Hunting Lateral Movement: Five Detection Rules Every SIEM Should Have
Lateral movement is the phase between 'they got in' and 'they own everything.' Most SOCs do not have detection rules tuned to it. The five we ship on every engagement, with the false-positive baseline.
By Arjun Raghavan, Security & Systems Lead, BIPI · May 2, 2026 · 8 min read
Most security teams have alerts for initial access. Phishing, brute force, exposed services. Most teams also have alerts for impact: data exfiltration, ransom-style file changes, credential dumps. The phase in between is where attackers spend most of their time, and it is also the phase most under-instrumented in the SIEMs we audit.
Lateral movement is what an attacker does between landing on the first host and reaching the systems they actually want. SMB sessions to neighboring servers, remote service installs to spawn a shell elsewhere, cross-tier authentications that should never happen. Every move leaves a Windows event ID or a network signature. The rules below are the five we deploy on every engagement.
Rule 1: Anomalous SMB session creation
Windows Event 5140 is logged on the host serving the share whenever a network share object is accessed, and it records the account and source address. Most environments have a stable baseline. A workstation user that never accessed C$ on a server suddenly doing so at 2 AM is suspicious. The detection: count distinct destination hosts per source account per hour, and alert when the count exceeds that account's 30-day baseline by 3 standard deviations.
Tuning note: domain admins and IT scripts blow this up. Suppress on tier-0 accounts and named automation principals. Real false-positive rate after tuning: under 5%.
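The rule as described, worked through in Python as an added example (this is not code from the article or from BIPI). It buckets 5140-style records into distinct servers per account per hour, builds each account's 30-day baseline with idle hours counted as zero, suppresses the exempt principals, and alerts above mean plus three standard deviations. The account names, server names and the one-host floor on the standard deviation are assumptions for this example; the floor exists because a perfectly flat baseline has a standard deviation of zero and would otherwise alert on a single extra server.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Tier-0 admins and named automation principals exempt from the rule (placeholder names).
SUPPRESSED_ACCOUNTS = {"CORP\\da-admin", "CORP\\svc_backup"}


def hour_of(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def distinct_servers_per_hour(events):
    """Bucket 5140-style records into {(account, hour): {servers accessed}}."""
    buckets = defaultdict(set)
    for e in events:
        buckets[(e["account"], hour_of(e["time"]))].add(e["server"])
    return buckets


def baseline(buckets, account, window_end, days=30):
    """Mean and population std of distinct servers per hour over every hour in
    the window; hours with no share access count as zero."""
    counts = []
    h = window_end - timedelta(days=days)
    while h < window_end:
        counts.append(len(buckets.get((account, h), ())))
        h += timedelta(hours=1)
    return statistics.mean(counts), statistics.pstdev(counts)


def evaluate_hour(events, hour, sigma=3.0, min_std=1.0, baseline_days=30):
    """Alerts for one hour: accounts whose distinct-server count exceeds
    mean + sigma * std of their own baseline. min_std (assumption) keeps a
    flat baseline from alerting on one extra server."""
    buckets = distinct_servers_per_hour(events)
    alerts = []
    for (account, h), servers in buckets.items():
        if h != hour or account in SUPPRESSED_ACCOUNTS:
            continue
        mean, std = baseline(buckets, account, hour, baseline_days)
        threshold = mean + sigma * max(std, min_std)
        if len(servers) > threshold:
            alerts.append({"account": account, "hour": hour,
                           "servers": sorted(servers),
                           "threshold": round(threshold, 2)})
    return alerts


def constructed_events():
    """Constructed sample: 30 days of one user touching a single file server in
    office hours, then a 02:00 burst across six servers, plus an exempt admin
    sweeping twenty hosts in the same hour."""
    events = []
    day0 = datetime(2026, 4, 1)
    for d in range(30):
        for hr in range(9, 17):
            events.append({"account": "CORP\\alice", "server": "FS01",
                           "time": day0 + timedelta(days=d, hours=hr)})
    burst = day0 + timedelta(days=30, hours=2)
    for srv in ["FS01", "FS02", "DC01", "SQL01", "APP01", "APP02"]:
        events.append({"account": "CORP\\alice", "server": srv, "time": burst})
    for i in range(20):
        events.append({"account": "CORP\\da-admin", "server": f"SRV{i:02d}",
                       "time": burst})
    return events, burst


if __name__ == "__main__":
    evs, burst = constructed_events()
    for alert in evaluate_hour(evs, burst):
        print(alert)
```

With the constructed data the user's baseline is 240 active hours of one server out of 720, so the mean is 0.33 and the threshold lands at 3.33 distinct servers; six at 02:00 fires, the admin's twenty does not because the account is suppressed.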
Rule 2: Remote service installations
Event 7045 fires when a Windows service is installed. PsExec, the most common lateral-movement tool in our IR engagements, leaves a 7045 with a service name such as PSEXESVC and an image path under ADMIN$\PSEXESVC.exe. Even attacker variants that randomize the service name still install through the Service Control Manager (SCM), so the 7045 still fires.
Detection: alert on every 7045 from a non-management host, with service path on a remote-admin share. Baseline volume: a few per week in a healthy environment. Spikes are real signal.
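Rule 2 as a small triage script, added here as an example and not part of the article: it parses constructed, flattened 7045 records, drops installs on management hosts, flags an image path on an administrative share regardless of service name, flags the known PSEXESVC name, and counts alerts per week so a spike over the "few per week" baseline stands out. The host names, the management-host set, the week tag in each record and the spike threshold are assumptions for this example.

```python
import re
from collections import Counter

# Hosts where service installs are routine (deployment/management servers). Placeholder names.
MANAGEMENT_HOSTS = {"MGMT01", "SCCM01"}
# UNC image path on an administrative share, e.g. \\host\ADMIN$\x.exe or \\host\C$\...\x.exe
ADMIN_SHARE_PATH = re.compile(r"\\\\[^\\]+\\[A-Za-z]+\$\\", re.IGNORECASE)
KNOWN_REMOTE_EXEC_SERVICES = {"PSEXESVC"}
FIELD = re.compile(r"(\w+)=([^;]+)")


def parse_7045(line):
    """Parse a constructed 'key=value; key=value' rendering of a 7045 record."""
    f = {k: v.strip() for k, v in FIELD.findall(line)}
    return {"host": f["host"], "week": f["week"],
            "service": f["ServiceName"], "path": f["ImagePath"]}


def classify(rec):
    """Reasons a service install is suspicious; empty list means benign/suppressed."""
    if rec["host"].upper() in MANAGEMENT_HOSTS:
        return []
    reasons = []
    if ADMIN_SHARE_PATH.search(rec["path"]):
        reasons.append("image path on remote-admin share")
    if rec["service"].upper() in KNOWN_REMOTE_EXEC_SERVICES:
        reasons.append("known remote-execution service name")
    return reasons


def triage(lines):
    alerts = []
    for line in lines:
        rec = parse_7045(line)
        reasons = classify(rec)
        if reasons:
            alerts.append({**rec, "reasons": reasons})
    return alerts


def weekly_counts(alerts):
    return Counter(a["week"] for a in alerts)


def spike_weeks(alerts, max_per_week=3):
    """Weeks whose alert volume exceeds the expected 'a few per week' (threshold is an assumption)."""
    return sorted(w for w, n in weekly_counts(alerts).items() if n > max_per_week)


# Constructed sample records (not real log data).
SAMPLE_7045 = [
    r"host=WS-042; week=2026-W18; ServiceName=PSEXESVC; ImagePath=\\WS-042\ADMIN$\PSEXESVC.exe",
    r"host=WS-017; week=2026-W18; ServiceName=kqzxv; ImagePath=\\WS-017\ADMIN$\kqzxv.exe",
    r"host=MGMT01; week=2026-W18; ServiceName=PSEXESVC; ImagePath=\\MGMT01\ADMIN$\PSEXESVC.exe",
    r"host=WS-099; week=2026-W18; ServiceName=Sense; ImagePath=C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
    r"host=WS-101; week=2026-W19; ServiceName=zzrtq; ImagePath=\\WS-101\C$\Windows\zzrtq.exe",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_7045):
        print(a["host"], a["service"], a["reasons"])
    print(weekly_counts(triage(SAMPLE_7045)))
```

The second sample record is the case the article calls out: a randomized service name that the name check misses but the share-path check still catches.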
Rule 3: Cross-tier authentications
Tier-0 (domain controllers, ADFS, key servers) should only be accessed from tier-0 admin workstations. Tier-1 (server admin) similarly scoped. The rule: any logon from a tier-2 host to a tier-0 destination is a P1 alert. Period.
This requires asset tiering, which most teams skip because it sounds tedious. It is the highest-leverage prep work. Without tiering, this rule cannot be written. With tiering, the rule fires on a real attacker every time.
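Rule 3 depends entirely on the tier map, so this added example (not the article's code) puts that map at the centre: a host-to-tier inventory, a classifier over 4624-style logon records that raises the article's P1 for any tier-2 source reaching a tier-0 target, and an inventory finding whenever either side of a logon is not in the map, which is how the untiered-asset gap surfaces instead of silently passing. Treating a tier-1 source reaching tier-0 as a lower-severity P2 is my assumption that follows from "tier-0 should only be accessed from tier-0 admin workstations"; all host names are placeholders.

```python
# Host-to-tier inventory. Placeholder names; in practice this is the asset-tiering
# work the article says to do first.
TIER_OF = {
    "DC01": 0, "DC02": 0, "ADFS01": 0, "PKI01": 0, "PAW-T0-01": 0,
    "FS01": 1, "SQL01": 1, "APP01": 1, "JUMP-T1-01": 1,
    "WS-042": 2, "WS-017": 2, "LAPTOP-JDOE": 2,
}


def tier(host):
    return TIER_OF.get(host.upper())


def classify_logon(ev):
    """ev: {'account', 'source_host', 'target_host'} taken from a 4624-style
    record on the target. Returns (severity, reason) or None."""
    src, dst = tier(ev["source_host"]), tier(ev["target_host"])
    if src is None or dst is None:
        missing = [h for h in (ev["source_host"], ev["target_host"]) if tier(h) is None]
        return ("INVENTORY", "untiered host(s) in logon: " + ", ".join(missing))
    if dst == 0 and src == 2:
        return ("P1", f"tier-2 {ev['source_host']} authenticated to tier-0 {ev['target_host']}")
    if dst == 0 and src == 1:
        # Assumption: tier-1 to tier-0 is still a violation, ranked below the tier-2 case.
        return ("P2", f"tier-1 {ev['source_host']} authenticated to tier-0 {ev['target_host']}")
    return None


def triage(events):
    """Return [(event, (severity, reason))] for every logon that needs attention."""
    out = []
    for ev in events:
        result = classify_logon(ev)
        if result:
            out.append((ev, result))
    return out


# Constructed sample logons (not real log data).
SAMPLE_LOGONS = [
    {"account": "CORP\\alice", "source_host": "WS-042", "target_host": "DC01"},
    {"account": "CORP\\t1-admin", "source_host": "JUMP-T1-01", "target_host": "DC01"},
    {"account": "CORP\\da-admin", "source_host": "PAW-T0-01", "target_host": "DC01"},
    {"account": "CORP\\bob", "source_host": "WS-017", "target_host": "FS01"},
    {"account": "CORP\\carol", "source_host": "WS-NEW-7", "target_host": "DC02"},
]

if __name__ == "__main__":
    for ev, (sev, why) in triage(SAMPLE_LOGONS):
        print(sev, ev["account"], why)
```

The fourth record, a workstation user reaching a tier-1 file server, is ordinary network access and produces nothing; the rule is about the tier-0 boundary, not every cross-tier connection.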
Rule 4: PsExec / Impacket signatures on the wire
Network detection complements endpoint. Impacket's secretsdump and similar tools have characteristic SMB pipe usage. Network IDS rules (Suricata, Zeek) for these are public and free. Deploy them at the network choke point or on the EDR's network-introspection layer.
Rule 5: Beacon-like outbound traffic
Once an attacker is in, they need a command-and-control channel. C2 traffic is regular: a check-in every N seconds or every N minutes, with low jitter. Detection: aggregate netflow per source-destination pair over an hour and compute the variance of the inter-arrival times. Alert on any pair whose mean inter-arrival time is between 10 s and 600 s and whose standard deviation is under 5% of that mean.
Tuning note: legitimate beacons (heartbeats, telemetry) trip this. Build an allowlist of known beaconing endpoints. After two iterations, false-positive rate is under 10%.
What to do this quarter
- Pick three of these rules. Deploy in monitor-only mode for two weeks.
- Tune the noise. Each rule should reach under 15% false-positive rate before going to alert.
- Add the remaining two. Same monitor-then-alert cycle.
- Set up a quarterly review of detection coverage against the MITRE ATT&CK Lateral Movement column. You will find gaps. Close them one rule per quarter.
Closing
Lateral movement is the phase where every attacker burns the most time and leaves the most signals. The teams that catch breaches early are the ones who instrumented this phase deliberately. Five rules is the floor, not the ceiling. The discipline of tuning them quarterly is what separates a SIEM that detects from a SIEM that records.