Threat Hunting
Detecting lateral movement with Threat Foundry.
Lateral movement is where many intrusions become expensive. Initial access may start on one workstation, one identity, one cloud token, or one exposed service, but the incident becomes a business problem when the adversary reaches privileged systems, backup infrastructure, identity providers, file shares, management planes, or production workloads. Detecting lateral movement means watching how identities, hosts, remote execution paths, administrative protocols, and trust relationships behave under pressure.
Threat Foundry is well suited to this problem because lateral movement is rarely one event. It is a chain: discovery, credential access, privilege use, remote authentication, remote execution, tool staging, persistence, and often cleanup. The platform's CTI intake, ATT&CK mapping, Attack Path Builder, saved-hunt evidence, Entity Analyzer, Sigma review, and reporting features help teams turn that chain into a repeatable hunting workflow.
Think in paths, not isolated alerts
A failed login from one workstation to another may be normal. A remote service creation event may be normal. PowerShell remoting may be normal. SMB admin share access may be normal. The hunting question is whether the path is normal: which account authenticated, from which host, to which host, using which protocol, after what discovery behavior, and before what execution or data access?
Attack Path Builder gives analysts a useful way to model this. A hunt might start with Account Discovery, Remote System Discovery, Network Share Discovery, Credential Dumping, Remote Services, Windows Management Instrumentation, SMB/Windows Admin Shares, Remote Services: RDP, or Lateral Tool Transfer. The value is not only the ATT&CK labels. The value is the ordered hypothesis: an adversary who compromises a user workstation may enumerate domain resources, access credential material, authenticate to peer systems, create a service, run a remote command, and stage tools on a server.
Telemetry sources for lateral movement
Strong lateral movement detection pulls from identity, endpoint, network, and asset context. Useful Windows telemetry includes logon events, explicit credential use, Kerberos service ticket activity, NTLM activity, account lockouts, group membership changes, process creation, service installation, scheduled task creation, PowerShell remoting, WMI activity, remote registry, SMB file access, RDP activity, and EDR process lineage. Network telemetry can add east-west flow context. Asset inventory helps distinguish a domain controller, workstation, server, jump host, backup server, and privileged admin workstation.
In Threat Foundry, that context becomes more than a checklist. Asset Inventory and Asset Classification help decide whether movement touched a high-value system. Field normalization helps map local SIEM fields into reusable hunt logic. Entity Analyzer groups accounts, hosts, processes, commands, and related observables from returned rows so the analyst can see whether one identity is touching many hosts, one host is touching many peers, or one administrative tool is appearing where it should not.
Use the first-seen admin access playbook
Threat Foundry now includes a built-in Hunt Playbook for this exact operating model: First-Seen Admin Access And Lateral Movement Baseline. The playbook guides analysts through validating Asset Inventory and High Risk Accounts, selecting ATT&CK pivots such as Valid Accounts, Remote Services, WMI, Scheduled Tasks, and Service Execution, then reviewing saved-hunt output in Lateral Movement Analyzer and Entity Analyzer.
The purpose is not to declare every new admin login malicious. The purpose is to preserve a baseline of relationships that matter: which privileged account touched which asset, from which source, by which protocol or execution method, and whether the destination is a critical system. A first-seen admin login to a domain controller, backup server, identity system, or production management host deserves different treatment than a routine admin login to a lab workstation.
Threat Foundry now supports analyst-reviewed behavior baselining for this workflow. As saved hunts are enriched with related telemetry, the platform can surface first-seen account-to-asset paths, host-to-host movement, privileged account access, critical asset access, remote execution indicators, dual-use tool activity, and admin share activity. Analysts can classify those observations as expected administration, low-value noise, or candidates for detection engineering, which helps the program get smarter without turning every new path into an alert.
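The baseline-and-review loop described above, as an added example that is not Threat Foundry's own code or data model. It assumes normalized logon events with `account`, `src_host`, `dst_host` and `method` fields, a hypothetical asset-class map standing in for Asset Inventory, and a hypothetical privileged-account set standing in for High Risk Accounts; all events, host names and account names are constructed. `first_seen_paths` surfaces account-to-asset paths absent from the reviewed baseline and ranks a first-seen privileged logon to a critical asset above the rest; `apply_review` folds analyst verdicts back into the baseline so expected administration stops resurfacing while candidates stay visible for detection engineering.

```python
# Constructed asset inventory: host -> asset class (hypothetical names, not platform output).
ASSET_CLASS = {
    "DC01": "domain_controller",
    "BKP01": "backup_server",
    "FS01": "file_server",
    "WS-ALICE": "workstation",
    "WS-BOB": "workstation",
    "LAB-07": "lab_workstation",
}

# Asset classes where a first-seen privileged logon is escalated rather than merely reviewed.
CRITICAL_CLASSES = {"domain_controller", "backup_server", "identity_system", "management_host"}

# Constructed privileged-account list (stands in for a High Risk Accounts list).
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin", "CORP\\svc-backup"}

# Constructed, normalized logon events; field names are assumptions about post-normalization output.
LOGON_EVENTS = [
    {"ts": "2024-05-01T08:01:00", "account": "CORP\\da-admin", "src_host": "PAW01", "dst_host": "DC01", "method": "kerberos"},
    {"ts": "2024-05-01T09:15:00", "account": "CORP\\alice", "src_host": "WS-ALICE", "dst_host": "FS01", "method": "kerberos"},
    {"ts": "2024-05-01T22:40:00", "account": "CORP\\da-admin", "src_host": "WS-BOB", "dst_host": "BKP01", "method": "rdp"},
    {"ts": "2024-05-01T22:45:00", "account": "CORP\\da-admin", "src_host": "WS-BOB", "dst_host": "LAB-07", "method": "rdp"},
]


def first_seen_paths(events, baseline):
    """Return findings for (account, src_host, dst_host, method) paths not in the reviewed baseline.

    Priority is 'high' for a privileged account's first-seen path onto a critical asset class,
    'review' for every other first-seen path. Only the first occurrence within the batch counts.
    """
    findings = []
    seen = set(baseline)  # copy so the caller's baseline is not mutated
    for ev in sorted(events, key=lambda e: e["ts"]):
        path = (ev["account"], ev["src_host"], ev["dst_host"], ev["method"])
        if path in seen:
            continue
        seen.add(path)
        asset_class = ASSET_CLASS.get(ev["dst_host"], "unknown")
        privileged = ev["account"] in PRIVILEGED_ACCOUNTS
        priority = "high" if privileged and asset_class in CRITICAL_CLASSES else "review"
        findings.append({"ts": ev["ts"], "path": path, "asset_class": asset_class,
                         "privileged": privileged, "priority": priority})
    return findings


def apply_review(baseline, findings, decisions):
    """Fold analyst verdicts into the baseline.

    decisions maps a path tuple to 'expected', 'noise' or 'candidate'. Expected administration
    and low-value noise join the baseline so they are not surfaced again; candidates are kept
    out of the baseline and returned for detection engineering. Unreviewed paths stay pending.
    """
    updated = set(baseline)
    candidates = []
    for f in findings:
        verdict = decisions.get(f["path"])
        if verdict in ("expected", "noise"):
            updated.add(f["path"])
        elif verdict == "candidate":
            candidates.append(f)
    return updated, candidates


if __name__ == "__main__":
    reviewed = {("CORP\\da-admin", "PAW01", "DC01", "kerberos")}
    new_paths = first_seen_paths(LOGON_EVENTS, reviewed)
    for f in new_paths:
        print(f["priority"], f["asset_class"], f["path"])
    reviewed, promote = apply_review(reviewed, new_paths, {
        ("CORP\\alice", "WS-ALICE", "FS01", "kerberos"): "expected",
        ("CORP\\da-admin", "WS-BOB", "BKP01", "rdp"): "candidate",
    })
    print("baseline size:", len(reviewed), "candidates:", len(promote))
```

The priority split is deliberately coarse: the point of the baseline is to make a first-seen privileged path onto a backup server stand out from a first-seen path onto a lab box, not to score every logon. Keying the baseline on the source host and method as well as the account and destination means the same admin reaching the same server from an unexpected workstation over RDP still surfaces as new.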
High-signal hunt patterns
Start with account-to-host anomalies. Look for one user authenticating to many workstations or servers in a short period, especially where that user has no normal administrative role. Look for first-seen admin logons to sensitive assets. Look for service ticket requests or remote logons from workstations that do not usually administer the target. Look for disabled, stale, or service accounts used interactively.
Then add execution context. Look for remote service creation followed by a new process. Look for WMI process creation from a peer workstation. Look for PowerShell remoting from non-admin devices. Look for scheduled tasks created remotely. Look for PsExec-like service names, admin share writes followed by execution, or binaries staged in admin shares, temp directories, or program data paths. Look for RDP from unusual source networks or at unusual times, especially when followed by privilege changes or data access.
Finally, connect credential behavior. Lateral movement often follows credential theft or token abuse. Watch for LSASS access, suspicious credential dumping indicators, unusual use of explicit credentials, rapid authentication fan-out, unusual Kerberos encryption or service ticket patterns, and privileged accounts appearing on endpoints where they do not normally log on. Threat Foundry can preserve these as linked hunt steps instead of forcing each clue into a separate analyst note.
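Two of the hunt patterns above, rapid authentication fan-out and remote service creation followed by a new process, as an added example that is not part of the original page or the product. It runs over a constructed, already-normalized event list; the event names (`logon`, `service_install`, `process`), the field names, the PsExec-style service name and the host and account names are all assumptions. `authentication_fanout` finds accounts whose remote logons reach a threshold of distinct hosts inside a sliding window; `remote_execution_chains` links a network logon to a service installation and a child process of that service on the same destination host, which is the execution context the text says to add to the authentication evidence.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry. "logon" approximates a remote logon record, "service_install" a
# System 7045-style record, "process" a process-creation record. Field names are assumptions.
TELEMETRY = [
    {"ts": "2024-05-02T01:00:00", "event": "logon", "account": "CORP\\jdoe", "src_host": "WS-42", "dst_host": "SRV-01", "logon_type": 3},
    {"ts": "2024-05-02T01:00:20", "event": "service_install", "dst_host": "SRV-01", "service_name": "PSEXESVC", "image": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2024-05-02T01:00:25", "event": "process", "dst_host": "SRV-01", "parent": "PSEXESVC.exe", "image": "cmd.exe"},
    {"ts": "2024-05-02T01:02:00", "event": "logon", "account": "CORP\\jdoe", "src_host": "WS-42", "dst_host": "SRV-02", "logon_type": 3},
    {"ts": "2024-05-02T01:03:00", "event": "logon", "account": "CORP\\jdoe", "src_host": "WS-42", "dst_host": "SRV-03", "logon_type": 3},
    {"ts": "2024-05-02T01:04:00", "event": "logon", "account": "CORP\\jdoe", "src_host": "WS-42", "dst_host": "SRV-04", "logon_type": 3},
    {"ts": "2024-05-02T09:00:00", "event": "logon", "account": "CORP\\ops-admin", "src_host": "PAW01", "dst_host": "SRV-01", "logon_type": 3},
    {"ts": "2024-05-02T09:30:00", "event": "logon", "account": "CORP\\ops-admin", "src_host": "PAW01", "dst_host": "SRV-02", "logon_type": 3},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def authentication_fanout(events, window=timedelta(minutes=10), threshold=3):
    """Accounts whose remote logons (network or RDP) reach >= threshold distinct hosts in any window.

    Returns {account: sorted list of destination hosts for the densest window}. Two hosts half an
    hour apart do not trip it; four hosts in four minutes do.
    """
    logons = defaultdict(list)
    for ev in events:
        if ev["event"] == "logon" and ev["logon_type"] in (3, 10):
            logons[ev["account"]].append((parse_ts(ev["ts"]), ev["dst_host"]))
    hits = {}
    for account, items in logons.items():
        items.sort()
        best = set()
        for i, (t0, _) in enumerate(items):  # slide the window start over each logon
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            hits[account] = sorted(best)
    return hits


def remote_execution_chains(events, window=timedelta(minutes=5)):
    """Link a network logon to a service install and a child process of that service on the same host.

    One record per chain: who authenticated, from where, onto which host, which service was
    installed, what it spawned, and how many seconds elapsed from logon to child process.
    """
    chains = []
    evs = sorted(events, key=lambda e: e["ts"])
    for i, lg in enumerate(evs):
        if lg["event"] != "logon" or lg["logon_type"] != 3:
            continue
        t0 = parse_ts(lg["ts"])
        svc = None
        for ev in evs[i + 1:]:
            t = parse_ts(ev["ts"])
            if t - t0 > window:
                break  # events are time-ordered, so nothing later can be inside the window
            if ev.get("dst_host") != lg["dst_host"]:
                continue
            if ev["event"] == "service_install" and svc is None:
                svc = ev
            elif ev["event"] == "process" and svc is not None:
                svc_binary = svc["image"].rsplit("\\", 1)[-1].lower()
                if ev.get("parent", "").lower() == svc_binary:
                    chains.append({"account": lg["account"], "src_host": lg["src_host"],
                                   "dst_host": lg["dst_host"], "service_name": svc["service_name"],
                                   "child": ev["image"], "elapsed_s": int((t - t0).total_seconds())})
                    break
    return chains


if __name__ == "__main__":
    print("fan-out:", authentication_fanout(TELEMETRY))
    for c in remote_execution_chains(TELEMETRY):
        print("chain:", c)
```

Both functions return structured records rather than a verdict, because the next step in the workflow is to join them against asset class and account role: four servers from a privileged admin workstation during a change window and four servers from a user workstation at 01:00 are the same fan-out shape with very different meaning, and it is the path context, not the count, that decides whether the pattern stays a recurring hunt or becomes a Sigma candidate.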
Cloud and hybrid lateral movement
Lateral movement is not only Windows-to-Windows anymore. In hybrid environments, adversaries move between endpoint identities, Entra ID or other identity providers, SaaS admin roles, cloud IAM, CI/CD systems, and management planes. A compromised endpoint may lead to browser session theft, cloud CLI usage, OAuth abuse, or service principal misuse. A compromised cloud identity may lead back to remote management of servers or deployment pipelines.
Threat Foundry's Cloud ATT&CK-oriented workflows let teams keep these paths in the same operating model. The hunt can include identity control-plane events, cloud audit logs, suspicious role assumptions, new access keys, anomalous admin consent, impossible or unusual travel, endpoint process evidence, and SIEM queries tied back to the original CTI or incident hypothesis.
From hunt to Sigma and reporting
Not every lateral movement hunt should become an alert. Some patterns are too environment-specific and should remain recurring hunts or executive risk reporting. Others are stable enough for Sigma: remote service creation from non-admin workstations, WMI execution from unexpected subnets, admin share writes followed by process execution, first-seen privileged logon to critical assets, suspicious explicit credential use, or remote PowerShell from unmanaged hosts.
Threat Foundry helps with that decision by separating saved hunt evidence from reviewed Sigma candidates and behavior-baseline review. Analysts can run the hunt, inspect the returned rows, mark known administrative behavior, suppress low-value noise, promote suspicious patterns for detection engineering, and then decide whether the detection belongs in production. Reporting then shows not just that a hunt ran, but whether the organization improved coverage, found a telemetry gap, or validated a new detection.
When lateral movement evidence depends on legitimate tools such as WMI, scheduled tasks, PowerShell remoting, service creation, or signed proxy binaries, the Living-Off-The-Land Detection Engineering playbook provides the promotion checklist. It forces the same decision discipline: alert with Sigma when the behavior is stable, keep it as a scheduled hunt when it is environment-specific, use YARA only when file/content evidence exists, and document known administration before marking the detection ready.
A practical lateral movement workflow
Use Auto Triage to identify CTI or internal incident themes tied to remote execution, credential theft, ransomware staging, or domain compromise. Promote relevant items into Hunt Builder. Build an attack path that includes discovery, credential use, remote authentication, and execution. Confirm that identity, endpoint, and asset data are available. Generate and review the hunt logic. Run the hunt, preserve evidence, and inspect entities. Pivot to host investigation where the evidence points to specific systems. Convert repeatable patterns into Sigma after review. Use reporting to show coverage by ATT&CK technique and by critical asset class.
Lateral movement detection improves when the SOC stops asking, "Did one event look bad?" and starts asking, "Does this path belong in our environment?"
What good looks like
A mature program can explain which lateral movement techniques it covers, which critical assets have adequate telemetry, which privileged accounts are expected to touch which systems, which detections are production-ready, and which hunts remain manual because the environment is too variable. Threat Foundry gives that program a shared workspace: CTI context, attack paths, generated hunts, evidence, entities, Sigma candidates, host pivots, and reporting all point back to the same defensive question.