Salem Spellbook
A series of alert triage runbooks for information security analysts

Lateral Movement

Lateral Movement alerts detect suspicious movement between internal systems, to uncover adversaries already in your network. These detections cover remote system access (including RDP), remote data access (including via network shares), and access token manipulation (including pass-the-hash attacks).

Get Runbook PDF

Common Alerts

Alerts that typically can be triaged with this runbook:
  • RDP from same source to multiple destinations
  • L2L SMB (Server Message Block) traffic observed
  • Telnet & SSH traffic observed from same source to multiple destinations
  • L2L vertical/horizontal port scan detected
  • Detected activity related to pass-the-hash attack
  • Abnormal inbound connection towards the restricted zone from internal host

Typical false positive scenarios

Most alerts you'll see as a cyber analyst are false positives. Here are the top false positive scenarios to consider when you're deciding whether an alert should be escalated to incident response.

Helpdesk admin connecting from their workstation to another user's workstation via RDP
The direction is important here: a Helpdesk admin connecting from a workstation that isn't theirs is suspicious.

Management server connecting to systems to update software or back up data
Legitimate IT system management tools often get flagged for suspicious activity such as remote file copying.

Admin has created a network share to access files from multiple users in the network
IT and application admins often need to move data around a network and may set up a network share to do so.
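As an added example (not part of the runbook and not Salem's detection logic), the script below applies the three false-positive scenarios above, plus the "same source to multiple destinations" fan-out check from the Common Alerts list, to a constructed batch of lateral-movement events. The asset inventory (helpdesk admin workstations, management servers, approved share hosts), the event field names (src, dst, proto, user) and the fan-out threshold are all assumptions for illustration.

```python
"""Triage lateral-movement events against known false-positive patterns.

Constructed example: the inventory and events are made up for illustration,
and field names (src, dst, proto, user) are assumptions.
"""
from collections import defaultdict

# Constructed inventory (assumption): which workstation belongs to which
# helpdesk admin, which hosts are management servers, approved share hosts.
HELPDESK_WORKSTATIONS = {"WS-HD01": "hd.alice", "WS-HD02": "hd.bob"}
MANAGEMENT_SERVERS = {"SCCM01", "BACKUP01"}
APPROVED_SHARE_HOSTS = {"FS01"}
WORKSTATION_PREFIX = "WS-"
REMOTE_ACCESS_PROTOS = {"rdp", "ssh", "telnet"}
FANOUT_THRESHOLD = 3  # distinct destinations from one source (assumption)

# Constructed sample events, in the order an analyst might receive them.
EVENTS = [
    {"src": "WS-HD01", "dst": "WS-0042", "proto": "rdp", "user": "hd.alice"},
    {"src": "WS-0017", "dst": "WS-0042", "proto": "rdp", "user": "hd.alice"},
    {"src": "SCCM01", "dst": "WS-0042", "proto": "smb", "user": "svc.sccm"},
    {"src": "WS-0042", "dst": "FS01", "proto": "smb", "user": "app.admin"},
    {"src": "WS-0099", "dst": "SRV-DB01", "proto": "ssh", "user": "jdoe"},
    {"src": "WS-0099", "dst": "SRV-DB02", "proto": "ssh", "user": "jdoe"},
    {"src": "WS-0099", "dst": "SRV-WEB01", "proto": "ssh", "user": "jdoe"},
    {"src": "WS-0099", "dst": "WS-0050", "proto": "smb", "user": "jdoe"},
    {"src": "SRV-APP01", "dst": "SRV-DB01", "proto": "rdp", "user": "svc.app"},
]


def compute_fanout(events):
    """Count distinct remote-access destinations per source host."""
    dests = defaultdict(set)
    for ev in events:
        if ev["proto"] in REMOTE_ACCESS_PROTOS:
            dests[ev["src"]].add(ev["dst"])
    return {src: len(d) for src, d in dests.items()}


def triage_event(ev, fanout):
    """Return (verdict, reason); verdict is benign, escalate or review."""
    src, dst, proto, user = ev["src"], ev["dst"], ev["proto"], ev["user"]
    home_of = {u: h for h, u in HELPDESK_WORKSTATIONS.items()}

    # Scenario 1: helpdesk RDP is expected only FROM the admin's own box.
    if proto == "rdp" and user in home_of:
        if src == home_of[user]:
            return "benign", "helpdesk admin RDP from their own workstation"
        return "escalate", (f"helpdesk admin {user} connected from {src}, "
                            f"not their workstation {home_of[user]}")

    # Scenario 2: management servers push software and pull backups.
    if src in MANAGEMENT_SERVERS:
        return "benign", "management server updating software or backing up"

    # Scenario 3: admins stage data on an approved network share.
    if proto == "smb" and dst in APPROVED_SHARE_HOSTS:
        return "benign", "access to an approved admin network share"

    # Common alert: one source reaching many hosts over RDP/SSH/Telnet.
    if proto in REMOTE_ACCESS_PROTOS and fanout.get(src, 0) >= FANOUT_THRESHOLD:
        return "escalate", f"{src} reached {fanout[src]} hosts over {proto}"

    # Workstation-to-workstation SMB matches no benign pattern here.
    if (proto == "smb" and src.startswith(WORKSTATION_PREFIX)
            and dst.startswith(WORKSTATION_PREFIX)):
        return "escalate", "workstation-to-workstation SMB"

    return "review", "no known false-positive pattern; needs analyst context"


def triage(events):
    """Triage every event, returning (event, verdict, reason) tuples."""
    fanout = compute_fanout(events)
    return [(ev, *triage_event(ev, fanout)) for ev in events]


def summarize(results):
    """Tally verdicts so the analyst sees what needs attention first."""
    counts = defaultdict(int)
    for _, verdict, _ in results:
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    res = triage(EVENTS)
    for ev, verdict, reason in res:
        print(f"{verdict:8} {ev['src']:>9} -> {ev['dst']:<9} {ev['proto']:6} {reason}")
    print(summarize(res))
```

The helpdesk rule runs before the management-server rule so that the direction check is never bypassed by a broader allow rule; in practice the inventory would come from your CMDB or asset database rather than a hard-coded dict.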

Have questions or changes to propose?

Join the conversation on Twitter @salemcyber

Have too many False Positives?

Learn how Salem, the AI cyber analyst, can reduce false positives for this and many more cyber threat use cases.
