Active Directory Lateral Movement Detection

Detect and analyze lateral movement techniques within an Active Directory environment using Wazuh SIEM and Windows Event Logs.

Lab Environment

Windows Server 2022 (Domain Controller), Windows 10 Client, Kali Linux (Attacker), Wazuh SIEM (Manager + Agent).

Attack Scenario

Simulated Pass-the-Hash and PsExec-based lateral movement from a compromised workstation to the Domain Controller. The attacker used Mimikatz to extract NTLM hashes and moved laterally via SMB.

Detection Method

Monitored Windows Security Event IDs 4624 (Logon Type 3 - Network), 4648 (Explicit Credential Logon), and Sysmon Event ID 1 (Process Creation) for suspicious PsExec execution patterns. Created custom Wazuh rules to trigger on unusual lateral authentication events.
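The detection logic described above, written out as an added example that is not part of the original project: three detectors (4624 Logon Type 3 over NTLM against the DC, 4648 explicit-credential logons aimed at another host, Sysmon Event ID 1 spawning PsExec or its PSEXESVC service binary) run over constructed sample events, followed by a simple correlation step that raises severity when several indicators hit the same account in a short window. The hostnames DC01 and WS01, the account names, the IP address and the flattened field names are assumptions for the example; they are not Wazuh's exact decoded schema.

```python
"""Added example (not the project's code): lateral-movement detectors run over
constructed Windows Security / Sysmon events. Field names imitate the EventData
names Windows emits, flattened into one dict per record (an assumption)."""
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN_CONTROLLER = "DC01"          # assumed lab hostname (placeholder)
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}

# Constructed sample events; none of these are taken from a real environment.
SAMPLE_EVENTS = [
    {  # Benign: machine-account Kerberos network logon, must not alert
        "time": "2024-01-10T09:00:01", "computer": "DC01", "channel": "Security",
        "event_id": 4624, "LogonType": "3", "AuthenticationPackageName": "Kerberos",
        "TargetUserName": "WS01$", "IpAddress": "10.0.0.25"},
    {  # Suspicious: NTLM network logon with a user account to the DC (PtH pattern)
        "time": "2024-01-10T09:05:10", "computer": "DC01", "channel": "Security",
        "event_id": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",
        "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25"},
    {  # Suspicious: explicit credentials used on the workstation toward the DC
        "time": "2024-01-10T09:05:08", "computer": "WS01", "channel": "Security",
        "event_id": 4648, "SubjectUserName": "jdoe", "TargetUserName": "svc_backup",
        "TargetServerName": "DC01"},
    {  # Suspicious: PsExec service binary started on the DC by services.exe
        "time": "2024-01-10T09:05:12", "computer": "DC01",
        "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
        "Image": "C:\\Windows\\PSEXESVC.exe", "User": "LAB\\svc_backup",
        "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {  # Benign process creation, must not alert
        "time": "2024-01-10T09:06:00", "computer": "WS01",
        "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
        "Image": "C:\\Windows\\System32\\notepad.exe", "User": "LAB\\jdoe",
        "ParentImage": "C:\\Windows\\explorer.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_ntlm_network_logon(event):
    """4624 / Logon Type 3 over NTLM with a user (not machine) account on the DC.
    A Pass-the-Hash session lands on the target as exactly this kind of logon."""
    if event.get("channel") != "Security" or event.get("event_id") != 4624:
        return None
    user = event.get("TargetUserName", "")
    if (event.get("LogonType") == "3"
            and event.get("AuthenticationPackageName") == "NTLM"
            and event.get("computer") == DOMAIN_CONTROLLER
            and not user.endswith("$") and user.upper() != "ANONYMOUS LOGON"):
        return {"rule": "ntlm_network_logon_dc", "account": user,
                "source": event.get("IpAddress"), "time": _ts(event)}
    return None


def detect_explicit_credential_logon(event):
    """4648: a process supplied credentials other than the logged-on user's,
    directed at a remote host (logged on the *source* machine)."""
    if event.get("channel") != "Security" or event.get("event_id") != 4648:
        return None
    if (event.get("TargetUserName") != event.get("SubjectUserName")
            and event.get("TargetServerName", "localhost") != "localhost"):
        return {"rule": "explicit_credential_logon", "account": event["TargetUserName"],
                "source": event["computer"], "time": _ts(event)}
    return None


def detect_psexec_process(event):
    """Sysmon 1: PsExec client, or its PSEXESVC service binary, being spawned."""
    if event.get("event_id") != 1 or "Sysmon" not in event.get("channel", ""):
        return None
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image in PSEXEC_IMAGES:
        return {"rule": "psexec_process_creation",
                "account": event.get("User", "").split("\\")[-1],
                "source": event["computer"], "time": _ts(event)}
    return None


DETECTORS = (detect_ntlm_network_logon, detect_explicit_credential_logon,
             detect_psexec_process)


def run_detections(events):
    """Apply every detector to every event; return the list of alert dicts."""
    return [hit for ev in events for d in DETECTORS if (hit := d(ev))]


def correlate_by_account(alerts, window=timedelta(minutes=10)):
    """Escalate when two or more distinct indicators hit one account within the window."""
    by_account = defaultdict(list)
    for a in alerts:
        by_account[a["account"]].append(a)
    chains = []
    for account, hits in by_account.items():
        hits.sort(key=lambda a: a["time"])
        rules = {h["rule"] for h in hits}
        if len(rules) >= 2 and hits[-1]["time"] - hits[0]["time"] <= window:
            chains.append({"account": account, "rules": sorted(rules),
                           "sources": sorted(str(h["source"]) for h in hits)})
    return chains


if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for a in found:
        print(a["rule"], a["account"], a["source"], a["time"].isoformat())
    for chain in correlate_by_account(found):
        print("LATERAL MOVEMENT CHAIN:", chain)
```

Two points worth keeping in mind when turning this into Wazuh rules: the 4648 event is written on the source workstation, not on the Domain Controller, so the Wazuh agent has to be collecting the Security channel on clients as well as on the DC; and a bare "Logon Type 3 over NTLM" rule is noisy wherever NTLM is still in everyday use, which is why the correlation step (several distinct indicators against one account in a short window) is what should carry the high severity, with the single-event rules kept at a lower level for hunting.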