GitHub Repo

Lateral Movement Detections

Name Data Source Technique Type Analytic Story Date
Splunk Code Injection via custom dashboard leading to RCE T1210 Hunting Splunk Vulnerabilities 2026-05-14
Splunk RCE PDFgen Render Splunk T1210 TTP Splunk Vulnerabilities 2026-05-14
Splunk RCE Through Arbitrary File Write to Windows System Root Splunk T1210 Hunting Splunk Vulnerabilities 2026-05-14
Splunk App for Lookup File Editing RCE via User XSLT T1210 Hunting Splunk Vulnerabilities 2026-05-14
Splunk RCE via User XSLT T1210 Hunting Splunk Vulnerabilities 2026-05-14
Windows Excel Spawning Microsoft Project Application CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.003 Anomaly PathWiper 2026-05-13
Windows AD Suspicious Attribute Modification Windows Event Log Security 5136 T1222.001 T1550 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows RDP Bitmap Cache File Creation Sysmon EventID 11 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Remote Management Execute Shell Sysmon EventID 1, Windows Event Log Security 4688 T1021.006 Anomaly Crypto Stealer 2026-05-13
Impacket Lateral Movement Commandline Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.002 T1021.003 T1047 T1543.003 TTP Prestige Ransomware, Graceful Wipe Out Attack, Data Destruction, Industroyer2, Compromised Windows Host, CISA AA22-277A, Volt Typhoon, WhisperGate, Storm-0501 Ransomware, Active Directory Lateral Movement, Gozi Malware 2026-05-13
Windows Azure PowerShell Module Installation Via PowerShell Script Powershell Script Block Logging 4104 T1021.007 T1069.003 T1078 T1098 T1136.003 Anomaly Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2026-05-13
Remote Process Instantiation via WinRM and Winrs CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Windows Default RDP File Creation By Non MSTSC Process Sysmon EventID 1, Sysmon EventID 11 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Enable RDP In Other Port Number Sysmon EventID 13 T1021 TTP Windows Registry Abuse, Prohibited Traffic Allowed or Protocol Mismatch, Interlock Ransomware, Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows SpeechRuntime COM Hijacking DLL Load Sysmon EventID 7 T1021.003 TTP Active Directory Lateral Movement, Compromised Windows Host, Scattered Lapsus$ Hunters 2026-05-13
Windows Process Execution From RDP Share CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.001 T1059 T1105 Anomaly Hidden Cobra Malware 2026-05-13
Linux SSH Remote Services Script Execute Sysmon for Linux EventID 1 T1021.004 TTP Hellcat Ransomware, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land 2026-05-13
Windows Replication Through Removable Media Sysmon EventID 11 T1091 TTP Chaos Ransomware, China-Nexus Threat Activity, PlugX, APT37 Rustonotto and FadeStealer, Derusbi, Salt Typhoon, NjRAT 2026-05-13
Rubeus Kerberos Ticket Exports Through Winlogon Access Sysmon EventID 10 T1550.003 TTP ZOVWiper, Active Directory Kerberos Attacks, BlackSuit Ransomware, Scattered Lapsus$ Hunters, CISA AA23-347A 2026-05-13
Windows Default Rdp File Unhidden Sysmon EventID 1 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows RDP Server Registry Entry Created Sysmon EventID 13 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows RDP Client Launched with Admin Session Sysmon EventID 1 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Impacket Lateral Movement smbexec CommandLine Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.002 T1021.003 T1047 T1543.003 TTP Prestige Ransomware, Graceful Wipe Out Attack, Data Destruction, Industroyer2, Compromised Windows Host, CISA AA22-277A, Volt Typhoon, WhisperGate, Active Directory Lateral Movement 2026-05-13
Rubeus Command Line Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1550.003 T1558.003 T1558.004 TTP Active Directory Privilege Escalation, Active Directory Kerberos Attacks, ZOVWiper, BlackSuit Ransomware, Scattered Lapsus$ Hunters, CISA AA23-347A 2026-05-13
