Incident Response

How to spot lateral movement without a SOC

By Arden Security • April 14, 2026 • 4 min read

Lateral movement is how a small breach becomes a full compromise. An attacker lands on one workstation — maybe through a phishing email — and then moves across your network to find domain controllers, file servers, and backup systems. If you catch it early, you contain a single machine. If you miss it, you're rebuilding your entire domain.

The good news: every lateral movement technique leaves traces in standard Windows event logs. Here are the four patterns to look for.

PsExec and remote service creation

PsExec is one of the most common lateral movement tools in real-world intrusions. According to the Cisco Talos 2025 Year in Review, RDP, PowerShell, and PsExec are the top three tools used by ransomware actors. On the target machine, look for Event ID 7045 (service installed) with a service name like PSEXESVC or a random string, and Event ID 5145 showing access to the IPC$ share with the svcctl named pipe. IPC$/svcctl access followed by a new service on the same host means someone just ran something remotely on that machine.

Pass-the-hash and NTLM relaying

When an attacker dumps credentials from memory (using tools like Mimikatz) and reuses the hash to authenticate, you'll see Event ID 4624 with Logon Type 9 (NewCredentials) on the source machine, and Logon Type 3 with NTLM authentication (not Kerberos) on the target. In a healthy domain, most authentication should be Kerberos. A burst of NTLM Type 3 logons between workstations is a red flag.

WMI remote execution

Attackers use WMI to run commands remotely because it's a built-in Windows feature that doesn't install anything on the target. Look for Event ID 4648 (explicit credential logon) where the target server name contains "RPCSS" or "HOST" on the source machine. On the target, you'll see Event ID 4624 Type 3 followed by wmiprvse.exe spawning unexpected child processes in the process creation logs.

RDP from unexpected sources

RDP is legitimate, which makes malicious RDP harder to spot. The key indicators: Event ID 4624 Type 10 from workstation-to-workstation (not from a jump server or admin machine), RDP from the loopback address 127.0.0.1 (indicates SSH tunneling), and RDP sessions outside business hours. Also watch Event ID 1149 in the TerminalServices-RemoteConnectionManager log for the source IP of every RDP connection.

The pattern across all of these: one machine reaching out to another in a way it normally doesn't. If WORKSTATION-05 suddenly authenticates to your file server, your DC, and three other workstations within ten minutes — and it's never done that before — that's lateral movement. Arden automates this detection with lateral movement rules that flag exactly these patterns in real time.
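A minimal version of that fan-out rule, added here as an example rather than Arden's code: it runs over constructed 4624 records (field layout assumed from the logon event fields the post cites) and a constructed baseline of which hosts each source normally authenticates to, and flags a source that reaches three or more never-before-seen hosts within ten minutes, counting how many of those logons were NTLM Type 3.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4624 records collected from target hosts.
# Fields: timestamp, event_id, target_host, source_workstation, logon_type, auth_package
EVENTS = [
    ("2026-04-14T09:00:10", 4624, "FILESRV-01", "WORKSTATION-05", 3, "NTLM"),
    ("2026-04-14T09:01:30", 4624, "DC-01", "WORKSTATION-05", 3, "NTLM"),
    ("2026-04-14T09:03:05", 4624, "WORKSTATION-11", "WORKSTATION-05", 3, "NTLM"),
    ("2026-04-14T09:04:40", 4624, "WORKSTATION-12", "WORKSTATION-05", 3, "NTLM"),
    ("2026-04-14T09:06:00", 4624, "WORKSTATION-13", "WORKSTATION-05", 3, "NTLM"),
    ("2026-04-14T09:02:00", 4624, "FILESRV-01", "WORKSTATION-02", 3, "Kerberos"),
    ("2026-04-14T10:30:00", 4624, "FILESRV-01", "ADMIN-JUMP", 10, "Kerberos"),
]

# Constructed baseline: hosts each source has legitimately reached in the past.
BASELINE = {
    "WORKSTATION-05": {"FILESRV-01"},
    "WORKSTATION-02": {"FILESRV-01"},
    "ADMIN-JUMP": {"FILESRV-01", "DC-01"},
}


def find_fanout(events, baseline, window=timedelta(minutes=10), min_new_targets=3):
    """Return one alert per source that authenticates (network or RDP logon) to
    at least min_new_targets hosts absent from its baseline within `window`."""
    by_source = defaultdict(list)
    for ts, event_id, target, source, logon_type, package in events:
        if event_id == 4624 and logon_type in (3, 10):
            by_source[source].append((datetime.fromisoformat(ts), target, logon_type, package))

    alerts = []
    for source, logons in by_source.items():
        logons.sort()  # chronological, so each index starts a candidate window
        known = baseline.get(source, set())
        for i, (start, _, _, _) in enumerate(logons):
            in_window = [l for l in logons[i:] if l[0] - start <= window]
            new_targets = {l[1] for l in in_window if l[1] not in known}
            if len(new_targets) >= min_new_targets:
                ntlm_type3 = sum(1 for l in in_window if l[2] == 3 and l[3] == "NTLM")
                alerts.append({
                    "source": source,
                    "start": start.isoformat(),
                    "new_targets": sorted(new_targets),
                    "ntlm_type3": ntlm_type3,
                })
                break  # one alert per source is enough to trigger an investigation
    return alerts


if __name__ == "__main__":
    for alert in find_fanout(EVENTS, BASELINE):
        print(alert)
```

The baseline is the part that matters in practice: build it from a few weeks of normal 4624 traffic before trusting the alerts, or a scheduled backup job will look like lateral movement.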

For more on what to monitor, see our guide to the 5 Windows Event IDs every system administrator should monitor.

Detect lateral movement automatically.

Arden flags PsExec, pass-the-hash, WMI, RDP, and DCOM lateral movement in real time — no SIEM required.
