How to Detect Lateral Movement in Active Directory

Windows audit logging, when properly configured, produces reliable signals for the most common credential-based lateral movement techniques. The problem is that default audit policy settings in most organizations log too little or log the wrong events. Start by confirming these audit subcategories are enabled via Group Policy: Audit Logon/Logoff, Audit Account Logon, Audit Kerberos Service Ticket Operations, and Audit Kerberos Authentication Service.

The seven Event IDs that form the foundation of lateral movement detection coverage are: 4624 (successful logon — the baseline; filter on Logon Type 3 for network logons and Type 10 for remote interactive); 4625 (failed logon — source of brute force and credential spray signals); 4648 (logon using explicit credentials — surfaces Pass-the-Hash and RunAs abuse); 4768 (Kerberos TGT requested — baseline for Kerberoasting and AS-REP roasting detection); 4769 (Kerberos service ticket requested — the primary Kerberoasting detection event, filter on encryption type 0x17 for RC4 requests); 4771 (Kerberos pre-authentication failed — failed TGT requests indicating credential spray against Kerberos); and 4776 (NTLM authentication — surfaces NTLM relay and hash-based authentication outside expected paths).

None of these events are useful in isolation. The detection value comes from correlating sequences across time windows and filtering against baseline behavior.

Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) are the two most common credential reuse techniques in enterprise intrusions. Both bypass password requirements by replaying credential material harvested from memory, making them invisible to password-based controls.

Pass-the-Hash detection relies on identifying NTLM authentication events that originate from unexpected source machines. The primary signal is Event ID 4624 with Logon Type 3 (network) or Type 9 (NewCredentials), where the source account and source machine combination has no historical baseline. Supplement with Event ID 4648, which fires when explicit credentials are passed programmatically. In environments that have suppressed NTLM in favor of Kerberos, any 4776 event from a workstation is immediately suspicious.

Pass-the-Ticket detection looks for Kerberos ticket use from machines where the ticket was not originally issued. Event ID 4769 (service ticket request) combined with anomalous source IP relative to the account's home subnet is the primary signal. Golden Ticket attacks produce 4769 events with unusually long ticket lifetimes and missing 4768 (TGT request) events that should precede them — a correlation detectable in SIEM platforms with multi-event rule support.

For both techniques, endpoint telemetry from EDR platforms provides the strongest signal: process access to lsass.exe (Event ID 10 in Sysmon), LSASS memory reads from unexpected processes, and registry access to SAM hive locations are all behavioral indicators that precede credential reuse.

Sigma rules are the most portable format for AD lateral movement detection because they compile to SPL (Splunk), KQL (Sentinel/Elastic), and other SIEM query languages from a single definition. The following patterns cover the highest-value detection opportunities.

For Kerberoasting detection, the rule targets Event ID 4769 with TicketEncryptionType 0x17 (RC4) and a non-machine account name, with a threshold of more than five events from a single source within 10 minutes. For Pass-the-Hash, the rule correlates Event ID 4624 with LogonType 3 and AuthenticationPackageName NTLM, filtered to exclude known service accounts and machine accounts, alerting on source machines that have not previously authenticated to the target.

For lateral movement via PsExec and similar tools, Sysmon Event ID 13 (registry value set) targeting the HKLM\SYSTEM\CurrentControlSet\Services path combined with Event ID 7045 (new service installed) from the Security log, where the service binary path contains admin shares (C$, ADMIN$), provides high-fidelity detection with low false positive rates in environments where PsExec is not legitimately used.

SigmaHQ maintains a production-quality rule set at github.com/SigmaHQ/sigma. The rules/windows/builtin/security/ and rules/windows/builtin/system/ directories contain the most relevant AD lateral movement detections. Clone the repository and convert rules using sigma-cli with the backend matching your SIEM rather than writing detection logic from scratch.

The reason most organizations have poor lateral movement detection coverage is not a lack of rules — it is alert fatigue from untuned rules that fire hundreds of times per day. A rule that cannot be acted upon within 15 minutes of firing has no security value.

The most effective tuning approach is building allowlists from historical baseline data before enabling alerting. For Event ID 4769 RC4 Kerberoasting rules, run the detection query against 30 days of historical logs. Every account and service that legitimately generates RC4 tickets (legacy applications, service accounts with pre-Windows 2008 SPNs) should be added to the allowlist before the rule goes live. This converts a rule that fires 500 times per day into one that fires 3 times per day on genuinely anomalous activity.

For Pass-the-Hash detection, baseline source-to-destination authentication pairs using 14 days of authentication logs. Any pair with more than 5 prior occurrences is normal behavior. Alert only on first-seen pairs involving privileged accounts or tier-0 infrastructure.

Use time-based suppression for service account activity that legitimately generates high volumes: backup agents, monitoring tools, and vulnerability scanners all produce NTLM and Kerberos events at high rates during scheduled windows. Suppress known sources during their scheduled operation windows and alert on out-of-window activity from the same sources.

Detection is reactive by definition. BloodHound Community Edition gives defenders the same attack path analysis capability that adversaries use to plan lateral movement — letting you identify and eliminate the highest-value paths before they are exploited.

BloodHound ingests Active Directory data via SharpHound (a .NET collector) and builds a graph of every permission relationship, group membership, and delegation that could be leveraged for privilege escalation or lateral movement. The Shortest Paths to Domain Admin query surfaces the attack path an adversary with any given foothold would use to reach domain administrator.

For defenders, the practical value of BloodHound is prioritized hardening: instead of trying to harden every misconfiguration, identify the 20 relationships that appear in the most attack paths and eliminate them. Common findings include nested group membership granting excessive access, constrained delegation misconfigurations, ACL-based paths through service accounts, and AdminSDHolder permission inheritance issues.

Run BloodHound on a quarterly basis or after major Active Directory changes. Treat any path that reaches Domain Admin in fewer than four hops as a critical remediation item. Establish a baseline graph and track path count reduction as a program metric.