Impacket Lateral Movement WMIExec Commandline Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.002 T1021.003 T1047 T1543.003 TTP Prestige Ransomware, Graceful Wipe Out Attack, Data Destruction, Industroyer2, Compromised Windows Host, CISA AA22-277A, Volt Typhoon, WhisperGate, Storm-0501 Ransomware, Active Directory Lateral Movement, Gozi Malware 2026-05-13
Windows Remote Services Allow Rdp In Firewall CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion, Azorult 2026-05-13
Windows Steal Authentication Certificates - ESC1 Authentication Windows Event Log Security 4768, Windows Event Log Security 4887 T1550 T1649 TTP Compromised Windows Host, Windows Certificate Services 2026-05-13
Remote Process Instantiation via DCOM and PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.003 TTP Active Directory Lateral Movement, Compromised Windows Host 2026-05-13
Windows Process Executed From Removable Media Sysmon EventID 13, Sysmon EventID 1 T1025 T1091 T1200 Anomaly APT37 Rustonotto and FadeStealer, Data Protection 2026-05-13
Windows Suspicious Named Pipe Sysmon EventID 18, Sysmon EventID 17 T1021.002 T1055 T1559 TTP Hellcat Ransomware, BlackByte Ransomware, Brute Ratel C4, Meterpreter, Cobalt Strike, APT37 Rustonotto and FadeStealer, Graceful Wipe Out Attack, LockBit Ransomware, Remote Monitoring and Management Software, DarkSide Ransomware, Trickbot, Tuoni, Gozi Malware 2026-05-13
Mmc LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.003 T1218.014 TTP Living Off The Land, Active Directory Lateral Movement, Water Gamayun, XML Runner Loader 2026-05-13
Detect Computer Changed with Anonymous Account Windows Event Log Security 4742 T1210 Hunting Detect Zerologon Attack 2026-05-13
Windows RDP Login Session Was Established Windows Event Log Security 4624 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters 2026-05-13
Allow Inbound Traffic By Firewall Rule Registry Sysmon EventID 13 T1021.001 TTP Windows Registry Abuse, PlugX, Azorult, Medusa Ransomware, Prohibited Traffic Allowed or Protocol Mismatch, NjRAT 2026-05-13
Windows Special Privileged Logon On Multiple Hosts Windows Event Log Security 4672 T1021.002 T1087 T1135 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation, Compromised Windows Host 2026-05-13
Windows SpeechRuntime Suspicious Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.003 TTP Active Directory Lateral Movement, Compromised Windows Host 2026-05-13
Mimikatz PassTheTicket CommandLine Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1550.003 TTP Active Directory Kerberos Attacks, Sandworm Tools, CISA AA22-320A, Scattered Lapsus$ Hunters, CISA AA23-347A 2026-05-13
Windows WPDBusEnum Registry Key Modification Sysmon EventID 13, Sysmon EventID 12 T1025 T1091 T1200 Anomaly APT37 Rustonotto and FadeStealer, Data Protection 2026-05-13
Detect PsExec With accepteula Flag CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.002 TTP Rhysida Ransomware, Sandworm Tools, BlackByte Ransomware, VanHelsing Ransomware, CISA AA22-320A, Seashell Blizzard, IcedID, DarkSide Ransomware, DarkGate Malware, Volt Typhoon, Medusa Ransomware, HAFNIUM Group, Storm-0501 Ransomware, Active Directory Lateral Movement, Cactus Ransomware, DHS Report TA18-074A, SamSam Ransomware 2026-05-13
Windows Remote Services Allow Remote Assistance Sysmon EventID 13 T1021.001 Anomaly Azorult 2026-05-13
Windows Remote Host Computer Management Access Sysmon EventID 1, Windows Event Log Security 4688 T1021.006 Anomaly Medusa Ransomware 2026-05-13
Windows Remote Services Rdp Enable Sysmon EventID 13 T1021.001 TTP BlackSuit Ransomware, Windows RDP Artifacts and Defense Evasion, Azorult, Medusa Ransomware 2026-05-13
