Domain 2: Respond to Security Incidents — Module 7 of 10

Complex Attacks & Lateral Movement

Real-world attacks do not stop at one system. Learn how to investigate multi-stage, multi-domain attacks with lateral movement — the hardest incidents a SOC faces.

What makes an attack “complex”?

Simple explanation

A simple attack is a burglar breaking a window and grabbing a TV. A complex attack is a burglar who picks the front lock, steals a key card from the reception desk, uses it to access the server room, copies the backup tapes, plants a backdoor for next time, and leaves through a different exit.

Complex attacks have multiple stages, cross multiple systems and domains, and involve lateral movement — the attacker moving from one compromised machine to another until they reach their target.

Investigating these attacks requires tracing the full chain: How did they get in? Where did they go? What did they take? Are they still here?

The attack chain

Most complex attacks follow a predictable pattern:

| Stage | What Happens | Where to Look |
|---|---|---|
| 1. Initial access | Phishing email, exploited vulnerability, stolen credentials | Defender for Office 365, Entra ID sign-in logs |
| 2. Execution | Malware runs, script executes, tool downloads | Defender for Endpoint (DeviceProcessEvents) |
| 3. Persistence | Scheduled task, registry key, new service created | Defender for Endpoint (DeviceRegistryEvents) |
| 4. Privilege escalation | Local admin exploit, token theft, Kerberoasting | Defender for Identity, Defender for Endpoint |
| 5. Lateral movement | PsExec, RDP, WMI, pass-the-hash | Defender for Identity, DeviceLogonEvents |
| 6. Collection | Files accessed, databases queried, emails read | Purview Activity Explorer, Defender for Cloud |
| 7. Exfiltration | Data uploaded, DNS tunnelling, email forwarding | Defender for Cloud Apps, network logs |
| 8. Impact | Ransomware deployed, data destroyed, systems disrupted | Defender for Endpoint, Sentinel alerts |

Investigation approach

Step 1: Establish the timeline

Start with the first alert and work forward. When did the attack begin? What was the initial access vector?

Use the unified incident timeline in Defender XDR to see all alerts chronologically across all products.

Step 2: Map the blast radius

Identify every compromised entity:

  • Users — which accounts were compromised or used by the attacker?
  • Devices — which endpoints were touched?
  • Applications — which apps or services were accessed?
  • Data — what sensitive data was accessed or exfiltrated?

The Sentinel investigation graph is the fastest tool for this — it visually maps entity relationships.

Step 3: Trace lateral movement

Lateral movement is the hardest to trace. Look for:

| Indicator | Where to Find It |
|---|---|
| RDP connections between internal hosts | DeviceLogonEvents (LogonType = RemoteInteractive) |
| PsExec usage | DeviceProcessEvents (FileName = “psexec.exe” or “psexesvc.exe”) |
| WMI remote execution | DeviceProcessEvents (InitiatingProcessFileName = “wmiprvse.exe”) |
| Pass-the-hash | Defender for Identity alerts (NTLM authentication anomalies) |
| Service creation on remote hosts | DeviceRegistryEvents, DeviceEvents |
| Unusual admin logons | Entra ID sign-in logs, DeviceLogonEvents |
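One Advanced Hunting query, added here as an example and not part of the course material, that turns the first three indicators in the table into a per-account blast-radius view: it unions RDP logons, PsExec processes and WMI-spawned processes, then counts how many distinct hosts each account reached. It assumes the standard Defender XDR column names on DeviceLogonEvents and DeviceProcessEvents; the 14-day window and the 3-host threshold are tuning assumptions.

```kql
// Added example, not part of the course: collect the three lateral-movement
// indicators from the table above and group them per account.
// Assumed: standard DeviceLogonEvents / DeviceProcessEvents column names;
// the 14-day window and the 3-host threshold are tuning assumptions.
let lookback = 14d;
// RDP between internal hosts: successful RemoteInteractive logons
let rdp = DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where LogonType == "RemoteInteractive" and ActionType == "LogonSuccess"
    | project Timestamp, AccountName, DeviceName, Indicator = "RDP",
              Detail = iff(isempty(RemoteDeviceName), RemoteIP, RemoteDeviceName);
// PsExec: the client on the source host, or the service it drops on the target
let psexec = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("psexec.exe", "psexesvc.exe")
    | project Timestamp, AccountName, DeviceName, Indicator = "PsExec",
              Detail = ProcessCommandLine;
// WMI remote execution: processes spawned by the WMI provider host
let wmi = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "wmiprvse.exe"
    | project Timestamp, AccountName, DeviceName, Indicator = "WMI",
              Detail = strcat(FileName, " ", ProcessCommandLine);
union rdp, psexec, wmi
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Hosts = make_set(DeviceName), Indicators = make_set(Indicator),
            Events = count() by AccountName
| extend HostCount = array_length(Hosts)
// one account reaching 3+ hosts via these indicators is the blast-radius signal
| where HostCount >= 3
| order by HostCount desc, FirstSeen asc
```

To get the hop-by-hop timeline for a single account (Step 1), re-run the union with `| where AccountName =~ "<account>" | sort by Timestamp asc` instead of the summarize; wmiprvse.exe also spawns legitimate processes, so expect to triage the WMI rows against the device's normal baseline.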

Step 4: Contain simultaneously

Do not contain one device at a time. In a multi-stage attack, containing the first device alerts the attacker to move faster on the others.

Best practice: Identify all compromised devices, then contain them simultaneously — isolate all devices and disable all compromised accounts at the same time.

Scenario: Elena traces a ransomware attack chain

Elena at Atlas Bank is called in for a ransomware incident. Three servers are already encrypted.

Timeline reconstruction:

  • Day 0 (2 weeks ago): Phishing email to a finance analyst. Defender for Office 365 shows the email had a malicious macro attachment.
  • Day 1: The analyst opened the attachment. MDE shows winword.exe spawning powershell.exe (ASR rule was in Audit mode, not Block).
  • Days 2-10: The attacker established persistence (scheduled task), escalated privileges (Kerberoasting a service account), and moved laterally via PsExec to 5 servers.
  • Day 11: The attacker accessed the file server and exfiltrated 50 GB of data to a cloud storage service (MDCA detected the upload but the alert was missed).
  • Day 14: Ransomware deployed across 3 servers simultaneously.

Elena’s response:

  1. Isolate all 5 compromised servers + the analyst’s workstation simultaneously
  2. Disable the compromised service account and the analyst’s account
  3. Reset the service account password (25+ character random)
  4. Engage the backup team to begin restore from last known good backup
  5. Switch the “Block Office from creating child processes” ASR rule from Audit to Block
  6. Create indicators for all IOCs found (C2 IPs, file hashes, domains)

Key learning: The ASR rule in Audit mode and the missed MDCA alert were the two preventable gaps.

Multi-domain investigation tools

| Tool | Best For |
|---|---|
| Unified incident timeline | Chronological view of all alerts across all products |
| Investigation graph | Visual entity relationship mapping |
| Advanced Hunting | Cross-table KQL queries to find specific evidence |
| Entity pages | Deep-dive into individual users, devices, or IPs |
| Copilot for Security | AI-assisted summarisation and guided investigation |
| Threat analytics | Check if the attack matches a known campaign |

Question

What are the four key questions to answer during a complex attack investigation?

Answer

  1. How did they get in? (initial access vector)
  2. Where did they go? (lateral movement and blast radius)
  3. What did they take? (data access and exfiltration)
  4. Are they still here? (persistence mechanisms and active sessions)

Question

Why should you contain all compromised devices simultaneously during a multi-stage attack?

Answer

Containing devices one at a time alerts the attacker, who may accelerate their attack on the remaining compromised systems. Simultaneous containment (isolating all devices and disabling all accounts at once) prevents the attacker from pivoting to unconstrained systems.

Question

What are three common indicators of lateral movement?

Answer

  1. PsExec usage (psexec.exe or psexesvc.exe processes on remote hosts).
  2. RDP connections between internal hosts (RemoteInteractive logon type).
  3. Pass-the-hash (NTLM authentication anomalies detected by Defender for Identity).
Also: WMI remote execution and unusual service creation on remote machines.

Knowledge Check

During a ransomware investigation, Elena discovers that the attacker moved from a workstation to 5 servers over 10 days using PsExec. Three servers are already encrypted. What should she do with the 2 unencrypted servers?

Knowledge Check

James is investigating a phishing-to-ransomware attack chain. He needs to identify the exact sequence of events across email, endpoint, identity, and cloud signals. Which tool provides the best chronological cross-domain view?

Knowledge Check

Elena investigates a multi-stage attack at Atlas Bank. She discovers: (1) phishing email 2 weeks ago, (2) credential theft via Kerberoasting, (3) lateral movement to 5 servers, (4) data exfiltration of 50 GB, (5) ransomware deployed on 3 servers. The ASR rule 'Block Office from creating child processes' was in Audit mode. The MDCA upload alert was missed by Tier 1. What TWO things should Elena recommend as post-incident improvements?

Next up: Complex attacks often end at the endpoint. Let’s deep-dive into device investigation — timelines, live response, and collecting forensic evidence.