Detecting Lateral Movement: 5 Opportunities to Stop Cyberattacks in Their Tracks

December 17, 2025

Advanced threat actors today treat bypassing your perimeter defenses as a formality, dedicating their resources entirely to the post-compromise phase, where their ability to move throughout your network undetected determines success. As ransomware payouts skyrocket, threat actors are dedicating substantial resources to increasing the amount of time that they can move laterally throughout your network.

Traditional perimeter defenses are porous, making it very easy for threat actors to gain their initial foothold. Once inside, adversaries are able to move laterally to escalate privileges.

From there, they can access your valuable information and deploy malicious payloads under the cover of legitimate network operations. As your security teams struggle to separate malicious traffic from normal operational activity, threat actors can maximize the financial or strategic impact of the breach.

By actively looking for specific, high-fidelity warning signs, you can pinpoint lateral movement, and isolate and contain the threat while it is still in motion.

Detecting PowerShell Misuse

One of the most insidious methods of lateral movement involves turning PowerShell, a native administration feature, into a weapon. Threat actors often exploit PowerShell, which lets your admins control, script, and automate tasks across many machines at scale, as a stealthy attack channel to execute commands across multiple systems. An adversary favorite because of its legitimate use cases, PowerShell Remoting encrypts its traffic to protect sensitive data in transit, which makes the activity invisible to any of your tools that do not fully decrypt that traffic.

Because PowerShell commands can easily look like routine system maintenance (normal activity), attackers often remain hidden, allowing them to freely pivot between your machines and escalate access without raising network alarms.

To prevent threat actors from using PowerShell to escalate privileges and gain administrative control, your security teams must be able to decrypt and decode encrypted traffic. By establishing a baseline of expected activity for all users and endpoints to identify deviations from “normal,” they can also automate responses when the system identifies malicious patterns within a PowerShell stream.

Learn how ExtraHop detects PowerShell Remoting and DCOM Remote Command Launch Attempt.

Detecting Impacket Misuse

Threat actors often weaponize Impacket, a powerful open-source toolkit, to manipulate critical Windows network protocols, such as MS-RPC, SMB, and WMI.

Attackers use Impacket as a remote control, allowing them to seamlessly move the execution path from the compromised machine to any other server on your network. The attacker is then able to manipulate services using stolen credentials, establishing a deeper presence.

Your security teams need to monitor for indicators of compromise, audit high-privilege accounts, and analyze behavior for anomalies. These actions are essential to prevent lateral movement, unauthorized privilege escalation, credential abuse, and the deployment of ransomware or other malware across your network.

Learn how ExtraHop detects Impacket WMIExec Activity and Impacket SMBExec Activity.

Detecting Kerberos Misuse

Attackers often achieve a persistent, undetectable presence by exploiting Kerberos, the default authentication service for Microsoft Active Directory domains. By leveraging Kerberos, attackers are able to forge legitimate-looking golden tickets and silver tickets, or carry out pass-the-ticket attacks.

Forged tickets allow attackers to impersonate any user and access any system, enabling them to move laterally across your environment – as every system automatically trusts the forged tickets – without generating the authentication checks that would normally expose malicious activity.

To prevent undetected lateral movement, domain-wide access, data exfiltration, and long-term persistence, your security teams need to detect these types of attacks early on by monitoring Kerberos ticket requests and applying behavioral analysis to detect anomalous ticket usage.

Learn how ExtraHop detects Kerberos Golden Ticket Attacks and Kerberos Silver Ticket Attacks.

Detecting Active Directory (AD) Abuse

Attackers often target Active Directory, the centralized identity and access management core for nearly every modern enterprise network, to harvest credentials. Those credentials allow attackers to move laterally while masquerading as legitimate users, permitting immediate access to systems and data across your network.

To stop attackers before they gain domain-wide access, exfiltrate sensitive information and compromise high-value systems, your security teams must continuously monitor authentication and privilege changes, audit suspicious LDAP queries, and apply behavioral analytics. From there, they can automate containment and response, ultimately minimizing attacker dwell time and containing the blast radius.

Learn how ExtraHop detects Kerberoasting Activity and Abnormal LDAP Queries.
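The Kerberos section above recommends monitoring ticket requests for anomalous usage, and this section names Kerberoasting as an AD abuse to detect. As an added example (not ExtraHop's code, and not any detection the product ships), the following Python scores Windows Security event 4769 records for the two classic Kerberoasting signals: RC4-HMAC service tickets in an AES-issuing domain, and one account requesting many distinct service principals in a short window. The record layout, sample events and thresholds are constructed for this example.

```python
# Added example, not ExtraHop's code: a minimal Kerberoasting detector over
# Windows Security event 4769 (service ticket request) records.  Two signals:
#   1. service tickets requested with RC4-HMAC (TicketEncryptionType 0x17) in
#      a domain that otherwise issues AES (0x12) tickets, and
#   2. one account requesting many distinct service principals in a short window.
# Field layout and thresholds are assumptions for this example.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

# Constructed sample records: (time, requesting account, service name, encryption type)
SAMPLE_EVENTS = [
    ("2025-12-17T09:00:01", "jdoe", "CIFS/fs01", "0x12"),
    ("2025-12-17T09:00:05", "jdoe", "HTTP/intranet", "0x12"),
    ("2025-12-17T21:14:02", "svc_backup", "MSSQLSvc/db01:1433", "0x17"),
    ("2025-12-17T21:14:03", "svc_backup", "MSSQLSvc/db02:1433", "0x17"),
    ("2025-12-17T21:14:03", "svc_backup", "HTTP/web01", "0x17"),
    ("2025-12-17T21:14:04", "svc_backup", "ldap/dc01", "0x17"),
    ("2025-12-17T21:14:06", "svc_backup", "CIFS/fs02", "0x17"),
]

def parse(events):
    return [(datetime.fromisoformat(t), acct, spn, enc) for t, acct, spn, enc in events]

def find_kerberoasting(events, window=timedelta(minutes=5), spn_threshold=4):
    """Return {account: {"rc4_requests": n, "distinct_spns": m}} for every account
    that requested RC4 tickets for >= spn_threshold distinct services within `window`."""
    rc4_by_acct = defaultdict(list)
    for ts, acct, spn, enc in sorted(parse(events)):
        if enc == RC4_HMAC and not acct.endswith("$"):   # skip computer accounts
            rc4_by_acct[acct].append((ts, spn))
    flagged = {}
    for acct, reqs in rc4_by_acct.items():
        # slide a time window over this account's RC4 requests (already time-ordered)
        for i, (start, _) in enumerate(reqs):
            spns = {spn for ts, spn in reqs[i:] if ts - start <= window}
            if len(spns) >= spn_threshold:
                flagged[acct] = {"rc4_requests": len(reqs), "distinct_spns": len(spns)}
                break
    return flagged
```

Tune `spn_threshold` and `window` against your own 4769 volume; a legitimate service account that genuinely uses RC4 will show up here and should be put on the remediation list rather than allow-listed.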

Detecting Behavioral Anomalies

Threat actors may also directly manipulate identity and access mechanisms to expand their control. For instance, threat actors may log in during off-hours, connect from unusual locations, and/or access services that legitimate users rarely touch.

When attackers weaponize exploited accounts and compromised login credentials to move between systems like digital ghosts, they’re able to operate below the threshold of noise detected by traditional security tools, exposing a critical detection gap that leads to extended dwell time.

You must prioritize early detection of behavioral anomalies to stop attacks before they reach domain controllers, sensitive data stores, or production systems. Your teams can distinguish malicious activity from legitimate activity by correlating network and identity telemetry, and they should apply behavioral analytics to separate benign anomalies from malicious ones. Additionally, they must conduct packet-level forensics for each alert warranting additional investigation to understand the scope of the malicious activity. Finally, they should automate alert triage for off-hours or atypical login activity, especially for your privileged or influential users.

Learn how ExtraHop detects Network Privilege Escalation and Unusual Login Times.
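The section above describes baselining user activity and triaging off-hours or unusual-source logins, with extra weight on privileged accounts. As an added example (not ExtraHop's code), this Python builds a per-user baseline of logon hours and source hosts from historical records, then scores a new logon against it; the record layout, the privileged-account list and the tolerance are constructed assumptions.

```python
# Added example, not ExtraHop's code: build a per-user baseline of logon hours
# and source hosts from historical logon records, then flag new logons that fall
# outside it.  Privileged accounts get zero tolerance on hour-of-day, matching the
# post's advice to prioritise off-hours activity for those users.
from collections import defaultdict
from datetime import datetime

PRIVILEGED = {"da_admin"}   # constructed: accounts treated as privileged

# Constructed historical logons: (timestamp, user, source host)
HISTORY = [
    ("2025-12-01T08:12:00", "jdoe", "WS-014"),
    ("2025-12-02T09:03:00", "jdoe", "WS-014"),
    ("2025-12-03T17:45:00", "jdoe", "WS-014"),
    ("2025-12-01T07:55:00", "da_admin", "JUMP-01"),
    ("2025-12-02T08:30:00", "da_admin", "JUMP-01"),
    ("2025-12-03T16:10:00", "da_admin", "JUMP-01"),
]

def build_baseline(history):
    """Per user: the set of hours-of-day seen and the set of source hosts seen."""
    hours, hosts = defaultdict(set), defaultdict(set)
    for ts, user, host in history:
        hours[user].add(datetime.fromisoformat(ts).hour)
        hosts[user].add(host)
    return hours, hosts

def score_logon(ts, user, host, baseline, slack=1):
    """Return the list of anomaly reasons for one logon; an empty list means it
    fits the baseline.  Normal users get `slack` hours of tolerance around seen
    hours, privileged users none.  (Hour distance does not wrap at midnight.)"""
    hours, hosts = baseline
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    tol = 0 if user in PRIVILEGED else slack
    if user not in hours:
        reasons.append("no baseline for user")
    elif not any(abs(hour - h) <= tol for h in hours[user]):
        reasons.append("off-hours logon")
    if host not in hosts.get(user, set()):
        reasons.append("unseen source host")
    if reasons and user in PRIVILEGED:
        reasons.append("privileged account")   # raise triage priority
    return reasons
```

In practice the baseline needs weeks of data and a per-weekday split; the point here is that a privileged logon scoring several reasons at once is the alert to automate triage on first.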

Stop Lateral Movement in its Tracks

Your security team can detect lateral movement before threat actors can achieve their objectives. All you have to do is take advantage of the intelligence that’s already in your network.

Explore our full detections catalog to see how ExtraHop surfaces critical lateral movement behaviors in real time.

Blog author
Patrick Bedwell

Head of Product Marketing & Technical Marketing

Patrick Bedwell is an accomplished product marketing leader with deep expertise in the cybersecurity sector. He has a proven track record of leading high-performing teams at companies like Fortinet and Lastline. He holds an MBA from Santa Clara University.
