurity or similar resources.
- Set up Windows Event Forwarding from all domain controllers and member servers.
- Configure SIEM log intake, and validate you're capturing Security, System, and Sysmon logs.
- Ensure thorough log collection across your environment.
Phase 2 - Detection Rules
Build detection capabilities:
- Stage 1: detection queries for discovery activity, focusing on Event IDs 4688, 5156, and Sysmon Event ID 3.
- Stage 2: detection queries for lateral movement implementation, highlighting Event ID 4624 Type 3 correlation.
- Stage 3: Detection queries for privilege escalation, particularly Event ID 4662 for DCSync detection.
- Adjust detection rules to match your environment's normal behavior.
Phase 3 - Response and Testing
Operationalise your capabilities:
- Develop response playbooks for each attack stage.
- Train the IR team on Lateral Movement indicators and response techniques.
- Run exercises simulating lateral movement scenarios.
- Verify automated response workflows function.
Common Pitfalls to Avoid
Insufficient Event Log Collection:
Lack of Sysmon or Windows Event Forwarding breaks visibility. Ensure centralized collection and adequate retention.
Neglecting Account Service Behavior:
Service accounts are prime lateral movement targets because their credentials are often static and cached on many hosts. Track their logons and flag deviations from baseline (new source hosts, interactive logons, off-schedule activity).
Delayed Escalation Procedures:
Slow response keeps dwell time high. Automate escalation triggers to IR when critical rules fire.
Lack of Network Segmentation:
Flat network enables unrestricted lateral travel. Segment sensitive zones and restrict RDP/SMB between segments.
Conclusion and Key Takeaways
Before closing this guide, make sure you have implemented these controls:
- Turn on Sysmon Event ID 3 to track network connections.
- Set up forwarding for Key security Event IDs (4624, 4648, 4662, 4768).
- Create an admin-only account baseline separate from service identities.
- Draft escalation procedures with 24/7 contact information.
- Reset the KRBTGT password twice after a confirmed domain compromise.
- Deploy EDR across the entire endpoint fleet with host isolation enabled.
- Test the containment workflow and check if it executes in under 15 minutes.
Lateral movement is at the center of nearly every major breach. Detecting it requires data visibility, monitoring, and well-tested response playbooks. By aligning detection with MITRE ATT&CK and continuously improving your KPIs, your SOC can detect and stop lateral movement before attackers achieve their objectives.