Investigating Lateral Movement in Microsoft Defender XDR.
One compromised account.
Three devices.
Fifteen minutes.
The attacker wasn't staying in one place.
Agent Foskett followed the trail.
Lesson overview
Learn how to investigate lateral movement by correlating Microsoft Defender XDR device logon, identity logon, network and process telemetry into one clear investigation timeline.
Why lateral movement matters
The lateral movement investigation workflow
Step 1 — Find accounts accessing multiple devices
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
DeviceLogonEvents
| where Timestamp > ago(24h)
| where ActionType == "LogonSuccess"
| summarize DevicesAccessed = dcount(DeviceName),
DeviceList = make_set(DeviceName),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by AccountName, AccountDomain, AccountUpn
| where DevicesAccessed >= 3
| order by DevicesAccessed desc
Step 2 — Review logon details for the suspicious account
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let SuspiciousAccount = "user@contoso.com";
DeviceLogonEvents
| where Timestamp > ago(24h)
| where AccountUpn =~ SuspiciousAccount
| project Timestamp,
DeviceName,
AccountUpn,
ActionType,
LogonType,
RemoteIP,
RemoteDeviceName,
InitiatingProcessFileName
| order by Timestamp asc
Step 3 — Compare identity logon evidence
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let SuspiciousAccount = "user@contoso.com";
IdentityLogonEvents
| where Timestamp > ago(24h)
| where AccountUpn =~ SuspiciousAccount
| project Timestamp,
AccountUpn,
ActionType,
LogonType,
Application,
DeviceName,
IPAddress,
FailureReason
| order by Timestamp asc
Step 4 — Look for remote administration protocols
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (3389, 445, 5985, 5986)
| project Timestamp,
DeviceName,
InitiatingProcessAccountUpn,
InitiatingProcessFileName,
RemoteIP,
RemotePort,
RemoteUrl,
ActionType
| order by Timestamp asc
Step 5 — Hunt for remote execution activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "psexec.exe", "schtasks.exe")
or ProcessCommandLine has_any ("Invoke-Command", "Enter-PSSession", "\\", "ADMIN$", "-EncodedCommand")
| project Timestamp,
DeviceName,
AccountUpn,
FileName,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by Timestamp asc
Step 6 — Build the lateral movement timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
let InvestigationAccount = "user@contoso.com"; let Logons = DeviceLogonEvents | where Timestamp > ago(24h) | where AccountUpn =~ InvestigationAccount | project Timestamp, EventType = "Device logon", DeviceName, AccountUpn, Evidence = strcat(ActionType, " / ", LogonType), Detail = tostring(RemoteIP); let Network = DeviceNetworkEvents | where Timestamp > ago(24h) | where InitiatingProcessAccountUpn =~ InvestigationAccount | where RemotePort in (3389, 445, 5985, 5986) | project Timestamp, EventType = "Network connection", DeviceName, AccountUpn = InitiatingProcessAccountUpn, Evidence = tostring(RemotePort), Detail = tostring(RemoteIP); let Processes = DeviceProcessEvents | where Timestamp > ago(24h) | where AccountUpn =~ InvestigationAccount | project Timestamp, EventType = "Process execution", DeviceName, AccountUpn, Evidence = FileName, Detail = ProcessCommandLine; union Logons, Network, Processes | order by Timestamp asc
How to read the lateral movement timeline
Real-world investigation
Investigation checklist
Related Agent Foskett Academy lessons
Coming next
Final thought
Investigating Lateral Movement in Microsoft Defender XDR
Agent Foskett Academy Lesson 81 teaches defenders how to investigate lateral movement in Microsoft Defender XDR.
Defender XDR lateral movement investigation workflow
This lesson explains how DeviceLogonEvents, IdentityLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, AccountUpn, LogonType, RemoteIP, RemotePort, RDP, SMB, WinRM and PowerShell activity help defenders reconstruct lateral movement across devices.
