Lateral Movement Response (T1021, T1570, T1047)
A step-by-step playbook for detecting and responding to lateral movement via RDP, WMI, PsExec, SMB, and SSH — including detection Event IDs, containment strategies, and forensic collection.
What This Playbook Covers
- This playbook handles confirmed lateral movement — when you have evidence that an attacker has moved from one host to another using remote administration tools. It does not cover the initial compromise or the final impact phase.
- Lateral movement is the most critical phase to interrupt. Before lateral movement, the breach is limited to a single host. After lateral movement, the attacker controls credentials, can reach sensitive servers, and may establish persistence.
- MITRE ATT&CK references: T1021 (Remote Services — RDP, SMB, SSH), T1570 (Lateral Tool Transfer), T1047 (Windows Management Instrumentation), T1059 (Command and Scripting Interpreter).
- Parallel playbooks: Privilege Escalation Investigation (often precedes lateral movement), Suspicious Authentication (credential abuse), Initial Access Response (find how the attacker got in).
Phase 1: Identify the Lateral Movement Method (0-15 minutes)
Each lateral movement technique produces a distinct detection signature. Identify the method first to determine the best containment strategy.
RDP Lateral Movement (T1021.001)
| Detection Signal | Log Source | Event ID / Indicator |
|---|---|---|
| RDP connection inbound | Windows Security Log | Event ID 4624 — LogonType = 10 (RemoteInteractive) |
| RDP connection from unusual host | Windows Security Log | Event ID 4624 — LogonType = 10 + source IP not on RDP allowlist |
| RDP session disconnect/reconnect | TerminalServices-LocalSessionManager | Event ID 21 (shell start), 24 (disconnect), 25 (reconnect) |
| Multiple RDP connections from same source | Correlation across hosts (use Splunk for correlation) | Same source IP connecting to multiple hosts via RDP |
SPL query — RDP lateral movement detection (the hourly bucket is created with the bin command before stats; bin is not a function that can be used inside a by clause):
```
index=windows sourcetype="WinEventLog:Security" EventCode=4624 LogonType=10
| bin _time span=1h
| stats count by _time, SourceIp, Computer, Account_Name
| where count > 2
| eval alert = "RDP lateral movement — " . Account_Name . " from " . SourceIp . " to " . Computer . " (" . count . " connections in 1h)"
| table _time, SourceIp, Computer, Account_Name, count, alert
| sort - count
```
WMI Lateral Movement (T1047)
| Detection Signal | Log Source | Event ID / Indicator |
|---|---|---|
| WMI process creation | Windows Security Log — Event ID 4688 | Parent process is WmiPrvSE.exe — child process is unexpected (cmd, powershell, wscript) |
| WMI connection | Microsoft-Windows-WMI-Activity/Operational | Event ID 5857 — WMI activity from non-standard namespace |
| WMI network connection | Sysmon Event ID 3 | wmiprvse.exe making outbound network connections |
| Remote WMI query | Windows Defender / EDR | API calls: IWbemServices::ExecQuery from remote host |
SPL query — WMI lateral movement detection:
```
index=windows sourcetype="WinEventLog:Security" EventCode=4688
| search ParentProcessName="*WmiPrvSE.exe"
| where NOT NewProcessName IN ("C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "C:\\Windows\\System32\\svchost.exe")
| eval alert = "WMI process creation — " . NewProcessName . " spawned by WmiPrvSE.exe on " . Computer
| table _time, Computer, NewProcessName, CommandLine, alert
```
PsExec Lateral Movement (T1570, T1021.002)
| Detection Signal | Log Source | Event ID / Indicator |
|---|---|---|
| PsExec service creation | System Event Log | Event ID 7045 — PSEXESVC.exe service installed |
| PsExec named pipe | Sysmon Event ID 17/18 | Named pipe creation: \\.\pipe\psexec-* or \\.\pipe\psexecsvc |
| SMB ADMIN$ file copy | Windows Security Log | Event ID 5140 — network share access to ADMIN$ or C$ |
| PsExec process from ADMIN$ | Windows Security Log — Event ID 4688 | Process executing from C:\Windows\ADMIN$\*.exe |
| PsExec SMB connection | Sysmon Event ID 3 (analyze with Wireshark) | SMB (port 445) connection from remote host |
SPL query — PsExec detection:
```
index=windows sourcetype="WinEventLog:System" EventCode=7045
| search ServiceName="PSEXESVC" OR ServiceName="psexec"
| eval alert = "CRITICAL — PsExec service installed on " . Computer
| table _time, Computer, ServiceName, ImagePath, alert
```
SMB Lateral Movement / Pass-the-Hash (T1021.002, T1550.002)
| Detection Signal | Log Source | Event ID / Indicator |
|---|---|---|
| NTLM authentication (pass-the-hash) | Windows Security Log | Event ID 4776 — NTLM authentication with NTLM hash (not password) |
| SMB share access from unusual user | Windows Security Log | Event ID 5140 — network share accessed by non-administrative user |
| SMB file copy | Sysmon Event ID 11 | File creation on remote shares (\\*\C$, \\*\ADMIN$) |
| Multiple SMB logons from same source | Windows Security Log | Event ID 4624 — LogonType = 3 (Network) from same source to multiple destinations |
SSH Lateral Movement (Linux)
| Detection Signal | Log Source | Indicator |
|---|---|---|
| SSH login from unusual source | /var/log/auth.log or /var/log/secure | Accepted publickey or Accepted password from non-standard IP |
| SSH key-based persistence | .ssh/authorized_keys | Unexpected SSH keys added to user’s authorized_keys |
| SSH outbound to internal ranges | Firewall logs | Outbound SSH (port 22) to internal servers |
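The SSH table above can be turned into a small triage check over auth.log. This is an added example, not part of the original playbook; it assumes interactive SSH is only expected from a bastion subnet (10.0.5.0/24 here) and that key-based auth is the norm, and the log lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample auth.log lines (no real host, user or key behind them).
AUTH_LOG = """\
Mar  3 10:12:01 web01 sshd[2241]: Accepted publickey for deploy from 10.0.5.20 port 51234 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Mar  3 10:13:44 web01 sshd[2250]: Accepted password for root from 10.0.2.10 port 40002 ssh2
Mar  3 10:14:09 web01 sshd[2260]: Failed password for invalid user admin from 10.0.2.10 port 40003 ssh2
Mar  3 10:20:30 web01 sshd[2290]: Accepted publickey for deploy from 10.0.9.77 port 50010 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT
"""

# Assumption: interactive SSH is only expected from the bastion subnet.
BASTION_NETS = [ip_network("10.0.5.0/24")]

# sshd's "Accepted <method> for <user> from <ip> port <port>" line; the
# "invalid user" wording only appears on Failed lines, so those never match.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

def suspicious_ssh_logins(log_text, allowed_nets=BASTION_NETS):
    """Return (user, src, method, reasons) for every accepted login that came
    from outside the allowlist or that used password authentication."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue
        src = ip_address(m["src"])
        reasons = []
        if not any(src in net for net in allowed_nets):
            reasons.append("source not on SSH allowlist")
        if m["method"] == "password":
            reasons.append("password auth (keys expected)")
        if reasons:
            findings.append((m["user"], str(src), m["method"], reasons))
    return findings
```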
Phase 2: Containment (15-30 minutes)
Immediate Actions — Regardless of Movement Type
- Isolate the compromised host — disable network on the origin host (not just the destination)
- Block the lateral movement path — create firewall rules between subnets if segmentation is weak
- Disable the compromised user account — the attacker is using stolen credentials
- Revoke Kerberos tickets for the compromised user — klist purge or Invoke-KerberosTicketPurge (klist purge clears only the ticket cache on the host where it runs; tickets the attacker already holds elsewhere stay valid until they expire)
Technique-Specific Containment
| Movement Type | Specific Containment |
|---|---|
| RDP | Temporarily disable RDP on affected hosts, restrict RDP source IPs at firewall |
| WMI | Block WMI (DCOM port 135, RPC dynamic ports 49152-65535) at firewall |
| PsExec | Remove ADMIN$ share temporarily, block SMB port 445 between segments |
| SMB Pass-the-Hash | Force Kerberos authentication — disable NTLM via GPO (Network security: Restrict NTLM) |
| SSH | Rotate SSH keys, disable password authentication, restrict SSH to bastion hosts |
Phase 3: Trace the Movement Path (30-60 minutes)
Step 1 — Build the Lateral Movement Chain
Identify every host the attacker touched:
```
Initial Compromise: HOST_A (10.0.1.5)
    ↓ RDP (LogonType 10) via user jdoe
HOST_B (10.0.2.10)
    ↓ WMI (WmiPrvSE.exe → powershell.exe)
HOST_C (10.0.2.20)
    ↓ PsExec (Service: PSEXESVC)
HOST_D — Domain Controller (10.0.100.5)
```
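Reconstructing that chain from the Phase 1 signals can be automated: tag each event with its technique, then walk outward from the origin host by following events whose source is the host you are currently on. This is an added example, not part of the original playbook; the hosts, IPs, accounts and event records are constructed, and it assumes hostnames have already been resolved to IPs.

```python
from collections import namedtuple

# Constructed host inventory and event records: hostnames, IPs and accounts are
# made up, and hostnames are assumed already resolved to IPs.
HOSTS = {"HOST_A": "10.0.1.5", "HOST_B": "10.0.2.10",
         "HOST_C": "10.0.2.20", "HOST_D": "10.0.100.5"}
# t = seconds since the first alert (constructed clock); computer = host that
# logged the event (the destination); detail = LogonType, parent or service name
Event = namedtuple("Event", "t code computer source_ip account detail")
EVENTS = [
    Event(0,    4624, "HOST_A", "203.0.113.9", "jdoe", "LogonType=10"),  # external source, not an internal hop
    Event(600,  4624, "HOST_B", "10.0.1.5",    "jdoe", "LogonType=10"),
    Event(700,  4624, "HOST_B", "10.0.1.5",    "jdoe", "LogonType=3"),   # same hop again, skipped
    Event(1500, 4688, "HOST_C", "10.0.2.10",   "jdoe", "Parent=WmiPrvSE.exe"),
    Event(3000, 7045, "HOST_D", "10.0.2.20",   "svc_backup", "Service=PSEXESVC"),
    Event(3500, 4624, "HOST_B", "10.0.100.5",  "svc_backup", "LogonType=3"),  # back to a visited host
]

def technique(ev):
    """Map an event to the playbook's technique label, or None if it is not one."""
    if ev.code == 4624 and "LogonType=10" in ev.detail: return "RDP"
    if ev.code == 4624 and "LogonType=3" in ev.detail:  return "SMB/Network"
    if ev.code == 4688 and "WmiPrvSE" in ev.detail:     return "WMI"
    if ev.code == 7045 and "PSEXESVC" in ev.detail:     return "PsExec"
    return None

def build_chain(events, origin, hosts=HOSTS):
    """Walk outward from origin: each hop is the earliest later event whose source
    is the current host and whose destination is unvisited. Follows one branch;
    rerun from any host whose events are left unexplained to find fan-out."""
    ordered = sorted(events, key=lambda e: e.t)
    chain, visited, current, after = [], {origin}, origin, -1
    while True:
        hop = next((e for e in ordered if e.t > after and e.source_ip == hosts[current]
                    and e.computer not in visited and technique(e)), None)
        if hop is None:
            return chain
        chain.append((current, hop.computer, technique(hop), hop.account))
        visited.add(hop.computer)
        current, after = hop.computer, hop.t

def render(chain, origin, hosts=HOSTS):
    """Format the chain in the playbook's arrow layout."""
    lines = [f"{origin} ({hosts[origin]})"]
    for _, dst, tech, acct in chain:
        lines += [f"    ↓ {tech} via user {acct}", f"{dst} ({hosts[dst]})"]
    return "\n".join(lines)
```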
Step 2 — Collect Evidence Per Host
| Evidence | Collection Method | What It Reveals |
|---|---|---|
| Security Event Log | wevtutil epl Security collected.evtx | Auth events, logon types, failed logins |
| Sysmon logs | Path: C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx | Process creation, network, file, named pipes |
| Prefetch files | C:\Windows\Prefetch\*.pf | Executed tools (mimikatz, psexec, powershell) |
| Recent files | C:\Users\*\Recent\* | Files opened by attacker |
| Network connections | NetStat / Sysmon Event ID 3 | Outbound connections to C2, lateral movement targets |
| Command history | PowerShell Get-History, $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt | Commands executed by attacker |
Phase 4: Detection Query Reference
Find All Lateral Movement in a Time Window
SPL — comprehensive lateral movement detection:
```
index=windows (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:Sysmon" OR sourcetype="WinEventLog:System")
| eval movement_type = case(
    EventCode=4624 AND LogonType=10, "RDP",
    EventCode=4624 AND LogonType=3 AND SourceIp!="", "SMB/Network",
    EventCode=4688 AND like(ParentProcessName, "%WmiPrvSE%"), "WMI",
    EventCode=7045 AND ServiceName="PSEXESVC", "PsExec",
    EventCode=5140 AND ShareName="ADMIN$", "ADMIN$ Share")
| where isnotnull(movement_type)
| eval alert = "LATERAL MOVEMENT: " . movement_type . " from " . coalesce(SourceIp, "local") . " on " . Computer
| table _time, Computer, SourceIp, Account_Name, movement_type, alert
| sort - _time
```
The label is assigned with case() (which yields null when no condition matches) rather than by concatenating if() calls, and wildcard matching inside eval uses like() because eval string comparison does not expand *.
Network-Based Detection — Multiple Logons from Same Source
```
index=windows sourcetype="WinEventLog:Security" EventCode=4624
| bin _time span=1h
| stats dc(Computer) as unique_hosts, values(Computer) as hosts_accessed by _time, SourceIp, Account_Name
| where unique_hosts > 3
| eval alert = Account_Name . " accessed " . unique_hosts . " hosts from " . SourceIp . " in 1 hour — lateral movement pattern"
| table _time, SourceIp, Account_Name, unique_hosts, hosts_accessed, alert
| sort - unique_hosts
```
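Both the Phase 1 RDP query and the fan-out query above bucket logons into fixed hourly bins, which misses a burst that straddles an hour boundary. The following added example (not from the original playbook; the 4624 records are constructed) implements the fan-out rule both ways so the difference is visible.

```python
from datetime import datetime, timedelta

# Constructed 4624 records: (time, SourceIp, Account_Name, Computer).
LOGONS = [
    (datetime(2024, 3, 3, 10, 50), "10.0.2.10", "jdoe", "FS01"),
    (datetime(2024, 3, 3, 10, 55), "10.0.2.10", "jdoe", "FS02"),
    (datetime(2024, 3, 3, 11, 5),  "10.0.2.10", "jdoe", "SQL01"),
    (datetime(2024, 3, 3, 11, 10), "10.0.2.10", "jdoe", "DC01"),
    (datetime(2024, 3, 3, 11, 12), "10.0.2.10", "jdoe", "DC01"),        # repeat host, not a new target
    (datetime(2024, 3, 3, 9, 0),   "10.0.7.4",  "backup_svc", "FS01"),  # expected service account traffic
    (datetime(2024, 3, 3, 9, 30),  "10.0.7.4",  "backup_svc", "FS02"),
]

def fan_out_fixed_bins(logons, threshold=3):
    """Splunk-style: floor each time to the hour, then count distinct hosts per
    (hour, SourceIp, Account_Name). Mirrors `bin _time span=1h | stats dc(Computer)`."""
    buckets = {}
    for t, src, acct, host in logons:
        key = (t.replace(minute=0, second=0, microsecond=0), src, acct)
        buckets.setdefault(key, set()).add(host)
    return {k: sorted(v) for k, v in buckets.items() if len(v) > threshold}

def fan_out_sliding(logons, threshold=3, window=timedelta(hours=1)):
    """Sliding window: per (SourceIp, Account_Name), the distinct hosts reached
    within any span of `window` starting at one of that pair's logons."""
    by_key = {}
    for t, src, acct, host in sorted(logons):
        by_key.setdefault((src, acct), []).append((t, host))
    hits = {}
    for key, seq in by_key.items():
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) > threshold:
                hits[key] = sorted(hosts)
                break
    return hits
```

With the sample data the fixed-bin version reports nothing (two hosts in the 10:00 bin, two in the 11:00 bin) while the sliding window flags jdoe reaching four hosts in 22 minutes; in Splunk the sliding behaviour can be approximated with streamstats and a time_window.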
Phase 5: Recovery and Hardening
| Control | What It Prevents | Deployment Effort |
|---|---|---|
| Enable Credential Guard | Pass-the-hash, Kerberos ticket theft | GPO — Windows 10/11 Enterprise |
| Disable NTLM (Kerberos only) | Pass-the-hash, NTLM relay | GPO — test for compatibility first |
| Network segmentation | Limits blast radius of lateral movement | Infrastructure change — medium effort |
| Just Enough Administration (JEA) | Restrict WMI/RDP/PsExec to specific admin hosts | PowerShell Desired State Configuration |
| Local admin password rotation (LAPS) | Prevents pass-the-hash reuse of local admin passwords | GPO + LAPS client |
| Session recording | Records RDP/SSH sessions for forensic review | Third-party tool (CyberArk, BeyondTrust) |
Related
- Common Ports and Protocols
- EDR Basics — detection and response for T1059, T1003, T1055, T1204, T1562 techniques
- Indicators: IoC, IoA, and TTP
- Log Sources Overview
- MITRE ATT&CK for Triage
