Lateral Movement

A cyber alert triage playbook with insights from former cyber analysts who have lived this pain


What is the threat scenario?

Lateral Movement alerts detect suspicious movement between internal systems to uncover adversaries who are already inside your network. These detections cover remote system access (including RDP), remote data access (including access via network shares), and access token manipulation (including pass-the-hash attacks).


What context should you gather?

Systems Involved

Identify the source and target system involved in the network connection

Account(s) Used

Identify the account used to initiate the connection. Sometimes one account initiates an action as a second account: a user logs in as themselves, then runs a command as another user (for example via sudo), or opens a connection under a different user name. This is common in SSH connections, where the local account and the remote login account (user@host) can differ, so record both.

Type of Connection

Lateral movement threats by definition involve some sort of connection set up between two systems. Identify the connection protocol used. Common examples include:

  • remote access, such as SSH and RDP
  • file transfer, such as SCP, FTP and SMB
  • API, where the remote target is an application

Program used to initiate connection

In many cases of lateral movement, you can identify or infer the tool used to make the connection. Often it is a common program or utility, either preinstalled or installed by a user. Common examples include:

  • Web browsers, such as chrome.exe, msedge.exe, and firefox.exe
  • Remote access tools, such as putty.exe and TeamViewer.exe
  • Command shells and terminals, such as cmd.exe and wt.exe
  • Scripting languages, such as python.exe and powershell.exe
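The four context items above (systems involved, accounts used, type of connection, initiating program) can be pulled out of endpoint telemetry mechanically. The following is an added example, not code from the original playbook or the vendor's product. It assumes a Sysmon-like event shape (process-creation and network-connection records flattened into dicts) and uses a constructed sample in which a user opens cmd.exe, runs ssh.exe as a different remote user, and ssh.exe makes the outbound connection; the port-to-protocol table is also an assumption and should be extended for your environment.

```python
"""Assemble the context this playbook asks for (systems, accounts, connection
type, initiating program) from endpoint telemetry.

Added example; not code from the original page. The event shape is an
assumption modelled loosely on Sysmon process-creation and network-connection
records, flattened into dicts.
"""
import re
from collections import namedtuple

# Constructed sample telemetry: cmd.exe -> ssh.exe as svc_build -> outbound tcp/22.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-ALICE", "user": "CORP\\alice", "pid": 4120,
     "parent_pid": 900, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "host": "WS-ALICE", "user": "CORP\\alice", "pid": 4188,
     "parent_pid": 4120, "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe svc_build@build01.corp.local"},
    {"type": "network", "host": "WS-ALICE", "user": "CORP\\alice", "pid": 4188,
     "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "src_ip": "10.1.5.23", "dst_ip": "10.1.20.8", "dst_port": 22,
     "dst_host": "build01.corp.local"},
]

# Destination port -> (protocol, connection category used by the playbook). Assumed table.
PORT_CATEGORIES = {
    22: ("SSH", "remote access"),
    3389: ("RDP", "remote access"),
    5985: ("WinRM", "remote access"),
    5986: ("WinRM", "remote access"),
    21: ("FTP", "file transfer"),
    445: ("SMB", "file transfer"),
    80: ("HTTP", "API"),
    443: ("HTTPS", "API"),
}

TriageContext = namedtuple("TriageContext", [
    "source", "target", "initiating_account", "effective_account",
    "protocol", "connection_type", "program", "parent_program",
])


def basename(path):
    """Last component of a Windows or POSIX path, or None."""
    return re.split(r"[\\/]", path)[-1] if path else None


def effective_remote_account(cmdline):
    """Remote user from an ssh/scp style 'user@host' argument, if present.

    This is the 'one account initiating an action as a second account' case.
    """
    m = re.search(r"\b([\w.-]+)@[\w.-]+", cmdline)
    return m.group(1) if m else None


def build_contexts(events):
    """One TriageContext per network-connection event, joined to its process tree."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    contexts = []
    for e in events:
        if e["type"] != "network":
            continue
        proc = procs.get(e["pid"], {})
        parent = procs.get(proc.get("parent_pid"), {})
        proto, category = PORT_CATEGORIES.get(
            e["dst_port"], (f"tcp/{e['dst_port']}", "unknown"))
        initiating = e["user"]
        contexts.append(TriageContext(
            source=e["host"],
            target=e.get("dst_host") or e["dst_ip"],
            initiating_account=initiating,
            # Fall back to the initiating account when no second account is visible.
            effective_account=effective_remote_account(proc.get("cmdline", "")) or initiating,
            protocol=proto,
            connection_type=category,
            program=basename(proc.get("image") or e.get("image")),
            parent_program=basename(parent.get("image")),
        ))
    return contexts


if __name__ == "__main__":
    for ctx in build_contexts(SAMPLE_EVENTS):
        for field, value in ctx._asdict().items():
            print(f"{field:>19}: {value}")
```

The parent program is worth capturing alongside the program itself: ssh.exe spawned from a shell a user opened reads very differently from ssh.exe spawned from a scheduled task or an office document.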

What questions should you ask?

1. How are the accounts involved typically used?

Understanding what the accounts involved in this activity normally do is often the strongest indicator of whether the activity is expected.

  • For user accounts: Would that user plausibly need to perform this action as part of their role?
  • For service accounts: Is the action the account is performing related to its assigned service? An account associated with a running application shouldn't normally be relying on a remote access utility to connect to a remote system.
  • For system accounts: Most operating systems have a default system account (for example, SYSTEM on Windows or root on Linux). These accounts typically run necessary OS processes, so a system account initiating a connection to another host is unusual and deserves a closer look.

2. Was the connection initiated interactively or not?

Interactive actions are taken by a person who is typing commands or using GUI applications. Reviewing command histories or process trees can often show whether a person was interacting with the system or whether a programmatic process initiated the activity. One giveaway is timing: commands that arrive in rapid succession, with no pauses, typos or retries, were usually not typed by a person. People make mistakes and are generally not optimally efficient with their tasks. Programmatic actions usually warrant more suspicion, especially when they are actions you don't see happening frequently in your environment.

Additionally, consider if the account was used in an expected way. A user account performing actions programmatically could be suspicious.
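The "was a person typing?" question above can be approximated from a timestamped command history. The following is an added example, not code from the original playbook. It assumes bash history with HISTTIMEFORMAT enabled (each command preceded by a `#<epoch>` line) and uses two constructed sessions: one where a person pauses and retypes a mistyped path, and one where a script replays the same tasks with no pauses. The thresholds are assumptions to tune against your own baseline.

```python
"""Heuristic for 'was it a person typing?' over a timestamped command history.

Added example; not code from the original playbook. Input format is an
assumption: bash history with HISTTIMEFORMAT set, i.e. a '#<epoch>' line
before each command.
"""
from difflib import SequenceMatcher
from statistics import median

# Constructed sample: a person fixing a typo and pausing between commands.
HUMAN_SESSION = """\
#1706700000
ls -la /var/wwww
#1706700004
ls -la /var/www
#1706700021
cat /etc/hosts
#1706700070
ssh deploy@app02
"""

# Constructed sample: a script replaying the same tasks within one second.
SCRIPTED_SESSION = """\
#1706700100
ls -la /var/www
#1706700100
cat /etc/hosts
#1706700100
ssh deploy@app02
#1706700100
scp /tmp/x.tgz deploy@app02:/tmp/
"""


def parse_history(text):
    """Return [(epoch, command), ...] from bash history with timestamps."""
    ts, out = None, []
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            ts = int(line[1:])
        elif line.strip() and ts is not None:
            out.append((ts, line.strip()))
    return out


def assess_session(text, fast_gap_s=1, max_fast_ratio=0.5, similarity=0.8):
    """Classify a session as likely interactive or likely programmatic.

    Signals: share of commands issued within fast_gap_s of the previous one,
    and 'corrections' (consecutive near-identical commands, typical of a
    retyped typo), which are a strong human indicator.
    """
    cmds = parse_history(text)
    pairs = list(zip(cmds, cmds[1:]))
    gaps = [b[0] - a[0] for a, b in pairs]
    corrections = sum(
        1 for a, b in pairs
        if a[1] != b[1] and SequenceMatcher(None, a[1], b[1]).ratio() > similarity
    )
    fast_ratio = sum(g <= fast_gap_s for g in gaps) / len(gaps) if gaps else 0.0
    reasons = []
    if fast_ratio > max_fast_ratio:
        reasons.append(f"{fast_ratio:.0%} of commands within {fast_gap_s}s of the previous one")
    if corrections:
        reasons.append(f"{corrections} retyped/corrected command(s)")
    programmatic = fast_ratio > max_fast_ratio and corrections == 0
    return {
        "verdict": "likely programmatic" if programmatic else "likely interactive",
        "commands": len(cmds),
        "median_gap_s": median(gaps) if gaps else None,
        "corrections": corrections,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, session in (("human", HUMAN_SESSION), ("scripted", SCRIPTED_SESSION)):
        print(name, assess_session(session))
```

Treat the result as one input to the interactive-versus-programmatic judgement, not the answer: an attacker pasting a prepared command block looks programmatic, and a slow script with sleeps looks human. The process tree (who launched the shell) should be read alongside it.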

False Positive Scenarios

Helpdesk admin connecting from their own workstation to another user's workstation via RDP
The direction is important here. The expected pattern is admin workstation to user workstation; the same admin account connecting from a workstation that isn't their own is suspicious.

Management servers connecting to systems to update software or backup data
Legitimate IT system management tools often get flagged for suspicious activity such as remote file copying. These services often are connecting to many systems and typically use a dedicated service account.

Admin has created a network share to access files from multiple users in the network
IT and application admins often need to move data around a network and may set up a network share to do so.

Developer remotely accessing a development server via RDP or SSH
Developers routinely log into development and pre-production systems to perform their job duties. This connection might come from their workstation or, sometimes, from a dedicated jump server where a developer will first connect to the jump server then connect from the jump server to the final target server.
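The four scenarios above share one shape: a known account role, connecting in a known direction, over a known protocol. That can be written as an expected-pattern check that a triage workflow runs before escalating. The following is an added example, not code from the original page or the vendor's product. The host roles, account roles and pattern table are constructed; in practice they would be looked up from the CMDB and identity provider.

```python
"""Expected-pattern check for the false-positive scenarios in this playbook.

Added example; not code from the original page. Host roles, account roles
and the pattern table are constructed stand-ins for CMDB / IdP lookups.
"""

# Constructed asset inventory (assumption: keyed by hostname).
HOST_ROLES = {
    "WS-HELPDESK-01": "helpdesk_workstation",
    "WS-BOB": "user_workstation",
    "MGMT-SCCM-01": "management_server",
    "JUMP-DEV-01": "jump_server",
    "WS-DEV-CAROL": "developer_workstation",
    "DEV-APP-02": "dev_server",
}

# Constructed identity inventory (assumption: keyed by account name).
ACCOUNT_ROLES = {
    "CORP\\hd_admin": "helpdesk_admin",
    "CORP\\svc_sccm": "management_service",
    "CORP\\carol": "developer",
    "CORP\\bob": "user",
}

# (account role, allowed source roles, allowed target roles, allowed protocols).
# Direction matters: the same two hosts in the opposite order do not match.
EXPECTED_PATTERNS = [
    ("helpdesk_admin", {"helpdesk_workstation"}, {"user_workstation"}, {"RDP"}),
    ("management_service", {"management_server"},
     {"user_workstation", "dev_server"}, {"SMB", "WinRM"}),
    ("developer", {"developer_workstation", "jump_server"},
     {"dev_server", "jump_server"}, {"SSH", "RDP"}),
]


def is_expected(source, target, account, protocol):
    """Return (matched, reason). Unknown hosts or accounts never match."""
    src_role = HOST_ROLES.get(source)
    dst_role = HOST_ROLES.get(target)
    acct_role = ACCOUNT_ROLES.get(account)
    if not (src_role and dst_role and acct_role):
        return False, "source, target or account not in inventory"
    for role, sources, targets, protocols in EXPECTED_PATTERNS:
        if (acct_role == role and src_role in sources
                and dst_role in targets and protocol in protocols):
            return True, f"{acct_role} {protocol} from {src_role} to {dst_role}"
    return False, f"no expected pattern for {acct_role} {protocol} from {src_role} to {dst_role}"


if __name__ == "__main__":
    checks = [
        ("WS-HELPDESK-01", "WS-BOB", "CORP\\hd_admin", "RDP"),   # expected
        ("WS-BOB", "WS-HELPDESK-01", "CORP\\hd_admin", "RDP"),   # wrong direction
        ("MGMT-SCCM-01", "WS-BOB", "CORP\\svc_sccm", "SMB"),     # management server
        ("JUMP-DEV-01", "DEV-APP-02", "CORP\\carol", "SSH"),     # dev via jump host
        ("WS-BOB", "DEV-APP-02", "CORP\\carol", "SSH"),          # dev from a user's box
    ]
    for c in checks:
        print(c, is_expected(*c))
```

A match only means the connection fits a known benign pattern; it does not prove the account was not stolen. Pair it with the account-usage and interactivity questions above before closing an alert.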

Actions you could take

If there isn't an obvious reason why this activity is expected, it might be time to either escalate to a more senior analyst or start executing your incident response plan.

Common initial response actions can include:

  • Contacting a system owner or user's manager to identify if this activity seems expected.
  • Isolating workstations involved from the network.

Last Update

January 31, 2024
