Lateral Movement

Name	Technique	Tactic
Active Directory Kerberos Attacks	Password Spraying, Brute Force	Credential Access
Insider Threat	Password Spraying, Brute Force	Credential Access
Living Off The Land	Trusted Developer Utilities Proxy Execution, MSBuild	Defense Evasion
Snake Malware	Kernel Modules and Extensions, Service Execution	Persistence
Sneaky Active Directory Persistence Tricks	Security Support Provider, Boot or Logon Autostart Execution	Persistence

VMWare Aria Operations Exploit Attempt

External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation

Executable File Written in Administrative SMB Share

Remote Services, SMB/Windows Admin Shares

Executable File Written in Administrative SMB Share

Remote Services, SMB/Windows Admin Shares

Impacket Lateral Movement WMIExec Commandline Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Impacket Lateral Movement WMIExec Commandline Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Impacket Lateral Movement WMIExec Commandline Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Impacket Lateral Movement smbexec CommandLine Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Impacket Lateral Movement smbexec CommandLine Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Impacket Lateral Movement smbexec CommandLine Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Impacket Lateral Movement Commandline Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Impacket Lateral Movement Commandline Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Impacket Lateral Movement Commandline Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Windows Steal Authentication Certificates - ESC1 Authentication

Steal or Forge Authentication Certificates, Use Alternate Authentication Material

Enable RDP In Other Port Number

Remote Services

Active Directory Lateral Movement Identified

Exploitation of Remote Services

Windows RDP Connection Successful

RDP Hijacking

Possible Lateral Movement PowerShell Spawn

Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...

Possible Lateral Movement PowerShell Spawn

Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...

Possible Lateral Movement PowerShell Spawn

Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...

Windows Service Create with Tscon

RDP Hijacking, Remote Service Session Hijacking, Windows Service

Windows Service Create with Tscon

RDP Hijacking, Remote Service Session Hijacking, Windows Service

Allow Inbound Traffic By Firewall Rule Registry

Remote Desktop Protocol, Remote Services

Allow Inbound Traffic By Firewall Rule Registry

Remote Desktop Protocol, Remote Services

Windows Special Privileged Logon On Multiple Hosts

Account Discovery, SMB/Windows Admin Shares, Network Share Discovery

Windows Lateral Tool Transfer RemCom

Lateral Tool Transfer

Okta Multiple Failed Requests to Access Applications

Web Session Cookie, Cloud Service Dashboard

Linux SSH Remote Services Script Execute

SSH

Windows Replication Through Removable Media

Replication Through Removable Media

Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature

Exploitation of Remote Services

Splunk Code Injection via custom dashboard leading to RCE

Exploitation of Remote Services

Windows Protocol Tunneling with Plink

Protocol Tunneling, SSH

Windows Remote Service Rdpwinst Tool Execution

Remote Desktop Protocol, Remote Services

Windows Remote Service Rdpwinst Tool Execution

Remote Desktop Protocol, Remote Services

Windows Remote Services Allow Remote Assistance

Remote Desktop Protocol, Remote Services

Windows Remote Services Allow Remote Assistance

Remote Desktop Protocol, Remote Services

Windows Remote Services Allow Rdp In Firewall

Remote Desktop Protocol, Remote Services

Windows Remote Services Allow Rdp In Firewall

Remote Desktop Protocol, Remote Services

Windows Remote Services Rdp Enable

Remote Desktop Protocol, Remote Services

Windows Remote Services Rdp Enable

Remote Desktop Protocol, Remote Services

Remote Process Instantiation via DCOM and PowerShell Script Block

Remote Services, Distributed Component Object Model

Remote Process Instantiation via DCOM and PowerShell Script Block

Remote Services, Distributed Component Object Model

Interactive Session on Remote Endpoint with PowerShell

Remote Services, Windows Remote Management

Interactive Session on Remote Endpoint with PowerShell

Remote Services, Windows Remote Management

Remote Process Instantiation via WinRM and PowerShell Script Block

Remote Services, Windows Remote Management

Remote Process Instantiation via WinRM and PowerShell Script Block

Remote Services, Windows Remote Management

Unknown Process Using The Kerberos Protocol

Use Alternate Authentication Material

Kerberos TGT Request Using RC4 Encryption

Use Alternate Authentication Material

Rubeus Kerberos Ticket Exports Through Winlogon Access

Use Alternate Authentication Material, Pass the Ticket

Rubeus Kerberos Ticket Exports Through Winlogon Access

Use Alternate Authentication Material, Pass the Ticket

Rubeus Command Line Parameters

Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting

Rubeus Command Line Parameters

Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting

Mimikatz PassTheTicket CommandLine Parameters

Use Alternate Authentication Material, Pass the Ticket

Mimikatz PassTheTicket CommandLine Parameters

Use Alternate Authentication Material, Pass the Ticket

Mmc LOLBAS Execution Process Spawn

Remote Services, Distributed Component Object Model, MMC

Mmc LOLBAS Execution Process Spawn

Remote Services, Distributed Component Object Model, MMC

Wsmprovhost LOLBAS Execution Process Spawn

Remote Services, Windows Remote Management

Wsmprovhost LOLBAS Execution Process Spawn

Remote Services, Windows Remote Management

Remote Process Instantiation via WinRM and PowerShell

Remote Services, Windows Remote Management

Remote Process Instantiation via WinRM and PowerShell

Remote Services, Windows Remote Management

Remote Process Instantiation via DCOM and PowerShell

Remote Services, Distributed Component Object Model

Remote Process Instantiation via DCOM and PowerShell

Remote Services, Distributed Component Object Model

Remote Process Instantiation via WinRM and Winrs

Remote Services, Windows Remote Management

Remote Process Instantiation via WinRM and Winrs

Remote Services, Windows Remote Management

Detect PsExec With accepteula Flag

Remote Services, SMB/Windows Admin Shares

Detect PsExec With accepteula Flag

Remote Services, SMB/Windows Admin Shares

Allow Inbound Traffic In Firewall Rule

Remote Desktop Protocol, Remote Services

Allow Inbound Traffic In Firewall Rule

Remote Desktop Protocol, Remote Services

Detect Activity Related to Pass the Hash Attacks

Use Alternate Authentication Material, Pass the Hash

Detect Activity Related to Pass the Hash Attacks

Use Alternate Authentication Material, Pass the Hash

Detect Computer Changed with Anonymous Account

Exploitation of Remote Services

aws detect sts get session token abuse

Use Alternate Authentication Material

SMB Traffic Spike - MLTK

SMB/Windows Admin Shares, Remote Services

SMB Traffic Spike - MLTK

SMB/Windows Admin Shares, Remote Services

SMB Traffic Spike

SMB/Windows Admin Shares, Remote Services

SMB Traffic Spike

SMB/Windows Admin Shares, Remote Services

Remote Desktop Process Running On System

Remote Desktop Protocol, Remote Services

Remote Desktop Process Running On System

Remote Desktop Protocol, Remote Services

Remote Desktop Network Bruteforce

Remote Desktop Protocol, Remote Services

Remote Desktop Network Bruteforce

Remote Desktop Protocol, Remote Services

Detection of tools built by NirSoft

Software Deployment Tools

Remote Desktop Network Traffic

Remote Desktop Protocol, Remote Services

Remote Desktop Network Traffic

Remote Desktop Protocol, Remote Services