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.003 T1021.006 T1047 T1053.005 T1059.001 T1218.014 T1543.003 Anomaly CISA AA24-241A, Scheduled Tasks, Hermetic Wiper, Data Destruction, Malicious PowerShell, Active Directory Lateral Movement, Microsoft WSUS CVE-2025-59287 2026-05-13
Active Directory Lateral Movement Identified T1210 Correlation Active Directory Lateral Movement 2026-05-13
Windows Process With NetExec Command Line Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1550.003 T1558.003 T1558.004 TTP Active Directory Privilege Escalation, Active Directory Kerberos Attacks 2026-05-13
Detection of tools built by NirSoft CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1072 Anomaly Emotet Malware DHS Report TA18-201A 2026-05-13
Interactive Session on Remote Endpoint with PowerShell Powershell Script Block Logging 4104 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Windows RDP Connection Successful Windows Event Log RemoteConnectionManager 1149 T1563.002 Hunting BlackByte Ransomware, Windows RDP Artifacts and Defense Evasion, NetSupport RMM Tool Abuse, Active Directory Lateral Movement, Interlock Ransomware 2026-05-13
Allow Inbound Traffic In Firewall Rule Powershell Script Block Logging 4104 T1021.001 TTP NetSupport RMM Tool Abuse, Prohibited Traffic Allowed or Protocol Mismatch 2026-05-13
Kerberos TGT Request Using RC4 Encryption Windows Event Log Security 4768 T1550 TTP Scattered Lapsus$ Hunters, Active Directory Kerberos Attacks 2026-05-13
Remote Desktop Process Running On System CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.001 Hunting Active Directory Lateral Movement, Hidden Cobra Malware, Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Suspicious C2 Named Pipe Sysmon EventID 18, Sysmon EventID 17 T1021.002 T1055 T1559 TTP Hellcat Ransomware, BlackByte Ransomware, Brute Ratel C4, Meterpreter, APT37 Rustonotto and FadeStealer, Cobalt Strike, Graceful Wipe Out Attack, LockBit Ransomware, Remote Monitoring and Management Software, DarkSide Ransomware, Trickbot, Tuoni, Storm-0501 Ransomware, Gozi Malware 2026-05-13
Remote Process Instantiation via DCOM and PowerShell Script Block Powershell Script Block Logging 4104 T1021.003 TTP Active Directory Lateral Movement 2026-05-13
Windows RMM Named Pipe Sysmon EventID 18, Sysmon EventID 17 T1021.002 T1055 T1559 Anomaly Scattered Spider, CISA AA24-241A, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Gozi Malware, GhostRedirector IIS Module and Rungan Backdoor, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Interlock Ransomware 2026-05-13
Windows USBSTOR Registry Key Modification Sysmon EventID 13, Sysmon EventID 12 T1025 T1091 T1200 Anomaly APT37 Rustonotto and FadeStealer, Data Protection 2026-05-13
Windows PuTTY Suite Utility Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.004 Anomaly Command And Control, Active Directory Lateral Movement 2026-05-13
Remote Process Instantiation via WinRM and PowerShell Script Block Powershell Script Block Logging 4104 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Windows Protocol Tunneling with Plink CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.004 T1572 TTP CISA AA22-257A 2026-05-13
Windows Theme File Creation in Unusual Location Sysmon EventID 11 T1021.002 T1187 T1557.001 Anomaly Spearphishing Attachments 2026-05-13
Windows PUA Named Pipe Sysmon EventID 18, Sysmon EventID 17 T1021.002 T1055 T1559 Anomaly Rhysida Ransomware, BlackByte Ransomware, Sandworm Tools, VanHelsing Ransomware, CISA AA22-320A, Seashell Blizzard, IcedID, DarkGate Malware, DarkSide Ransomware, Volt Typhoon, HAFNIUM Group, Medusa Ransomware, Active Directory Lateral Movement, Cactus Ransomware, DHS Report TA18-074A, SamSam Ransomware 2026-05-13
Powershell Remote Services Add TrustedHost Powershell Script Block Logging 4104 T1021.006 TTP DarkGate Malware 2026-05-13
Windows MSTSC RDP Commandline CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion, Medusa Ransomware 2026-05-13
