Lateral Movement Detection Rules
The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target, then pivoting through multiple systems and accounts to gain access to it. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
df00tech ships 28 production-ready detection rules mapped to the Lateral Movement tactic (TA0008). Each rule below includes copy-paste queries for Microsoft Sentinel (KQL), Splunk (SPL), Elastic (EQL), QRadar, Sumo Logic, Chronicle and LogScale, with data-source requirements, severity and false-positive guidance — free to use.
Lateral Movement detections (28)
- CVE-2024-3400 Palo Alto PAN-OS GlobalProtect Command Injection (Operation MidnightEclipse)
- T1021 Remote Services
- T1021.001 Remote Desktop Protocol
- T1021.002 SMB/Windows Admin Shares
- T1021.003 Distributed Component Object Model
- T1021.004 SSH
- T1021.005 VNC
- T1021.006 Windows Remote Management
- T1021.007 Cloud Services
- T1021.008 Direct Cloud VM Connections
- T1051 Shared Webroot
- T1072 Software Deployment Tools
- T1080 Taint Shared Content
- T1091 Replication Through Removable Media
- T1175 Component Object Model and Distributed COM
- T1210 Exploitation of Remote Services
- T1534 Internal Spearphishing
- T1550 Use Alternate Authentication Material
- T1550.001 Application Access Token
- T1550.002 Pass the Hash
- T1550.003 Pass the Ticket
- T1550.004 Web Session Cookie
- T1563 Remote Service Session Hijacking
- T1563.001 SSH Hijacking
- T1563.002 RDP Hijacking
- T1570 Lateral Tool Transfer
- THREAT-LateralMovement-SMBPsExec Lateral Movement via SMB and PsExec-Style Remote Execution
- THREAT-Ransomware-StagingIndicators Ransomware Pre-Deployment Staging Indicators
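The rule names above do not show what a PsExec-style detection actually correlates. The following is an added example, not one of df00tech's shipped rules and not its query logic: a small Python detector run over constructed Windows events that ties an ADMIN$ share access (Security event 5140) to a service installation (System event 7045) on the same host within a short window, which is the classic T1021.002 / PsExec pattern. The event field names, the 60-second window, the list of PsExec-family service names and the `ccmexec` allowlist are all assumptions chosen for illustration and must be tuned to the telemetry and deployment tooling of a real environment.

```python
"""Added example: PsExec-style lateral movement detector over constructed
Windows events. Not df00tech's rule logic; field names are assumptions."""
import re
from datetime import datetime, timedelta

# How long after an ADMIN$ access a new service install is still "related"
# (assumption; PsExec writes and starts its service within seconds).
WINDOW = timedelta(seconds=60)

# Service names used by PsExec and common clones (assumption; extend as needed).
KNOWN_PSEXEC_SERVICES = {"psexesvc", "paexec", "csexecsvc", "remcomsvc"}

# Legitimate deployment agents that also install services after admin-share
# access. Assumption: tune to your own software-deployment tooling (T1072).
ALLOWED_SERVICE_NAMES = {"ccmexec"}

# Constructed sample events (not real telemetry). 5140 = network share object
# accessed, 7045 = new service installed. Three hosts, one source IP pivoting.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "WS01", "event_id": 5140,
     "share": "\\\\*\\ADMIN$", "src_ip": "10.0.0.5", "user": "CORP\\jdoe"},
    {"ts": "2024-05-01T10:00:03", "host": "WS01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-05-01T11:00:00", "host": "WS02", "event_id": 5140,
     "share": "\\\\*\\ADMIN$", "src_ip": "10.0.0.5", "user": "CORP\\jdoe"},
    {"ts": "2024-05-01T11:00:02", "host": "WS02", "event_id": 7045,
     "service_name": "wqJkfP",
     "image_path": "\\\\10.0.0.5\\ADMIN$\\wqJkfP.exe"},
    # Benign: SCCM agent install 15 minutes after an admin-share touch.
    {"ts": "2024-05-01T12:00:00", "host": "WS03", "event_id": 5140,
     "share": "\\\\*\\ADMIN$", "src_ip": "10.0.0.9", "user": "CORP\\sccm_svc"},
    {"ts": "2024-05-01T12:15:00", "host": "WS03", "event_id": 7045,
     "service_name": "CcmExec", "image_path": "C:\\Windows\\CCM\\CcmExec.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def suspicious_service_reason(service_event):
    """Return why a 7045 event looks like remote execution, or None."""
    name = service_event["service_name"].lower()
    path = service_event["image_path"].lower()
    if name in KNOWN_PSEXEC_SERVICES:
        return "known PsExec-family service name"
    # Binary staged on the target's admin share or run straight off a UNC path.
    if re.search(r"\\admin\$\\", path) or path.startswith("\\\\"):
        return "service binary launched from UNC/ADMIN$ path"
    return None


def detect_psexec_style(events, window=WINDOW):
    """Correlate ADMIN$ access (5140) with a suspicious service install (7045)
    on the same host within `window`. Returns one alert per service install."""
    events = sorted(events, key=lambda e: e["ts"])
    share_hits = [e for e in events
                  if e["event_id"] == 5140 and e["share"].upper().endswith("ADMIN$")]
    alerts = []
    for svc in (e for e in events if e["event_id"] == 7045):
        if svc["service_name"].lower() in ALLOWED_SERVICE_NAMES:
            continue  # false-positive guidance: approved deployment agent
        reason = suspicious_service_reason(svc)
        if reason is None:
            continue
        for hit in share_hits:
            delta = _ts(svc) - _ts(hit)
            if hit["host"] == svc["host"] and timedelta(0) <= delta <= window:
                alerts.append({"host": svc["host"], "src_ip": hit["src_ip"],
                               "user": hit["user"],
                               "service_name": svc["service_name"],
                               "reason": reason})
                break
    return alerts


def pivot_summary(alerts):
    """Count distinct victim hosts per source IP: two or more is a pivot chain."""
    hosts = {}
    for a in alerts:
        hosts.setdefault(a["src_ip"], set()).add(a["host"])
    return {ip: len(h) for ip, h in hosts.items()}


if __name__ == "__main__":
    found = detect_psexec_style(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']}: {a['service_name']} from {a['src_ip']} as {a['user']} ({a['reason']})")
    print("hosts per source:", pivot_summary(found))
```

The second stage, `pivot_summary`, is what turns two isolated alerts into a lateral-movement story: one source address installing services on several hosts in one day is worth more than either event on its own. The allowlist and window are where most tuning happens in practice; widen the window and the SCCM case above starts firing, so keep the allowlist keyed on both service name and the account that performed the share access if your deployment tooling uses a dedicated identity.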