
Detecting Lateral Movement in Windows Event Logs


To detect authentication-based lateral movement in Windows environments.

Data Required

Windows Security logs, specifically:

  • Successful Logon (ID 4624)
  • Failed Logon (ID 4625)
  • Kerberos Authentication (ID 4768)
  • Kerberos Service Ticket (ID 4776)
  • Assignment of Administrator Rights (ID 4672)
  • Unknown username or password (ID 529)
  • Account logon time restriction violation (ID 530)
  • Account currently disabled (ID 531)
  • User account has expired (ID 532)
  • User not allowed to logon to the computer (ID 533)
  • User has not been granted the requested logon type (ID 534)
  • The account's password has expired (ID 535)
  • The NetLogon component is not active (ID 536)
  • The logon attempt failed for other reasons (ID 537)
  • Account lockout (ID 539)

Collection Considerations

Not all of these events are enabled by default, so you may need to change your audit policy.

Analysis Techniques

Stack counting, outlier detection, visualization


Make note of administrative attempts, visualize this activity and look for deviations from baseline in the number of attempts, the accounts involved in the attempts or the computers on which the attempts occur.

Look for instances where multiple users are logged onto an end-user workstation simultaneously or within a relatively short period of time, where the same user account is logged onto more than one host, or where a network login references a non-domain account on the target system.
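
The two short-window checks described above (several users on one workstation, one account on several hosts), as an added example that is not part of the original page. The log lines, host and account names, the flat text format, the 10-minute window and the threshold of 2 are constructed assumptions; real 4624 records would come from your own log pipeline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4624 (successful logon) records; hosts and users are made up.
# Fields: timestamp, event_id, computer, target_user, logon_type
RAW = """\
2024-03-04T09:00:12 4624 WS-014 alice 2
2024-03-04T09:02:40 4624 WS-022 bob 2
2024-03-04T13:15:03 4624 WS-014 svc_backup 3
2024-03-04T13:16:47 4624 WS-014 carol 3
2024-03-04T13:18:20 4624 WS-022 carol 3
2024-03-04T13:19:05 4624 WS-031 carol 3
2024-03-04T17:45:00 4624 WS-022 bob 2
"""

def parse(raw):
    events = []
    for line in raw.splitlines():
        ts, eid, host, user, ltype = line.split()
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "host": host, "user": user.lower(), "type": int(ltype)})
    return events

def fan_out(events, group_by, count, window, threshold):
    """Return {group: distinct `count` values} for every group where at least
    `threshold` distinct values occur inside some span no longer than `window`."""
    grouped = defaultdict(list)
    for e in events:
        if e["id"] == 4624:
            grouped[e[group_by]].append((e["time"], e[count]))
    hits = {}
    for group, rows in grouped.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the left edge until the span fits inside the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            seen = {value for _, value in rows[start:end + 1]}
            if len(seen) >= threshold:
                hits.setdefault(group, set()).update(seen)
    return hits

EVENTS = parse(RAW)
WINDOW = timedelta(minutes=10)
# Several users logging on to the same workstation within a short period.
busy_hosts = fan_out(EVENTS, "host", "user", WINDOW, 2)
# The same account logging on to more than one host within a short period.
roaming_users = fan_out(EVENTS, "user", "host", WINDOW, 2)
```

Both results are candidates for review against the baseline rather than verdicts: shared workstations and administrators' routine work produce the same pattern.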

Other Notes

"Administrative" accounts include any user with special rights, not necessarily only the Local or Domain "Administrator" accounts.

More Info
