name: detecting-lateral-movement-with-splunk
description: Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs,
SMB traffic, and remote service abuse.
domain: cybersecurity
subdomain: threat-hunting
tags:
- threat-hunting
- mitre-attack
- lateral-movement
- splunk
- siem
- proactive-detection
- ta0008
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
nist_csf:
- DE.CM-01
- DE.AE-02
- DE.AE-07
- ID.RA-05
Detecting Lateral Movement with Splunk
When to Use
- When hunting for adversary movement between compromised systems
- After detecting credential theft to trace subsequent lateral activity
- When investigating unusual authentication patterns across the network
- During incident response to scope the breadth of compromise
- When proactively hunting for TA0008 (Lateral Movement) techniques
Detection Gaps & Validation
- Coverage is the biggest gap. 4624 Type 3/10 analysis only works if WEF collects from all endpoints, not just DCs. Most missed lateral movement is on member servers and workstations whose Security logs were never forwarded — verify ingestion per host class with
| tstats count by host.
- Pass-the-Hash uses cached creds, not 4648. Over-relying on 4648 (explicit credential logon) misses PtH, which appears as 4624 Type 3 with
AuthenticationPackageName=NTLM and LogonProcessName=seclogo against systems that should use Kerberos.
- Auth without execution context misses WMI/DCOM. T1047 lands as a 4624 plus a
wmiprvse.exe child (Sysmon EID 1); correlate the logon to subsequent process creation. WinRM shows wsmprovhost.exe (5985/5986); PsExec drops the PSEXESVC service (7045) and hits ADMIN$ (5145).
- Baseline maturity: first-time source→destination pair detection throws false-positive storms right after deployment until enough history accrues.
- Validate the rule fires: run
PsExec \\host cmd and Enter-PSSession host from a test box and confirm the 4624 Type 3 + 7045/wsmprovhost.exe queries return your activity.
- Tune false positives: vulnerability scanners, SCCM, and admin jump hosts authenticate broadly by design. Allowlist their source IPs and service accounts before alerting on fan-out.
Prerequisites
- Splunk Enterprise or Splunk Cloud with Windows event data ingested
- Windows Security Event Logs forwarded (4624, 4625, 4648, 4672, 4768, 4769)
- Sysmon deployed for process creation and network connection data
- Network flow data or firewall logs for SMB/RDP/WinRM correlation
- Active Directory user and group membership reference data
Workflow
- Define Lateral Movement Scope: Identify which lateral movement techniques to hunt (RDP, SMB/Admin Shares, WinRM, PsExec, WMI, DCOM, SSH).
- Query Authentication Events: Use SPL to search for Type 3 (Network) and Type 10 (RemoteInteractive) logons across the environment.
- Build Authentication Graphs: Map source-to-destination authentication relationships to identify unusual connection patterns.
- Detect First-Time Relationships: Identify new source-destination pairs that have not been seen in the historical baseline.
- Correlate with Process Activity: Link authentication events to subsequent process creation on destination hosts.
- Identify Anomalous Patterns: Flag lateral movement to sensitive servers, unusual hours, service account misuse, or rapid multi-host access.
- Report and Contain: Document lateral movement path, affected systems, and coordinate containment response.
Key Concepts
| Concept |
Description |
| T1021 |
Remote Services (parent technique) |
| T1021.001 |
Remote Desktop Protocol (RDP) |
| T1021.002 |
SMB/Windows Admin Shares |
| T1021.003 |
Distributed COM (DCOM) |
| T1021.004 |
SSH |
| T1021.006 |
Windows Remote Management (WinRM) |
| T1570 |
Lateral Tool Transfer |
| T1047 |
Windows Management Instrumentation |
| T1569.002 |
Service Execution (PsExec) |
| Logon Type 3 |
Network logon (SMB, WinRM, mapped drives) |
| Logon Type 10 |
Remote Interactive (RDP) |
| Event ID 4624 |
Successful logon |
| Event ID 4648 |
Explicit credential logon (runas, PsExec) |
Tools & Systems
| Tool |
Purpose |
| Splunk Enterprise |
SIEM for log aggregation and SPL queries |
| Splunk Enterprise Security |
Threat detection and notable events |
| Windows Event Forwarding |
Centralize Windows logs |
| Sysmon |
Detailed process and network telemetry |
| BloodHound |
AD attack path analysis |
| PingCastle |
AD security assessment |
Common Scenarios
- PsExec Lateral Movement: Adversary uses PsExec to execute commands on remote systems via SMB, generating Type 3 logon with ADMIN$ share access.
- RDP Pivoting: Attacker RDPs to internal systems using stolen credentials, creating Type 10 logon events.
- WMI Remote Execution: Adversary uses WMIC process call create to spawn processes on remote hosts.
- WinRM PowerShell Remoting: Attacker uses Enter-PSSession or Invoke-Command to execute code on remote systems.
- Pass-the-Hash via SMB: Compromised NTLM hashes used to authenticate to remote systems without knowing the plaintext password.
Output Format
Hunt ID: TH-LATMOV-[DATE]-[SEQ]
Movement Type: [RDP/SMB/WinRM/WMI/DCOM/PsExec]
Source Host: [Hostname/IP]
Destination Host: [Hostname/IP]
Account Used: [Username]
Logon Type: [3/10/other]
First Seen: [Timestamp]
Event Count: [Number of events]
Risk Level: [Critical/High/Medium/Low]
Lateral Movement Path: [A -> B -> C -> D]
By