How to Detect Lateral Movement Before Attackers Reach Critical Assets

Security teams need to detect lateral movement, but the signals are scattered across identity providers, endpoints, cloud audit logs, and SaaS platforms, and any single signal in isolation falls below actionable thresholds. Attackers count on exactly that fragmentation. Hands-on-keyboard intrusions can be malware-free, with attackers using your own infrastructure as their primary tool.
TL;DR:
- Lateral movement has shifted from network exploitation to identity abuse, and the current attack model traverses endpoint, identity, cloud, and SaaS systems in a single chain.
- Single-source detection is structurally insufficient because lateral movement spans multiple telemetry domains at once, and each individual signal often looks benign without correlation across identity, endpoint, and cloud logs.
- Alert prioritization should be anchored to crown jewel proximity, because an RDP session from a web server to a domain controller carries different weight than workstation-to-workstation RDP even when the detection logic is identical.
- Speed across correlation, investigation, and response determines whether defenders can act, since the time from intrusion to ransomware can be shorter than any manual correlation window.
Lateral Movement Has Changed Faster Than Detection
The mental model most detection programs inherited treats lateral movement as a network problem: east-west traffic, SMB exploitation, pass-the-hash across Active Directory. That model is now incomplete to the point of being dangerous.
Modern lateral movement operates across identity and cloud boundaries, including SaaS. An attacker who vishes a help desk agent into resetting credentials, then pivots through SSO into a data warehouse, then escalates privileges in cloud IAM has completed lateral movement without touching the network layer. In some incidents, attackers have moved from initial access to ransomware deployment within hours.
1. Identity Is Now the Primary Lateral Movement Surface
Identity has become the dominant lateral movement surface. The Digital Defense Report recorded a 32% rise in identity-based attacks in the first half of 2025. While 97% of those attacks were password spray or brute force, the post-authentication techniques that matter for lateral movement are different. Token theft by malware and adversary-in-the-middle are two examples; attacks on MFA belong in the same post-authentication category.
This shift is clear from the telemetry mix in current intrusions. Defenders focused on lateral movement must prioritize identity telemetry over network telemetry for the majority of current attack paths.
2. Cross-Domain Traversal Is the Defining Pattern
Modern lateral movement often spans endpoint, identity, cloud, and unmanaged systems in a single attack chain. The Snowflake campaign demonstrated this at scale: infostealer infections on employee endpoints yielded cloud service credentials. Those credentials enabled broad compromise without any network-layer traversal. At least 79.7% of the Snowflake accounts the threat actor used had prior credential exposure, largely from historical infostealer infections.
3. Hybrid Infrastructure Creates Pivot Opportunities
The Storm-0501 campaign is the canonical hybrid pivot: attackers compromised Entra Connect Sync to traverse from on-premises Active Directory into Entra ID. They then implanted a federated domain backdoor that enabled persistent access and user impersonation, even after affected users reset their passwords. In response, Microsoft's Secure Future Initiative discontinued ADFS in its productivity environment and accelerated the migration off legacy planes to reduce this lateral movement risk.
Detection programs that treat on-premises AD and cloud identity as separate domains will miss these pivots.
Detection Engineering for Current Tradecraft
Effective lateral movement detection often requires correlating signals across multiple telemetry sources. MITRE ATT&CK's Network Connection Creation data component (DC0082) is one of the sources that supports lateral movement detection, but no single source carries the full picture on its own.
1. Identity and Authentication Telemetry
Windows Security Event Logs remain the foundational source for on-premises lateral movement. Foundational incident-response research on event-log analysis, first published in 2017, maps specific event IDs to the tools and commands attackers use to move between hosts, and those mappings still hold.
For pass-the-hash detection (T1550.002, MITRE DET0409): filter Event ID 4624 where Logon Type equals 3, Logon Process equals NtLmSsp, Authentication Package equals NTLM, and Key Length equals 0. NTLM can negotiate a 128-bit session key, so a Key Length of 0 stands out, and some security research associates this kind of anomalous NTLM logon pattern with pass-the-hash tools such as Mimikatz.
For Kerberoasting detection (T1558.003): filter Event ID 4769 where the Account Name does not end with $, the Service Name does not end with $, and the Ticket Encryption Type equals 0x17 (RC4-HMAC-MD5). The $ filters exclude machine accounts, which request service tickets as part of normal Active Directory operation, and RC4 stands out because legitimate modern requests use AES (0x11 or 0x12). This depends on a prerequisite: "Audit Kerberos Service Ticket Operations" must be enabled under Group Policy on Domain Controllers, since neither 4769 nor the related TGT-request event 4768 is audited by default.
For pass-the-ticket detection (T1550.003, MITRE DET0352): look for a TGS request (Event ID 4769) without a preceding TGT request (Event ID 4768) from the same source. Multiple systems using identical tickets is another strong signal.
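The three event-log filters above, implemented over constructed Windows Security events; this is an added example, not code from the article, and the addresses, account names and service names are made up.

```python
"""Added example (not from the article): pass-the-hash, Kerberoasting and
pass-the-ticket filters over constructed Windows Security events."""

SAMPLE_EVENTS = [  # constructed, in time order
    # Pass-the-hash shape: network logon, NtLmSsp, NTLM, zero-length key.
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "KeyLength": 0,
     "IpAddress": "10.0.0.25", "TargetUserName": "svc_backup"},
    # Ordinary NTLM network logon: 128-bit session key negotiated.
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "KeyLength": 128,
     "IpAddress": "10.0.0.31", "TargetUserName": "alice"},
    # Machine account: TGT first, then an AES service ticket. Normal AD traffic.
    {"EventID": 4768, "TargetUserName": "WS01$", "IpAddress": "10.0.0.40"},
    {"EventID": 4769, "TargetUserName": "WS01$@CORP.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12",
     "IpAddress": "10.0.0.40"},
    # Kerberoasting shape: user asks for an RC4 ticket to a user-owned SPN,
    # and 10.0.0.25 never requested a TGT first (pass-the-ticket shape).
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.25"},
]

def is_pass_the_hash(e):
    """4624, Logon Type 3, NtLmSsp, NTLM package, Key Length 0."""
    return (e.get("EventID") == 4624 and e.get("LogonType") == 3
            and e.get("LogonProcessName") == "NtLmSsp"
            and e.get("AuthenticationPackageName") == "NTLM"
            and e.get("KeyLength") == 0)

def is_kerberoast(e):
    """4769, neither account nor service is a machine account, RC4 (0x17)."""
    if e.get("EventID") != 4769:
        return False
    account = e.get("TargetUserName", "").split("@")[0]
    return (not account.endswith("$")
            and not e.get("ServiceName", "").endswith("$")
            and e.get("TicketEncryptionType", "").lower() == "0x17")

def pass_the_ticket_sources(events):
    """Sources that requested a service ticket (4769) with no earlier TGT
    request (4768) seen from the same address. Needs 4768/4769 auditing on."""
    tgt_seen, flagged = set(), []
    for e in events:
        src = e.get("IpAddress")
        if e.get("EventID") == 4768:
            tgt_seen.add(src)
        elif e.get("EventID") == 4769 and src not in tgt_seen:
            flagged.append(src)
    return sorted(set(flagged))
```

The pass-the-ticket check assumes events arrive in time order and that the domain controllers audit both 4768 and 4769, which is the Group Policy prerequisite noted above.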
2. Endpoint Telemetry for Tool-Based Movement
WMI remote execution (T1047) generates a distinctive signal: wmiprvse.exe spawns child processes on the destination host. The parent-child relationship is the thing to watch, particularly when child processes include cmd.exe or powershell.exe.
WinRM-based lateral movement is a separate case: the network connection arrives through a Windows service such as svchost.exe rather than through the target-side wmiprvse.exe process, so analytics that correlate wmiprvse.exe with network connections do not cover WinRM-driven remote execution on their own.
For Impacket WMIexec, investigations of real incidents confirm the detection logic: parent process wmiprvse.exe, child process cmd.exe, command line containing cmd.exe /Q /c with redirection ending in 1> \\127.0.0.1\{share}\{output} 2>&1.
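A process-creation classifier for the parent-child relationship and command-line shape described above, as an added example rather than code from the article; the event field names (Image, ParentImage, CommandLine), paths and sample commands are constructed.

```python
"""Added example (not from the article): classify constructed process-creation
events for WMI remote execution, including the Impacket wmiexec shape."""
import re

# Impacket wmiexec shape described above:
#   cmd.exe /Q /c <command> 1> \\127.0.0.1\<share>\<output> 2>&1
WMIEXEC_RE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\[^\\\s]+\\\S+\s+2>&1",
    re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Label one process-creation event (Image, ParentImage, CommandLine).
    Returns None when the parent is not wmiprvse.exe. WinRM-driven execution
    does not show wmiprvse.exe as the parent, so it is outside this check."""
    if _basename(event.get("ParentImage", "")) != "wmiprvse.exe":
        return None
    if WMIEXEC_RE.search(event.get("CommandLine", "")):
        return "impacket-wmiexec"
    if _basename(event.get("Image", "")) in SHELLS:
        return "wmi-remote-shell"
    return "wmi-child-process"

# Constructed events; paths, share and output names are made up.
SAMPLE = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c hostname 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

def summarize(events):
    """Count labels across a batch, skipping events outside the check."""
    counts = {}
    for e in events:
        label = classify(e)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts
```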
3. Cloud Lateral Movement Signals
In AWS environments, the AssumeRole event from sts.amazonaws.com in CloudTrail is a key indicator of cross-account lateral movement. A sessionContext.attributes.mfaAuthenticated value of false on high-privilege role assumptions is a primary detection signal.
A documented Lambda layer abuse chain shows an attacker creating a malicious layer in an external AWS account, granting permission for it to be used, then calling UpdateFunctionConfiguration in the victim account to attach that layer. The UpdateFunctionConfiguration event carried no known identity in the logs, so detection meant tracing the chain across role assumption and subsequent activity.
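The two AWS signals above, combined: an AssumeRole into a privileged role without MFA, then the follow-on control-plane calls made with the credentials that AssumeRole returned. This is an added example over constructed CloudTrail records, not code from the article; the role ARNs, account ids and access key ids are made up.

```python
"""Added example (not from the article): flag AssumeRole calls without MFA into a
privileged role, then follow the issued credentials to later control-plane calls."""

PRIVILEGED_ROLES = {"arn:aws:iam::111111111111:role/LambdaDeploy"}  # assumed list
VICTIM_ACCOUNT = "111111111111"                                     # assumed
FOLLOW_ON = {"UpdateFunctionConfiguration", "AddLayerVersionPermission"}

# Constructed records, trimmed to the CloudTrail fields this logic reads.
RECORDS = [
    {"eventTime": "2025-01-10T08:00:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "dev",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/LambdaDeploy"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEKEY00001"}}},
    {"eventTime": "2025-01-10T08:03:40Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY00001"},
     "requestParameters": {"functionName": "billing-export",
                           "layers": ["arn:aws:lambda:us-east-1:222222222222:layer:helper:3"]}},
    {"eventTime": "2025-01-10T09:15:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "ops",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/LambdaDeploy"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEKEY00002"}}},
]

def risky_assume_roles(records):
    """Privileged AssumeRole where the session did not use MFA (a missing
    mfaAuthenticated attribute is treated as not proven), keyed by access key."""
    out = {}
    for r in records:
        if r["eventSource"] != "sts.amazonaws.com" or r["eventName"] != "AssumeRole":
            continue
        role = r["requestParameters"]["roleArn"]
        attrs = r["userIdentity"].get("sessionContext", {}).get("attributes", {})
        if role in PRIVILEGED_ROLES and attrs.get("mfaAuthenticated") != "true":
            key = r["responseElements"]["credentials"]["accessKeyId"]
            out[key] = {"role": role, "caller": r["userIdentity"].get("userName"),
                        "follow_on": []}
    return out

def chain_follow_on(records):
    """Attach later calls made with the risky key; note layers from other accounts."""
    findings = risky_assume_roles(records)
    for r in records:
        key = r["userIdentity"].get("accessKeyId")
        if key in findings and r["eventName"] in FOLLOW_ON:
            layers = r.get("requestParameters", {}).get("layers", [])
            external = [a for a in layers if a.split(":")[4] != VICTIM_ACCOUNT]
            findings[key]["follow_on"].append(
                {"event": r["eventName"], "external_layers": external})
    return findings
```

Matching on the access key id that AssumeRole returned is what ties the later UpdateFunctionConfiguration call back to a known identity when the call itself carries none.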
For Entra ID, some lateral movement techniques can produce little or no useful logging when tokens are issued. Microsoft provides Conditional Access and token protection controls for Exchange Online and SharePoint Online, and it has begun deprecating and disabling legacy token behaviors. Detection can be difficult and may rely on limited or post-compromise identity and cloud telemetry rather than straightforward log signatures.
4. Known Detection Gaps You Must Account For
Account for these gaps in compensating controls:
- Token theft and session hijacking leave no failed logins, no brute-force indicators, and no authentication spikes.
- AD-to-Entra ID token techniques can produce no logs when tokens are issued.
- East-west SMB C2 is a blind spot in traditional network monitoring focused on north-south traffic.
- Cloud runtime-only techniques (T1610, T1496, serverless reverse shells) can only be seen at runtime; configuration scans miss them.
Knowing where your detection breaks is as valuable as knowing where it works.
Prioritize Alerts by Crown Jewel Proximity
Detection logic for RDP lateral movement (T1021.001, Event ID 4624 with LogonType 10) is identical regardless of source and destination, yet the operational significance shifts entirely with the route.
The BRICKSTORM analysis (AR25-338A) reconstructed a complete lateral movement chain: web server to domain controller via RDP, followed by AD database copy, followed by VMware vCenter access using stolen MSP credentials. Detection at any hop between the web server and domain controller would have prevented access to vCenter. Detection anchored to the trajectory toward critical assets catches what technique-level detection misses.
NIST's High Value Asset methodology recommends classifying assets by Confidentiality and Integrity impact, including transversal technology like identity providers and hypervisors; network management systems belong in the same class. Authorization sprawl was named among the top five new attack techniques at RSAC 2025 because overextended privileges create hidden attack paths that adversaries exploit without raising alarms.
Integrate asset criticality into your detection platform so that the same technique generates different alert severity based on proximity to crown jewels. An RDP connection from a web server to a domain controller from an unexpected source is a much higher priority than workstation-to-workstation RDP.
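One way to weight the same RDP detection by route, as an added example that is not part of the article: a constructed asset inventory with crown-jewel tiers and expected admin sources, and a scorer that turns one Event ID 4624 LogonType 10 event into a severity. Host names, tiers and roles are assumptions.

```python
"""Added example (not from the article): severity for RDP logons (Event ID 4624,
LogonType 10) weighted by the destination's crown-jewel tier and by whether the
source is an expected admin host. The inventory and host names are made up."""

# Constructed asset inventory: tier 3 = crown jewel, 2 = server, 1 = workstation.
ASSETS = {
    "DC01":  {"tier": 3, "role": "domain-controller", "expected_rdp_from": {"PAW01"}},
    "VC01":  {"tier": 3, "role": "vcenter",           "expected_rdp_from": {"PAW01"}},
    "WEB01": {"tier": 2, "role": "web-server",        "expected_rdp_from": {"PAW01", "JUMP01"}},
    "PAW01": {"tier": 2, "role": "admin-workstation", "expected_rdp_from": set()},
    "WS07":  {"tier": 1, "role": "workstation",       "expected_rdp_from": set()},
    "WS12":  {"tier": 1, "role": "workstation",       "expected_rdp_from": set()},
}
UNKNOWN = {"tier": 1, "role": "unknown", "expected_rdp_from": set()}
SEVERITY = {1: "low", 2: "medium", 3: "high", 4: "critical"}

def rdp_severity(event):
    """Return (severity, reasons) for one 4624/LogonType 10 event, or None
    for anything else. Same detection logic, different weight per route."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 10:
        return None
    dst_name, src = event["Computer"], event.get("WorkstationName", "")
    dst = ASSETS.get(dst_name, UNKNOWN)
    score = dst["tier"]
    reasons = [f"destination {dst_name} is tier {dst['tier']} ({dst['role']})"]
    if dst["tier"] >= 2:
        if src in dst["expected_rdp_from"]:
            score -= 1
            reasons.append(f"source {src} is an expected admin host")
        else:
            score += 1
            reasons.append(f"source {src or 'unknown'} is not an expected admin host")
    return SEVERITY[max(1, min(4, score))], reasons

def prioritize(events):
    """Order a batch of events by severity, highest first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    scored = [(e, rdp_severity(e)) for e in events]
    scored = [(e, s) for e, s in scored if s]
    return sorted(scored, key=lambda pair: rank[pair[1][0]])

# Constructed events: web server to DC, PAW to DC, workstation to workstation.
SAMPLE = [
    {"EventID": 4624, "LogonType": 10, "Computer": "DC01", "WorkstationName": "WEB01"},
    {"EventID": 4624, "LogonType": 10, "Computer": "DC01", "WorkstationName": "PAW01"},
    {"EventID": 4624, "LogonType": 10, "Computer": "WS12", "WorkstationName": "WS07"},
]
```

In the 4624 event the Computer field is the host that logged the logon (the RDP destination) and WorkstationName is the source, which is why the scorer reads them that way.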
Lessons From Real Incidents: Where Detection Succeeds and Fails
Forensic case studies show where detection had a chance and the organization missed it.
The Lunar Spider intrusion persisted for nearly two months. On day three, the attacker attempted WMIC remote execution targeting a domain controller and failed. On day four, PsExec initially failed because the threat actor omitted the accepteula flag. Failed lateral movement attempts followed by immediate retry with corrected syntax are a behavioral indicator of hands-on-keyboard adversary activity, and this case is a missed detection opportunity.
In the BlueSky ransomware case, the threat actors deployed ransomware network-wide within an hour of gaining access. The RansomHub case showed the attackers harvesting credentials and deploying ransomware network-wide over SMB using remote services. A time-to-ransom measured in minutes leaves little window for manual correlation. Investigation and response workflows must be pre-built with automated response actions before analyst review.
Across these cases, discovery activity often preceded lateral movement. Network scanning, AD enumeration, and credential store enumeration give defenders earlier warning than waiting for an explicit lateral movement event.
Decision Criteria for Your Lateral Movement Detection Program
Where you invest first depends on the shape of your environment and how your current operation handles correlation. The conditions below map common situations to the detection priority that addresses them.
- If your environment is majority cloud with identity in Okta or Entra ID, then your primary detection investment should prioritize identity provider telemetry and cross-platform session correlation over network-level east-west monitoring.
- If you have hybrid infrastructure with Entra Connect Sync, then federated domain additions, Sync account privilege modifications, and AD-to-Entra ID pivot techniques should be Tier 1 detection priorities. Hybrid identity attacks have shown that persistence and impersonation at the federation layer can enable continued access beyond simple password-based defenses.
- If your detection rules are technique-focused without asset context, then you are likely drowning in low-value alerts while missing high-value ones. The same Event ID 4624 LogonType 10 means different things depending on whether the destination is a developer workstation or a domain controller.
- If your investigation workflow requires manual correlation across SIEM, EDR, identity provider logs, and cloud audit data, then your response time is likely measured in hours. For attack timelines measured in minutes, the context assembly step must be automated.
- If your security service escalates lateral movement indicators as individual tickets, then each escalation forces your team to reconstruct context that should have been assembled before the ticket was created. That operating model inserts latency at the exact point where speed determines outcomes.
These five conditions are practical diagnostics. The priority order follows the attack timeline: identity telemetry coverage first, then hybrid pivot detection, then asset-context enrichment of existing rules, then investigation automation to close the gap between detection and response.
Correlation Is the Unit of Detection That Catches Lateral Movement
Lateral movement evades single-source detection because the signal lives in the relationships between events rather than in any one event. An Okta sign-in, a 4624 logon, an AssumeRole call, and a federated domain addition each clear their own threshold while the chain they form does not. The programs that catch this treat correlation across identity, endpoint, and cloud as the unit of detection, and they weight every signal by its proximity to crown jewels rather than by technique severity.
The harder constraint is time. When the window from initial access to domain controller is measured in minutes, the bottleneck is rarely whether a tool fired an alert. The bottleneck is whether anyone assembled the surrounding context fast enough to act on it. This gap determines outcomes, and it explains why detection engineering keeps converging on automated context assembly. Managed agentic security services such as Daylight are built around the same premise: investigate alerts against telemetry, organizational, and historical context, correlate signals across domains, and reach a verdict fast enough to act while the attacker is still moving.
Frequently Asked Questions About Lateral Movement Detection
How Do I Detect Lateral Movement That Uses Only Valid Credentials and Native Tools?
You cannot rely on signature-based detection. The detection surface shifts to behavioral correlation: per-credential behavioral baselines, where each account has an established pattern of normal access, are the foundation. Without baselines, living-off-the-land activity is indistinguishable from routine, as CISA documented in the Volt Typhoon advisory.
Which Audit Policies Must Be Enabled to Detect Common Lateral Movement Techniques?
Several critical event sources are not enabled by default. The detection logic in the Identity and Authentication Telemetry section above depends on explicit GPO enablement: Audit Kerberos authentication and service ticket auditing for Event IDs 4768/4769, Process Creation auditing with command-line arguments for Event ID 4688, service installation auditing for Event ID 4697, and Sysmon Events 17/18 for named pipe activity. Missing any of these creates blind spots for pass-the-ticket, Kerberoasting ticket-request activity, PsExec, and Cobalt Strike service installs.
What Is the Most Reliable Early Warning Signal That Lateral Movement Is Underway?
Discovery activity. An attacker who lands on a host rarely knows the terrain, so the first hands-on actions are usually reconnaissance: probing what is reachable, which accounts hold privilege, and where the valuable systems sit. That activity shows up before the first hop, which makes it the signal that buys the most response time.
How Should Detection Differ for Cloud-Only Lateral Movement Versus Hybrid Pivots?
In cloud-only environments, detection depends on API audit logs for role assumption, token exchange, and cross-service pivots. CloudTrail and Entra ID sign-in logs are primary sources, and SaaS platform audit trails fill the same role. A Lambda layer–based chain using AssumeRole, UpdateFunctionConfiguration, and AddLayerVersionPermission from an external AWS account is primarily a control-plane sequence and may produce little or no traditional network-layer telemetry, depending on the environment. Detection then rests on correlating CloudTrail events by session token. Hybrid pivots shift the priority to the federation layer between on-premises AD and cloud identity, where Entra Connect Sync compromise and federated domain backdoors let attackers cross from one trust domain into the other.
What Compensating Controls Should I Deploy Where Detection Gaps Exist?
For token theft, reduce token lifetimes and enforce continuous access evaluation policies that revoke sessions when device or user risk changes. Certain AD-to-Entra ID lateral movement techniques may have incomplete visibility in standard audit trails; privileged access workstations and network segmentation limit the blast radius. East-west SMB C2 is invisible to monitoring focused on north-south traffic; internal network segmentation and SMB signing enforcement reduce the viability of these channels. For cloud runtime-only techniques that configuration scans may miss, such as some reverse-shell activity, runtime monitoring on cloud workloads is an important control for detection.
What Architectural Model Best Limits Lateral Movement Before It Reaches Critical Assets?
A zero-trust architecture evaluates access behavior continuously rather than treating internal movement as implicitly trusted. Combined with asset criticality mapping and segmentation, it shifts detection toward the access paths that lead to high-value systems instead of only chasing noisy technique signatures.
How Should I Decide Which Assets Count as Crown Jewels for Lateral Movement Detection?
Use a high-value asset approach that includes sensitive data stores and transversal infrastructure such as identity providers and hypervisors; management systems should be included as well. Those platforms often become the pivot points that let attackers reach everything else.