HD Doctor Logo

Detect Lateral Movement Before Encryption

By the HD Doctor Technical Team

Direct answer

Between initial breach and ransomware encryption, the attacker spends on average 7-30 days in the network in lateral movement. That is the window where detection and containment prevent disaster. 8 behavioral signs identify the attack in progress before the end point.

What lateral movement is

Lateral movement is the set of techniques the attacker uses to move from the initially compromised host (usually a workstation via phishing) to reach Active Directory, critical servers, and backups. Common tools: Mimikatz (credential extraction), PsExec (remote execution), Cobalt Strike Beacon (C2), BloodHound (AD mapping), Rubeus (kerberoasting), AnyDesk/Atera (persistence). Each technique leaves detectable traces if proper logging exists.

8 signs indicating lateral movement in progress

  1. 1.
    User logins to servers they don't normally access. Admin account that uses AD only to authenticate Outlook suddenly logging into SQL or ESXi servers. Most common anomaly. Sentinel/Splunk with baseline detects.
  2. 2.
    Mimikatz / SharpHound execution on endpoint. Modern EDR detects. CrowdStrike Falcon, SentinelOne, Defender for Endpoint generate critical alert.
  3. 3.
    Unusual lateral SMB traffic. Workstations don't normally talk SMB between themselves. Port 445 traffic between workstations = red sign. Internal firewall or network EDR captures.
  4. 4.
    Creation of new admin accounts. Account created outside hours, with elevated privilege, without change ticket = invasion in progress. AD audit via Sentinel or native logs.
  5. 5.
    Scheduled tasks on servers. schtasks /create executed remotely. Attackers create tasks for persistence. Sysinternals Sysmon + correlation detects.
  6. 6.
    Cobalt Strike Beacon C2 patterns. Communication to unusual domains at regular intervals (typical 30-90s jitter). Network EDR with updated IoCs detects.
  7. 7.
    vCenter / ESXi access from unusual IP. ESXi-Linux attackers (BlackCat, LockBit, Akira) need to log into vCenter. vCenter logs show source IP β€” alert any IP outside management.
  8. 8.
    Backup access attempts. Veeam B&R, Commvault, S3 repository β€” anomalous access at odd hours or with wrong credentials. Attacker mapping backup BEFORE encrypting.

FAQ

How long from breach to encryption?

Average dwell time in 2024: 11 days (Mandiant report). More sophisticated variants (LockBit, BlackCat): 20-45 days. More opportunistic (Akira): 5-10 days. Detection and containment time is the metric that matters.

Does EDR detect all of this?

Modern EDR (CrowdStrike, SentinelOne, Defender Plan 2) detects most. Without EDR, depends on SIEM + manual correlation. Companies without EDR typically discover attack only at encryption.

Can I correlate logs without expensive SIEM?

Yes. Wazuh (open source) does basic SIEM. Microsoft Sentinel: ~US$2-4/GB/month ingested, viable for SMB. Splunk and QRadar are more expensive. Without log aggregation, detection is reactive.

What to do upon detecting lateral movement?

1) DON'T alert attacker (maintain apparent routine). 2) Snapshot critical hosts. 3) Engage professional emergency response. 4) In parallel, isolate most critical network segments. 5) Reset KRBTGT and admin accounts in next hours. 6) Aggressive hardening. Typical containment window: 24-72h.

How much to build decent detection?

SMB: EDR (~US$10-20/host/month) + Wazuh or Sentinel (~US$200-600/month). Mid-size: add outsourced 24Γ—7 SOC (~US$3-10K/month). Cost is a fraction of full-encryption attack impact.

Suspecting compromise in progress?

IoC analysis + log correlation within 6h. Chain of custody if compromise indicated.

Next reads