Lateral movement does not announce itself. An attacker navigating your internal network with built-in tools looks almost identical to an administrator doing routine work.
That is the core challenge. The protocols and tools involved in lateral movement (SMB, RDP, PSExec, and LLMNR) are not exotic or suspicious by themselves. They are standard parts of any corporate environment. Attackers know this and use it deliberately: they blend into normal traffic, move from device to device, and collect what they need before anyone notices something is wrong.
This article walks through how lateral movement actually appears in network traffic, which signals matter, and how to investigate them systematically. Each section is built around a real detection pattern you can follow in your own environment.
The investigation examples in this article are drawn from GREYCORTEX Mendel, an NDR solution that monitors network traffic passively without agents. The detection patterns and workflows apply to any environment where network-level visibility is available.
Four Protocols Attackers Use to Move Undetected
These are not tools attackers bring with them. They are present in every corporate network. That is precisely what makes them effective for lateral movement and what makes detection harder than it sounds.
Here is what each one looks like when it is being abused, and what to look for during an investigation.
SMB and Windows Admin Shares
Server Message Block (SMB) is the backbone of file sharing in Windows environments. Legitimate SMB traffic is everywhere, which is exactly why attackers use it.
The specific risk is access to Windows administrative shares, particularly ADMIN$. This share gives direct access to the Windows directory of a remote machine. When an attacker reaches it, they can copy files, execute scripts, and move tools across the network without touching the perimeter.
What you see in Mendel
When ADMIN$ access occurs, Mendel flags it as an event. From there, drill down into the application layer of the flow. You are looking for three things:
- the SMB protocol version in use,
- the specific share path being accessed,
- and any file operations attached to the session.
A legitimate admin connecting to ADMIN$ looks different from an attacker. The attacker tends to follow access with execution, and that shows up in the flow data. In one case from our environment, drilling down revealed a python.exe file operation attached to an ADMIN$ session, which is not something a routine admin task produces.
Investigation checklist
✅ Who initiated the connection: Compare the source IP against known admin accounts and scheduled change records.
✅ What the access triggered: Check whether the connection was followed by script execution or file copying.
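The triage described above, as an added example that is not part of the original article or of Mendel: it takes SMB session records (with hypothetical field names, not Mendel's export schema), checks the share against the list of administrative shares, compares the source against known admin hosts and scheduled change records, and looks for executable content written during the session. The sessions, admin list and change window are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed SMB session record. Field names are hypothetical, not Mendel's schema.
@dataclass
class SmbSession:
    src_ip: str
    dst_ip: str
    share: str            # UNC path, e.g. "\\\\10.0.1.20\\ADMIN$"
    smb_version: str      # dialect negotiated for the session
    file_ops: list        # (operation, path) tuples seen in the flow
    start: datetime

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".vbs")

def share_name(unc_path: str) -> str:
    """'\\\\10.0.1.20\\ADMIN$' -> 'ADMIN$'."""
    return unc_path.rstrip("\\").split("\\")[-1].upper()

def triage(sess: SmbSession, admin_ips: set, change_windows: list) -> list:
    """Return findings for one session. The first entry is always the share access
    itself; every further entry is something an analyst has to explain."""
    share = share_name(sess.share)
    if share not in ADMIN_SHARES:
        return []
    findings = [f"{share} on {sess.dst_ip} accessed from {sess.src_ip} (SMB {sess.smb_version})"]
    if sess.src_ip not in admin_ips:
        findings.append("source is not a known admin workstation")
    covered = any(s <= sess.start <= e and sess.dst_ip in hosts
                  for s, e, hosts in change_windows)
    if not covered:
        findings.append("no scheduled change record covers this host at this time")
    written = [p for op, p in sess.file_ops
               if op in ("create", "write") and p.lower().endswith(EXEC_SUFFIXES)]
    if written:
        findings.append("executable content written: " + ", ".join(dict.fromkeys(written)))
    return findings

def classify(findings: list) -> str:
    """Zero extra findings is routine admin work; two or more is worth an incident ticket."""
    if not findings:
        return "not an admin share"
    extra = len(findings) - 1
    return "benign" if extra == 0 else "review" if extra == 1 else "suspicious"

# Constructed inventory: one admin jump host and one change window (hypothetical values).
ADMIN_IPS = {"10.0.0.5"}
CHANGE_WINDOWS = [(datetime(2024, 3, 5, 9), datetime(2024, 3, 5, 12), {"10.0.1.20"})]

# Constructed sessions: a routine admin patch check, an ADMIN$ session that drops
# python.exe and a batch file, and ordinary access to a non-administrative share.
SAMPLE_SESSIONS = [
    SmbSession("10.0.0.5", "10.0.1.20", "\\\\10.0.1.20\\ADMIN$", "3.1.1",
               [("read", "\\Temp\\patch.log")], datetime(2024, 3, 5, 10, 15)),
    SmbSession("10.0.2.77", "10.0.1.30", "\\\\10.0.1.30\\ADMIN$", "2.1",
               [("create", "\\Temp\\python.exe"), ("write", "\\Temp\\python.exe"),
                ("create", "\\Temp\\run.bat")], datetime(2024, 3, 5, 23, 40)),
    SmbSession("10.0.0.5", "10.0.1.10", "\\\\10.0.1.10\\Public", "3.1.1",
               [("read", "\\docs\\policy.pdf")], datetime(2024, 3, 5, 10, 20)),
]

def triage_all(sessions=SAMPLE_SESSIONS, admin_ips=ADMIN_IPS, windows=CHANGE_WINDOWS):
    results = []
    for sess in sessions:
        findings = triage(sess, admin_ips, windows)
        results.append((classify(findings), findings))
    return results

if __name__ == "__main__":
    for level, findings in triage_all():
        print(level, findings)
```

The change-record check is deliberately per host: an open change window for one server does not excuse ADMIN$ access to a different one.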
PSExec
PSExec is a lightweight remote administration tool from the Microsoft Sysinternals suite. Administrators use it to run commands on remote machines without a full remote desktop session. Attackers use it for exactly the same reason.
What makes PSExec distinctive in network traffic is how it works under the hood. Every time PSExec runs, it creates a temporary service named PSEXESVC on the target machine, using SMB over TCP port 445. That service creation event is visible in the flow data and is one of the cleaner indicators of lateral movement you will find.
What you see in Mendel
Mendel surfaces the IPC$ connection first, followed by the service creation event. Drilling down into the flow shows you the command that was launched. Unlike encrypted protocols, PSExec activity at this layer gives you readable evidence of what was executed on the remote machine.
Investigation checklist
✅ Who ran it: Compare the source IP against known admin accounts. PSEXESVC outside business hours or on a machine with no remote admin history is a reason to investigate further.
✅ What was launched: Drill down into the flow and check the command executed via PSEXESVC. Anything outside routine admin tasks is a strong indicator of malicious intent.
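The two checklist items above, implemented as an added example (not Mendel's code and not from the original article): it pairs each PSEXESVC service creation with the IPC$ connection that preceded it, extracts the launched command from the event, and flags executions outside business hours, from hosts that are not known admin machines, or against targets with no remote-admin history. The event shape, admin inventory and sample events are constructed and hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed SMB-layer event record (hypothetical field names, not an NDR export format).
@dataclass
class SmbEvent:
    ts: datetime
    src_ip: str
    dst_ip: str
    kind: str       # "tree_connect" or "service_create"
    detail: str     # share name, or "SERVICE|command line" for service_create

def in_business_hours(ts: datetime, start_hour: int = 8, end_hour: int = 18) -> bool:
    return ts.weekday() < 5 and start_hour <= ts.hour < end_hour

def detect_psexec(events, admin_ips, remote_admin_history, pair_window=timedelta(seconds=60)):
    """For every PSEXESVC service creation, find the IPC$ tree connect from the same
    source to the same target shortly before it and collect the reasons to look closer."""
    events = sorted(events, key=lambda e: e.ts)
    results = []
    for i, ev in enumerate(events):
        if ev.kind != "service_create":
            continue
        service, _, command = ev.detail.partition("|")
        if service.upper() != "PSEXESVC":
            continue
        ipc = [e for e in events[:i]
               if e.kind == "tree_connect" and e.detail.upper() == "IPC$"
               and e.src_ip == ev.src_ip and e.dst_ip == ev.dst_ip
               and ev.ts - e.ts <= pair_window]
        flags = []
        if not ipc:
            flags.append("no IPC$ connect seen before service creation")
        if not in_business_hours(ev.ts):
            flags.append("outside business hours")
        if ev.src_ip not in admin_ips:
            flags.append("source is not a known admin host")
        if ev.dst_ip not in remote_admin_history.get(ev.src_ip, set()):
            flags.append("no remote-admin history between source and target")
        results.append({"ts": ev.ts, "src": ev.src_ip, "dst": ev.dst_ip,
                        "command": command, "flags": flags})
    return results

# Constructed inventory: which hosts are admin machines and which targets they manage.
ADMIN_IPS = {"10.0.0.5"}
REMOTE_ADMIN_HISTORY = {"10.0.0.5": {"10.0.1.20", "10.0.1.30"}}

# Constructed events: a routine daytime PSExec run, an unrelated service, and a
# night-time run from a workstation that has never administered the target.
SAMPLE_EVENTS = [
    SmbEvent(datetime(2024, 3, 5, 10, 0, 0), "10.0.0.5", "10.0.1.20", "tree_connect", "IPC$"),
    SmbEvent(datetime(2024, 3, 5, 10, 0, 2), "10.0.0.5", "10.0.1.20", "service_create",
             "PSEXESVC|cmd /c gpupdate /force"),
    SmbEvent(datetime(2024, 3, 5, 10, 5, 0), "10.0.0.5", "10.0.1.20", "service_create", "Spooler|"),
    SmbEvent(datetime(2024, 3, 6, 2, 13, 0), "10.0.2.77", "10.0.1.40", "tree_connect", "IPC$"),
    SmbEvent(datetime(2024, 3, 6, 2, 13, 3), "10.0.2.77", "10.0.1.40", "service_create",
             "PSEXESVC|cmd /c C:\\Windows\\Temp\\run.bat"),
]

def run_detection():
    return detect_psexec(SAMPLE_EVENTS, ADMIN_IPS, REMOTE_ADMIN_HISTORY)

if __name__ == "__main__":
    for hit in run_detection():
        print(hit["ts"], hit["src"], "->", hit["dst"], repr(hit["command"]), hit["flags"])
```

The readable command line is the payoff the article points at: because this layer is not encrypted, the flag list can be judged against what was actually executed, not just against who ran it.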
RDP
Remote Desktop Protocol (RDP) is one of the most common tools in any IT environment. It is also one of the most abused. An attacker with valid credentials can open a full interactive session on any machine with RDP enabled, and from there, reach everything that machine can reach.
RDP traffic is encrypted. You cannot see what happened inside the session, but the metadata surrounding it reveals more than most analysts expect.
What you see in Mendel
Mendel surfaces the session metadata:
- source IP address
- destination IP address
- session duration
- country of origin
Duration matters more than most analysts expect. A short RDP session from inside the internal network may not look suspicious at first glance. The key question is what happened on the source device beforehand. Check the prior activity of the device the session originated from. If it was preceded by unusual communication or access to systems the device does not normally reach, the session fits into a broader pattern.
The key investigation step is what happens after the session ends. Use the peer graph to trace where the compromised device connected following the RDP session. That is where lateral movement becomes visible as a chain, not just a single event.
Investigation checklist
✅ Where did it come from: Check the prior activity of the source device and verify whether unusual communication preceded the session.
✅ What happened after: Trace the peer graph following the session. Unexpected internal connections from the compromised host are a strong indicator of lateral movement.
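The before-and-after investigation above, as an added example that is not part of the article and not Mendel's peer graph implementation: a baseline of peer pairs is built from older flow records, then the code lists the new peers the source device reached shortly before the RDP session and walks the peer graph forward from the RDP target, following only flows to peers each host had never contacted in the baseline. All flow records, addresses and the session itself are constructed sample data with hypothetical field layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port). Hypothetical data.
HISTORY = [  # older traffic used as the "who normally talks to whom" baseline
    (datetime(2024, 2, 10, 9, 0), "10.0.2.77", "10.0.1.10", 445),   # workstation -> file server
    (datetime(2024, 2, 11, 9, 0), "10.0.1.30", "10.0.1.5", 389),    # server -> domain controller
    (datetime(2024, 2, 12, 9, 0), "10.0.1.50", "10.0.1.5", 389),
    (datetime(2024, 2, 13, 9, 0), "10.0.0.5", "10.0.1.30", 3389),   # admin jump host -> server
]
RECENT = [
    (datetime(2024, 3, 6, 2, 13), "10.0.2.77", "10.0.1.40", 445),   # new peer before the session
    (datetime(2024, 3, 6, 2, 20), "10.0.2.77", "10.0.1.30", 3389),  # the RDP session itself
    (datetime(2024, 3, 6, 2, 40), "10.0.1.30", "10.0.1.50", 445),   # target reaches a new peer
    (datetime(2024, 3, 6, 2, 41), "10.0.1.30", "10.0.1.5", 389),    # baseline traffic, ignored
    (datetime(2024, 3, 6, 2, 55), "10.0.1.50", "10.0.1.60", 3389),  # chain continues one hop
    (datetime(2024, 3, 6, 9, 0), "10.0.0.5", "10.0.1.30", 3389),    # unrelated admin RDP later
]
SESSION = {"src": "10.0.2.77", "dst": "10.0.1.30",
           "start": datetime(2024, 3, 6, 2, 20), "end": datetime(2024, 3, 6, 2, 35)}

def build_baseline(flows):
    """Set of (src, dst) pairs that have been seen before."""
    return {(s, d) for _, s, d, _ in flows}

def prior_new_peers(flows, baseline, host, before, lookback=timedelta(hours=6)):
    """Flows the source device started shortly before the session, to peers it never reached."""
    return [(s, d, p) for t, s, d, p in sorted(flows)
            if s == host and before - lookback <= t < before and (s, d) not in baseline]

def trace_chain(flows, baseline, start_host, after, max_depth=4):
    """Walk the peer graph forward from the RDP target. Each hop is a flow, later than
    the hop that led to it, to a peer the hopping host never contacted in the baseline."""
    out = defaultdict(list)
    for t, s, d, p in sorted(flows):
        out[s].append((t, d, p))
    chain, frontier = [], [(start_host, after)]
    for _ in range(max_depth):
        nxt = []
        for host, since in frontier:
            for t, d, p in out[host]:
                if t >= since and (host, d) not in baseline and (host, d, p) not in chain:
                    chain.append((host, d, p))
                    nxt.append((d, t))
        if not nxt:
            break
        frontier = nxt
    return chain

def investigate(session=SESSION, history=HISTORY, recent=RECENT):
    baseline = build_baseline(history)
    return {"before": prior_new_peers(recent, baseline, session["src"], session["start"]),
            "after": trace_chain(recent, baseline, session["dst"], session["end"])}

if __name__ == "__main__":
    result = investigate()
    print("new peers before the session:", result["before"])
    print("chain after the session:", result["after"])
```

The baseline check is what separates a chain from noise: the target's usual LDAP traffic to the domain controller is dropped, while the first-ever SMB connection to another server and that server's first-ever RDP session onward are kept as hops.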
LLMNR Poisoning
Link-Local Multicast Name Resolution (LLMNR) is a fallback name-resolution protocol. When a Windows device cannot resolve a hostname through DNS, it sends a multicast request to the local network asking whether anyone knows the address. Any device on the network can respond.
That is the problem. A malicious device can answer that request with its own IP address; when the requesting device then tries to authenticate to it, the attacker collects the credential hash sent as part of the authentication handshake. The requesting device never knows it talked to the wrong machine.
What you see in Mendel
Mendel captures both sides of the exchange: the multicast request to UDP port 5355 and the unicast response sent back to the requester, also on UDP port 5355. A legitimate LLMNR response comes from the device that actually owns the hostname. A poisoning attempt shows up as a unicast response from an unexpected IP address that has no prior communication history with the requesting device.
Investigation checklist
✅ Who responded: Compare the IP address of the unicast responder against the expected hostname owner and verify whether prior communication history exists between them.
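The responder check above, as an added example (not from the article and not Mendel's detection logic): each unicast response on UDP 5355 is paired with the multicast query it answers, then the responder is compared against the inventory owner of the requested name and against the prior communication history between responder and requester. The packet record layout, the name inventory, the history set and the packets are all constructed and hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

LLMNR_PORT = 5355
LLMNR_MCAST = "224.0.0.252"   # IPv4 LLMNR multicast group

# Constructed UDP record (hypothetical field names).
@dataclass
class Udp:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    kind: str         # "query" or "response"
    name: str         # hostname asked for / answered
    answer: str = ""  # IP carried in the response

def detect_poisoning(packets, name_owners, prior_pairs, match_window=timedelta(seconds=2)):
    """Pair each unicast LLMNR response with the multicast query it answers and judge the
    responder: does it own the name, and has it ever talked to the requester before?"""
    queries = [p for p in packets if p.kind == "query"
               and p.dst_ip == LLMNR_MCAST and p.dst_port == LLMNR_PORT]
    findings = []
    for r in packets:
        if r.kind != "response" or r.dst_port != LLMNR_PORT or r.dst_ip == LLMNR_MCAST:
            continue
        query = next((q for q in queries if q.src_ip == r.dst_ip
                      and q.name.upper() == r.name.upper()
                      and timedelta(0) <= r.ts - q.ts <= match_window), None)
        strong, weak = [], []
        if query is None:
            strong.append("unsolicited response (no matching query)")
        owner = name_owners.get(r.name.upper())
        if owner is None:
            strong.append(f"no inventory owner for {r.name}")
        elif owner != r.src_ip:
            strong.append(f"responder {r.src_ip} is not the owner {owner}")
        if (r.src_ip, r.dst_ip) not in prior_pairs and (r.dst_ip, r.src_ip) not in prior_pairs:
            weak.append("no prior communication between responder and requester")
        verdict = "poisoning suspected" if strong else ("review" if weak else "legitimate")
        findings.append({"ts": r.ts, "requester": r.dst_ip, "responder": r.src_ip,
                         "name": r.name, "verdict": verdict, "reasons": strong + weak})
    return findings

# Constructed inventory and history.
NAME_OWNERS = {"FILESRV": "10.0.1.10"}
PRIOR_PAIRS = {("10.0.3.15", "10.0.1.10")}

# Constructed packets: a genuine lookup answered by the owner, then a mistyped name
# answered by a host nobody asked and that has never talked to the requester.
SAMPLE_PACKETS = [
    Udp(datetime(2024, 3, 6, 10, 0, 0, 0), "10.0.3.15", LLMNR_MCAST, LLMNR_PORT, "query", "FILESRV"),
    Udp(datetime(2024, 3, 6, 10, 0, 0, 50000), "10.0.1.10", "10.0.3.15", LLMNR_PORT, "response",
        "FILESRV", "10.0.1.10"),
    Udp(datetime(2024, 3, 6, 10, 2, 0, 0), "10.0.3.15", LLMNR_MCAST, LLMNR_PORT, "query", "FLESRV"),
    Udp(datetime(2024, 3, 6, 10, 2, 0, 200000), "10.0.2.77", "10.0.3.15", LLMNR_PORT, "response",
        "FLESRV", "10.0.2.77"),
]

def run_detection():
    return detect_poisoning(SAMPLE_PACKETS, NAME_OWNERS, PRIOR_PAIRS)

if __name__ == "__main__":
    for f in run_detection():
        print(f["ts"], f["name"], f["responder"], "->", f["requester"], f["verdict"], f["reasons"])
```

A missing inventory owner is treated as a strong signal on purpose: a name that nobody in the environment owns should get no answer at all, so any answer is the anomaly.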
Detection Methods Working Together
Lateral movement rarely triggers just one alert. The challenge is understanding whether multiple alerts point to the same event.
GREYCORTEX Mendel runs multiple detection methods in parallel. Each method covers a blind spot the others have. Network behavior analysis establishes a baseline for every device, subnet, and the network as a whole, and flags deviations: a device connecting to peers it has never talked to, a sudden spike in data transfer, an unusual session duration. Intrusion detection matches traffic against known attack signatures, catching specific techniques regardless of whether the behavior looks anomalous. Log processing extends visibility to device and application logs, surfacing activity that never appears in network flows at all.
In a lateral movement investigation, running different detection methods simultaneously is what gives a security analyst the full picture. Each method adds a different perspective on the same event, and Mendel lets you move from a high-level alert down to the deepest metadata details without switching tools. Search, filter, and visualize any network data from a single interface. When Mendel surfaces an RDP session and network behavior analysis simultaneously flags that the same device is connecting to internal peers it has never reached before, you are looking at a chain.
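One way to decide whether several alerts point to the same event, as an added example that is not the article's or Mendel's correlation engine: alerts from the different detection methods (intrusion detection, network behavior analysis, log processing, and a surfaced RDP session) are linked whenever two of them share a host and fall within a time window of each other, and every resulting cluster is reported with the methods that contributed. A cluster backed by two or more methods is the "chain" the section describes. The alert shape and all sample alerts are constructed and hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed alert record (hypothetical field names).
@dataclass
class Alert:
    ts: datetime
    method: str      # "ids", "nba", "log" or "session"
    hosts: tuple     # IPs involved: (src, dst) for network alerts, (host,) for log alerts
    detail: str

# Constructed alerts: five that describe one intrusion on two hosts, one unrelated hit.
SAMPLE_ALERTS = [
    Alert(datetime(2024, 3, 6, 2, 13), "ids", ("10.0.2.77", "10.0.1.40"),
          "PSEXESVC service creation over SMB"),
    Alert(datetime(2024, 3, 6, 2, 20), "session", ("10.0.2.77", "10.0.1.30"), "RDP session, 15 min"),
    Alert(datetime(2024, 3, 6, 2, 20), "nba", ("10.0.2.77", "10.0.1.30"),
          "new peer: source never reached this host before"),
    Alert(datetime(2024, 3, 6, 2, 40), "nba", ("10.0.1.30", "10.0.1.50"), "new peer after RDP session"),
    Alert(datetime(2024, 3, 6, 2, 41), "log", ("10.0.1.30",), "Windows event: new service installed"),
    Alert(datetime(2024, 3, 6, 9, 5), "ids", ("10.0.5.5", "10.0.1.10"), "signature hit, unrelated host"),
]

def correlate(alerts, window=timedelta(hours=1)):
    """Union-find over alerts: link any two that share a host and lie within `window`
    of each other, then summarise each cluster and its contributing methods."""
    alerts = sorted(alerts, key=lambda a: a.ts)
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            if alerts[j].ts - alerts[i].ts > window:
                break                      # sorted by time, so later j are further away
            if set(alerts[i].hosts) & set(alerts[j].hosts):
                parent[find(j)] = find(i)

    clusters = {}
    for i, a in enumerate(alerts):
        clusters.setdefault(find(i), []).append(a)

    report = []
    for members in clusters.values():
        methods = sorted({a.method for a in members})
        report.append({"start": members[0].ts, "end": members[-1].ts,
                       "hosts": sorted({h for a in members for h in a.hosts}),
                       "methods": methods,
                       "chain": len(methods) >= 2,
                       "steps": [f"{a.ts:%H:%M} {a.method}: {a.detail}" for a in members]})
    return sorted(report, key=lambda r: r["start"])

if __name__ == "__main__":
    for cluster in correlate(SAMPLE_ALERTS):
        print("chain" if cluster["chain"] else "single", cluster["hosts"], cluster["methods"])
        for step in cluster["steps"]:
            print("   ", step)
```

Linking through a shared host is what turns the PSExec signature hit, the RDP session, the new-peer anomalies and the service-installed log event into one ordered story, while the unrelated daytime signature hit stays on its own.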
From Alert to Evidence
Lateral movement is not a single event you catch or miss. It is a sequence that unfolds across protocols, devices, and time. The protocols covered in this article (SMB, PSExec, RDP, and LLMNR) are not exotic attack tools. They are part of every environment, which is precisely why investigating them requires more than a single alert. It requires network visibility deep enough to show you what happened before the alert fired and what the compromised host did next.
That evidence does not disappear after the incident is resolved. Long-term metadata retention means that what you capture today is available for retrospective analysis months later, whether for a follow-up investigation, a compliance audit, or a post-incident review.
Lateral movement leaves traces. The question is whether you have the visibility to read them.
The full investigation workflow is in the webinar. Watch the recording to see every detection pattern demonstrated live in GREYCORTEX Mendel.