Lateral Movement

Authentication activity on an endpoint, whether using local or domain accounts, includes the source machine and account from which the authentication came. With this information, InsightIDR can aggregate and present visualizations displaying exactly where users came from when logging into any particular asset on the network and which assets users authenticated to next from that asset.

Attackers move laterally when they jump from one endpoint to another to infiltrate a network without Active Directory being informed. This is a common attacker methodology and includes pass-the-hash attacks. Lateral movement cannot be detected simply by reading Active Directory logs; it requires visibility into the endpoints.

View Lateral Movement

When you view an individual asset page, you may see a section for "Recent Authentication". This graph allows security administrators to retrace the steps of any lateral movement as the user hops from machine to machine across the environment.

See Local accounts for more information.

Lateral Movement Alerts

You can configure Lateral Movement alerts depending on your environment. To do so, go to Settings > Alert Settings and scroll to the various Lateral Movement options. For each action, select whether you want it to be an Alert or Notable Behavior.

By default, the following actions are set to Alert and create an Investigation:

  • LATERAL MOVEMENT - ADMINISTRATOR IMPERSONATION: A user has authenticated to an administrator account.
  • LATERAL MOVEMENT - DOMAIN CREDENTIALS: A domain account has attempted to access several new assets in a short period of time.
  • LATERAL MOVEMENT - LOCAL CREDENTIALS: A local account has attempted to access several assets in a short period of time.
  • LATERAL MOVEMENT - SERVICE ACCOUNT: A service account is authenticating from a new source asset.
  • LATERAL MOVEMENT - WATCHED USER IMPERSONATION: A user has authenticated to a watched user's account.
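
The following is an added example, not InsightIDR's detection logic or code from this documentation: one way a rule like "LATERAL MOVEMENT - DOMAIN CREDENTIALS" can be evaluated over endpoint authentication events, returning the hop-by-hop path an analyst would retrace. The 10-minute window, the threshold of three new assets, the event layout, the function name and all account and asset names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values for illustration; the page does not state InsightIDR's thresholds.
WINDOW = timedelta(minutes=10)
NEW_ASSET_THRESHOLD = 3

# Constructed endpoint authentication events: (time, account, source asset, destination asset).
EVENTS = [
    ("2024-05-01T08:00:00", "CORP\\jdoe", "WS-014", "FILE-01"),
    ("2024-05-01T08:05:00", "CORP\\jdoe", "WS-014", "MAIL-01"),
    ("2024-05-02T09:00:00", "CORP\\jdoe", "WS-014", "FILE-01"),
    ("2024-05-02T09:01:10", "CORP\\jdoe", "WS-014", "HR-DB-01"),
    ("2024-05-02T09:02:30", "CORP\\jdoe", "HR-DB-01", "FIN-APP-02"),
    ("2024-05-02T09:04:00", "CORP\\jdoe", "FIN-APP-02", "DC-BACKUP-01"),
    ("2024-05-02T11:00:00", "CORP\\asmith", "WS-022", "FILE-01"),
]

def detect_new_asset_bursts(events, baseline_end, window=WINDOW, threshold=NEW_ASSET_THRESHOLD):
    """Flag accounts that reach `threshold` never-before-seen assets within `window`.

    Events before `baseline_end` only build each account's set of known assets.
    """
    known = defaultdict(set)       # account -> assets it has authenticated to before
    recent = defaultdict(deque)    # account -> (time, source, destination) of recent first-time logons
    findings = []
    for ts, account, src, dst in sorted(events):
        when = datetime.fromisoformat(ts)
        first_time = dst not in known[account]
        known[account].add(dst)
        if when < baseline_end or not first_time:
            continue
        hops = recent[account]
        hops.append((when, src, dst))
        while when - hops[0][0] > window:   # drop hops that fell out of the window
            hops.popleft()
        if len(hops) >= threshold:
            findings.append({
                "account": account,
                "time": when,
                "path": [(s, d) for _, s, d in hops],  # hop-by-hop source -> destination
            })
            hops.clear()                    # one finding per burst
    return findings

if __name__ == "__main__":
    for f in detect_new_asset_bursts(EVENTS, datetime(2024, 5, 2)):
        print(f["account"], f["time"].isoformat(), " -> ".join(d for _, d in f["path"]))
```

Because the source asset of each hop comes from the endpoint's own authentication record, the returned path shows the chain WS-014, HR-DB-01, FIN-APP-02, DC-BACKUP-01 that the destination list alone would not reveal.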