After compromising one host, attackers do not stop -- they spread. Using stolen credentials, file-sharing protocols, and remote execution tools, they pivot from a finance workstation to domain controllers, Exchange, and CI/CD pipelines.
Windows NTLM authentication accepts the NTLM hash itself as proof of identity. When an attacker dumps hashes from LSASS memory on FINANCE-WS-01 and finds a hash for a domain admin account, they can pass that hash directly to authenticate to other machines on the network -- without cracking it or knowing the original password.
After marcus.chen's credentials were stolen via AiTM, the attacker authenticated to FINANCE-WS-01 via VPN. From there, they used PtH with a domain admin hash dumped from LSASS to move laterally to RESEARCH-STATION-01 at 192.168.3.45.
Event ID 4624 (Logon Type 3 = network logon) with NtLmSsp as the logon process (NTLM authentication package), originating from an unexpected source host. Lateral movement looks like a user logging on from one machine to another with no business reason to do so. SIEM rules that baseline normal logon sources flag such anomalies immediately.
Every Windows machine exposes administrative shares (C$, ADMIN$, IPC$) accessible to administrators. With valid credentials or a hash, an attacker can map these shares to copy tools and files to the target without needing a separate exploit -- it looks like a normal file transfer.
The attacker accessed ADMIN$ on FIC-DC-01 using stolen domain admin credentials. They used this access to drop tools and stage additional payloads on the domain controller before moving to Exchange.
Event ID 5140 (network share accessed). Accessing C$ or ADMIN$ from a workstation (as opposed to a server) is almost always anomalous. SIEM detection: source workstation accessing admin shares on a domain controller with no corresponding helpdesk ticket.
PsExec uses SMB to copy a service binary to the target, creates a temporary Windows service to execute it, runs the command, and removes the service. The result is full remote code execution -- as a system service. Attackers frequently use the same approach with their own binaries or use built-in tools like SC.exe to avoid the PsExec signature.
From FIC-DC-01, the attacker used PsExec-style execution to run a fileless payload on FIC-EXCH-01 (Exchange server). The EDR on RESEARCH-STATION-01 detected a similar execution chain: chrome.exe spawning cmd.exe spawning encoded PowerShell.
Event ID 7045 (service installed) followed immediately by Event ID 7036 (service started/stopped). EDR behavioral detection: process spawning unexpected child processes, especially encoded PowerShell from a browser process. This is one of the most reliable lateral movement detection signals.
Any authenticated domain user can request a Kerberos Service Ticket (TGS) for any service account that has an SPN registered. Attackers request tickets for high-privilege service accounts, then take those tickets offline and crack them at GPU speed -- no lockouts, no failed authentication events on the target, no network noise during the crack.
From the Exchange server (FIC-EXCH-01), the attacker ran Kerberoasting against service accounts in the Ficsit domain, targeting the SQL service account (which had an SPN registered) and the backup service account. Both had weak passwords and were cracked within hours.
Event ID 4769 with encryption type 0x17 (RC4) -- service ticket requests using RC4 instead of AES are a strong Kerberoasting signal since modern environments should use AES. A single host requesting many TGS tickets in rapid succession is another reliable indicator. Defense: use gMSA (Group Managed Service Accounts) so service account passwords are 240-character random strings that cannot be cracked.
| Event ID | What it means | Why it matters |
|---|---|---|
| 4624 (Type 3) | Network logon to a remote host | Attacker authenticating to remote systems via PtH or valid credentials |
| 4672 | Special privileges assigned at logon | Admin-level access granted -- look for this on non-admin workstations |
| 5140 | Network share object accessed | Accessing C$ or ADMIN$ from unexpected sources |
| 7045 | New service installed | PsExec-style execution installs a temporary service |
| 4769 + RC4 | Kerberos TGS requested with RC4 encryption | Strong Kerberoasting indicator -- filter on encryption type 0x17 |
| 1 (Sysmon) | Process creation | Unusual parent-child chains: browser spawning cmd, cmd spawning encoded PowerShell |
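The detection rules in the table above, run over a handful of constructed events as an added example (not part of the original page or the IRON CHIMNEY scenario materials). Field names are simplified stand-ins for the Windows log attributes, and the asset inventory, logon baseline and RC4 ticket threshold are assumptions a real SIEM rule would pull from the environment.

```python
from collections import Counter

# Constructed sample events (not real log data). Fields are simplified versions of the
# Security/System log attributes each rule keys on (LogonType, LogonProcessName, ShareName,
# TicketEncryptionType, ...). Host names reuse the scenario's naming convention.
EVENTS = [
    {"id": 4624, "logon_type": 3, "logon_process": "NtLmSsp", "src": "FINANCE-WS-01", "dst": "RESEARCH-STATION-01"},
    {"id": 4624, "logon_type": 3, "logon_process": "Kerberos", "src": "FIC-APP-01", "dst": "FIC-DC-01"},
    {"id": 5140, "src": "FINANCE-WS-01", "dst": "FIC-DC-01", "share": "\\\\*\\ADMIN$"},
    {"id": 5140, "src": "FIC-APP-01", "dst": "FIC-FS-01", "share": "\\\\*\\Finance"},
    {"id": 7045, "dst": "FIC-EXCH-01", "service": "PSEXESVC"},
] + [{"id": 4769, "src": "FIC-EXCH-01", "etype": 0x17, "spn": f"MSSQLSvc/sql0{i}"} for i in range(6)]

# Assumed environment knowledge: asset roles, baselined network-logon sources per host,
# and how many RC4 service-ticket requests from one host count as a Kerberoasting burst.
WORKSTATIONS = {"FINANCE-WS-01", "RESEARCH-STATION-01"}
BASELINE_NET_LOGONS = {"FIC-DC-01": {"FIC-APP-01"}}  # dst -> sources seen during baselining
ADMIN_SHARES = ("C$", "ADMIN$")
RC4_TGS_THRESHOLD = 5


def detect(events):
    """Return (rule_name, detail) tuples for events matching the lateral movement rules."""
    alerts = []
    rc4_tgs = Counter()  # 4769 + RC4 requests per source host, evaluated after the pass
    for e in events:
        if (e["id"] == 4624 and e.get("logon_type") == 3 and e.get("logon_process") == "NtLmSsp"
                and e["src"] not in BASELINE_NET_LOGONS.get(e["dst"], set())):
            alerts.append(("ntlm_network_logon_new_source", f'{e["src"]} -> {e["dst"]}'))
        elif e["id"] == 5140 and e["share"].endswith(ADMIN_SHARES) and e["src"] in WORKSTATIONS:
            alerts.append(("admin_share_from_workstation", f'{e["src"]} -> {e["dst"]} {e["share"]}'))
        elif e["id"] == 7045:
            # A new service is rare enough on servers to alert on its own; correlate with 7036 in practice
            alerts.append(("service_installed", f'{e["dst"]} {e["service"]}'))
        elif e["id"] == 4769 and e.get("etype") == 0x17:
            rc4_tgs[e["src"]] += 1
    for host, n in rc4_tgs.items():
        if n >= RC4_TGS_THRESHOLD:
            alerts.append(("rc4_tgs_burst", f"{host} requested {n} RC4 service tickets"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"[{rule}] {detail}")
```

Running it against the constructed events yields one alert per pivot in the scenario: the NTLM network logon from the finance workstation, the ADMIN$ access on the domain controller from a workstation, the service install on Exchange, and the RC4 ticket burst from the Exchange host.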

| Where to look | What you will find |
|---|---|
| IRON CHIMNEY scenario | Full lateral movement timeline with each pivot mapped to MITRE ATT&CK |
| SIEM / INV-2024-0087 | Investigation showing the correlated Event IDs that triggered the alert |
| EDR / RESEARCH-STATION-01 | Detection DT-2024-0041: chrome.exe spawning encoded PowerShell C2 beacon |
| IR Lab | Walk through isolating RESEARCH-STATION-01 and investigating the lateral movement chain |