
Threat Hunt: Detecting Lateral Movement Using Windows Event Logs

A structured threat hunt across a mid-size Windows environment to surface stealthy lateral movement using native event logs — no EDR required.

Tags: Threat Hunting, Windows Event Logs, MITRE ATT&CK, SIEM

Objective

Hunt for lateral movement activity (TA0008) across a Windows estate by correlating Event IDs 4624, 4648, 4672, and 5140 — without relying on EDR telemetry.

Hypothesis

If an attacker is moving laterally, we will see an unusual pattern of:

  • Type 3 (network) logons from workstation-to-workstation
  • Newly elevated accounts on secondary hosts
  • Admin share access (ADMIN$, C$) from non-IT machines

Approach

  1. Baselined typical logon behaviour over 30 days per business unit.
  2. Built a KQL query in Microsoft Sentinel joining SecurityEvent ID 4624 (LogonType 3, network logon) records with ID 5140 share-access (SharePath) events.
  3. Filtered out known admin tooling (SCCM, vuln scanners, backup agents).
  4. Reviewed anomalies across a 48-hour window.
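The query in step 2 is not reproduced on this page; the following is an added example of how that correlation can be expressed in Sentinel KQL, not the hunt's own query. Column names (LogonType, IpAddress, TargetUserName, ShareName, SubjectUserName) are assumed to follow the Sentinel SecurityEvent schema, and the allow-listed source range and thresholds are placeholders to tune against the 30-day baseline.

```kql
// Added example (not the original hunt query): correlate Type 3 network logons
// (4624) with admin-share access (5140) from the same source address, then flag
// sources that reach an unusual number of distinct hosts inside one window.
let lookback = 48h;                 // review window used in step 4
let window = 1h;                    // fan-out window per source/account
let host_threshold = 10;            // tune from the per-business-unit baseline
// Placeholder allow-list for known admin tooling (SCCM, vuln scanners, backup agents).
let known_admin_sources = dynamic(["10.0.0.0/24"]);
let net_logons =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType == 3
    | where not(TargetUserName endswith "$")          // drop machine accounts
    | where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
    | project LogonTime = TimeGenerated, Computer, IpAddress, TargetUserName;
let share_access =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 5140
    // Windows records the share as \\*\ADMIN$ or \\*\C$ in the 5140 event.
    | where ShareName in~ (@"\\*\ADMIN$", @"\\*\C$")
    | project ShareTime = TimeGenerated, Computer, IpAddress, SubjectUserName, ShareName;
net_logons
| join kind=inner share_access on Computer, IpAddress
// Share access should follow the network logon closely on the same host.
| where ShareTime between (LogonTime .. (LogonTime + 5m))
| where not(ipv4_is_in_any_range(IpAddress, known_admin_sources))
| summarize
    DistinctHosts = dcount(Computer),
    Hosts = make_set(Computer, 50),
    Shares = make_set(ShareName),
    FirstSeen = min(LogonTime),
    LastSeen = max(ShareTime)
    by IpAddress, TargetUserName, bin(LogonTime, window)
| where DistinctHosts >= host_threshold
| order by DistinctHosts desc
```

A source/account pair that appears here with many distinct hosts in a single hour is the pattern the hypothesis describes; the developer workstation finding below is the kind of result this surfaces, and each hit still needs attribution before it is treated as an incident.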

Findings

  • Identified one developer workstation authenticating to 14 unique hosts via network logon in under an hour — later attributed to a misconfigured automation script.
  • Surfaced a legitimate but undocumented admin tool that was generating false positives and added it to the baseline.
  • Documented 3 new detection gaps and handed them to engineering.

Tools Used

  • Microsoft Sentinel (KQL)
  • Sysmon (where available)
  • MITRE ATT&CK Navigator for mapping

Mapped Techniques

  • T1021.002 — SMB/Windows Admin Shares
  • T1078 — Valid Accounts
  • T1550 — Use Alternate Authentication Material

Outcome

Produced a reusable hunt playbook and three new detection rules, now scheduled weekly.