Windows Remote Service Rdpwinst Tool Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.001 TTP Windows RDP Artifacts and Defense Evasion, Azorult, Compromised Windows Host, Scattered Lapsus$ Hunters 2026-05-13
Executable File Written in Administrative SMB Share Windows Event Log Security 5145 T1021.002 TTP Prestige Ransomware, Graceful Wipe Out Attack, Data Destruction, Industroyer2, Compromised Windows Host, BlackSuit Ransomware, IcedID, Hermetic Wiper, Trickbot, VanHelsing Ransomware, Active Directory Lateral Movement 2026-05-13
Windows Service Create with Tscon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1543.003 T1563.002 TTP Active Directory Lateral Movement, Compromised Windows Host, Windows RDP Artifacts and Defense Evasion 2026-05-13
Remote Process Instantiation via WinRM and PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Unknown Process Using The Kerberos Protocol Sysmon EventID 1, Sysmon EventID 3 T1550 TTP BlackSuit Ransomware, Active Directory Kerberos Attacks 2026-05-13
Wsmprovhost LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.006 TTP Hellcat Ransomware, Active Directory Lateral Movement, CISA AA24-241A 2026-05-13
Windows RDP File Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.001 T1598.002 TTP Spearphishing Attachments, Interlock Ransomware, Windows RDP Artifacts and Defense Evasion 2026-05-13
VMWare Aria Operations Exploit Attempt Palo Alto Network Threat T1068 T1133 T1190 T1210 TTP VMware Aria Operations vRealize CVE-2023-20887 2026-05-13
ESXi Shell Access Enabled VMWare ESXi Syslog T1021 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
ESXi SSH Enabled VMWare ESXi Syslog T1021.004 TTP Hellcat Ransomware, Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Okta Multiple Failed Requests to Access Applications Okta T1538 T1550.004 Hunting Okta Account Takeover 2026-05-13
Microsoft Intune Device Health Scripts Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Microsoft Intune Mobile Apps Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Microsoft Intune Manual Device Management Azure Monitor Activity T1021.007 T1072 T1529 Hunting Azure Active Directory Account Takeover 2026-05-13
AWS Bedrock Invoke Model Access Denied AWS CloudTrail T1078 T1550 TTP AWS Bedrock Security 2026-05-13
Microsoft Intune DeviceManagementConfigurationPolicies Azure Monitor Activity T1021.007 T1072 T1484 T1685 T1686 Hunting Azure Active Directory Account Takeover 2026-05-13
Remote Desktop Network Traffic Zeek Conn T1021.001 Anomaly Active Directory Lateral Movement, Hidden Cobra Malware, Windows RDP Artifacts and Defense Evasion, SamSam Ransomware, Ryuk Ransomware 2026-05-13
Cisco Privileged Account Creation with HTTP Command Execution T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Static Tundra Smart Install Abuse Cisco Secure Firewall Threat Defense Intrusion Event T1190 T1210 T1499 TTP Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Privileged Account Creation with Suspicious SSH Activity T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Cisco Secure Firewall - SSH Connection to Non-Standard Port Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Cisco Network Interface Modifications Cisco IOS Logs T1021 T1133 T1556 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity Cisco Secure Firewall Threat Defense Intrusion Event T1003.001 T1059.001 T1190 T1210 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Lumma Stealer Activity Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1190 T1204 T1210 TTP Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
SMB Traffic Spike T1021.002 Anomaly DHS Report TA18-074A, Hidden Cobra Malware, Ransomware, Emotet Malware DHS Report TA18-201A 2026-05-13
Cisco Secure Firewall - SSH Connection to sshd_operns Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13