Complex Attacks & Lateral Movement
Real-world attacks do not stop at one system. Learn how to investigate multi-stage, multi-domain attacks with lateral movement — the hardest incidents a SOC faces.
What makes an attack “complex”?
A simple attack is a burglar breaking a window and grabbing a TV. A complex attack is a burglar who picks the front lock, steals a key card from the reception desk, uses it to access the server room, copies the backup tapes, plants a backdoor for next time, and leaves through a different exit.
Complex attacks have multiple stages, cross multiple systems and domains, and involve lateral movement — the attacker moving from one compromised machine to another until they reach their target.
Investigating these attacks requires tracing the full chain: How did they get in? Where did they go? What did they take? Are they still here?
The attack chain
Most complex attacks follow a predictable pattern:
| Stage | What Happens | Where to Look |
|---|---|---|
| 1. Initial access | Phishing email, exploited vulnerability, stolen credentials | Defender for Office 365, Entra ID sign-in logs |
| 2. Execution | Malware runs, script executes, tool downloads | Defender for Endpoint (DeviceProcessEvents) |
| 3. Persistence | Scheduled task, registry key, new service created | Defender for Endpoint (DeviceRegistryEvents) |
| 4. Privilege escalation | Local admin exploit, token theft, Kerberoasting | Defender for Identity, Defender for Endpoint |
| 5. Lateral movement | PsExec, RDP, WMI, pass-the-hash | Defender for Identity, DeviceLogonEvents |
| 6. Collection | Files accessed, databases queried, emails read | Purview Activity Explorer, Defender for Cloud |
| 7. Exfiltration | Data uploaded, DNS tunnelling, email forwarding | Defender for Cloud Apps, network logs |
| 8. Impact | Ransomware deployed, data destroyed, systems disrupted | Defender for Endpoint, Sentinel alerts |
Investigation approach
Step 1: Establish the timeline
Start with the first alert and work forward. When did the attack begin? What was the initial access vector?
Use the unified incident timeline in Defender XDR to see all alerts chronologically across all products.
Step 2: Map the blast radius
Identify every compromised entity:
- Users — which accounts were compromised or used by the attacker?
- Devices — which endpoints were touched?
- Applications — which apps or services were accessed?
- Data — what sensitive data was accessed or exfiltrated?
The Sentinel investigation graph is the fastest tool for this — it visually maps entity relationships.
Step 3: Trace lateral movement
Lateral movement is the hardest to trace. Look for:
| Indicator | Where to Find It |
|---|---|
| RDP connections between internal hosts | DeviceLogonEvents (LogonType = RemoteInteractive) |
| PsExec usage | DeviceProcessEvents (FileName = “psexec.exe” or “psexesvc.exe”) |
| WMI remote execution | DeviceProcessEvents (InitiatingProcessFileName = “wmiprvse.exe”) |
| Pass-the-hash | Defender for Identity alerts (NTLM authentication anomalies) |
| Service creation on remote hosts | DeviceRegistryEvents, DeviceEvents |
| Unusual admin logons | Entra ID sign-in logs, DeviceLogonEvents |
Step 4: Contain simultaneously
Do not contain one device at a time. In a multi-stage attack, containing the first device alerts the attacker to move faster on the others.
Best practice: Identify all compromised devices, then contain them simultaneously — isolate all devices and disable all compromised accounts at the same time.
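A cross-table Advanced Hunting query that follows the Step 3 indicators, added here as an example and not a query from the course: it pairs successful remote logons by one account with a PsExec client or service binary starting on the same host shortly afterwards, so each hop comes out as one row and the rows in time order rebuild the lateral-movement path. The account name, the 14-day lookback and the five-minute pairing window are assumed placeholders.

```kql
// Added example. Assumed inputs: the compromised account and the lookback window.
let CompromisedAccount = "svc-backup";   // placeholder, not an account from the scenario
let Lookback = ago(14d);
let PairingWindow = 5m;                   // assumed: PsExec must start within 5 minutes of the logon
// Successful remote logons by that account onto internal hosts (Step 3: RDP / network logons)
let RemoteLogons =
    DeviceLogonEvents
    | where Timestamp > Lookback
    | where ActionType == "LogonSuccess"
    | where AccountName =~ CompromisedAccount
    | where LogonType in ("RemoteInteractive", "Network")
    | project LogonTime = Timestamp, DeviceName, AccountName, LogonType, RemoteIP, RemoteDeviceName;
// PsExec client or service binary starting on any host (Step 3: PsExec usage)
let PsExecStarts =
    DeviceProcessEvents
    | where Timestamp > Lookback
    | where FileName in~ ("psexec.exe", "psexesvc.exe")
    | project ExecTime = Timestamp, DeviceName, FileName, ProcessCommandLine;
// A hop = a remote logon followed by PsExec activity on the same host inside the pairing window
RemoteLogons
| join kind=inner PsExecStarts on DeviceName
| where ExecTime between (LogonTime .. (LogonTime + PairingWindow))
| summarize FirstHop = min(LogonTime), LastHop = max(LogonTime), Hops = count(),
            SourceIPs = make_set(RemoteIP), SourceHosts = make_set(RemoteDeviceName),
            Commands = make_set(ProcessCommandLine, 5)
    by DeviceName, AccountName
| order by FirstHop asc   // read top to bottom to recover the order in which hosts were reached
```

The DeviceName column of each row is a host to add to the blast-radius list from Step 2, and SourceHosts shows where the attacker came from, which is how the chain back to the first workstation is recovered.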
Scenario: Elena traces a ransomware attack chain
Elena at Atlas Bank is called in for a ransomware incident. Three servers are already encrypted.
Timeline reconstruction:
- Day 0 (2 weeks ago): Phishing email to a finance analyst. Defender for Office 365 shows the email had a malicious macro attachment.
- Day 1: The analyst opened the attachment. MDE shows winword.exe spawning powershell.exe (the ASR rule was in Audit mode, not Block).
- Days 2-10: The attacker established persistence (scheduled task), escalated privileges (Kerberoasting a service account), and moved laterally via PsExec to 5 servers.
- Day 11: The attacker accessed the file server and exfiltrated 50 GB of data to a cloud storage service (MDCA detected the upload but the alert was missed).
- Day 14: Ransomware deployed across 3 servers simultaneously.
Elena’s response:
- Isolate all 5 compromised servers + the analyst’s workstation simultaneously
- Disable the compromised service account and the analyst’s account
- Reset the service account password (25+ character random)
- Engage the backup team to begin restore from last known good backup
- Switch the “Block Office from creating child processes” ASR rule from Audit to Block
- Create indicators for all IOCs found (C2 IPs, file hashes, domains)
Key learning: The ASR rule in Audit mode and the missed MDCA alert were the two preventable gaps.
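To surface the first preventable gap in the scenario before it matters, an added Advanced Hunting query that is not from the course: it lists Office child-process launches that ASR only audited, so a rule that would have blocked the winword.exe to powershell.exe chain is visible while it is still in Audit mode. The 30-day lookback and the set of Office parent processes are assumptions.

```kql
// Added example. Assumed: 30-day lookback; the Office parents listed below.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "AsrOfficeChildProcessAudited"          // rule fired but only logged (Audit mode)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| extend Child = FileName                                      // the process Office tried to spawn
| summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Children = make_set(Child, 10), Devices = make_set(DeviceName, 10),
            Users = make_set(InitiatingProcessAccountName, 10)
    by InitiatingProcessFileName
| order by Hits desc
// Every row is a launch that Block mode would have stopped; winword.exe with
// powershell.exe in Children is the exact pattern from Day 1 of the scenario.
```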
Multi-domain investigation tools
| Tool | Best For |
|---|---|
| Unified incident timeline | Chronological view of all alerts across all products |
| Investigation graph | Visual entity relationship mapping |
| Advanced Hunting | Cross-table KQL queries to find specific evidence |
| Entity pages | Deep-dive into individual users, devices, or IPs |
| Copilot for Security | AI-assisted summarisation and guided investigation |
| Threat analytics | Check if the attack matches a known campaign |
During a ransomware investigation, Elena discovers that the attacker moved from a workstation to 5 servers over 10 days using PsExec. Three servers are already encrypted. What should she do with the 2 unencrypted servers?
James is investigating a phishing-to-ransomware attack chain. He needs to identify the exact sequence of events across email, endpoint, identity, and cloud signals. Which tool provides the best chronological cross-domain view?
Elena investigates a multi-stage attack at Atlas Bank. She discovers: (1) phishing email 2 weeks ago, (2) credential theft via Kerberoasting, (3) lateral movement to 5 servers, (4) data exfiltration of 50 GB, (5) ransomware deployed on 3 servers. The ASR rule 'Block Office from creating child processes' was in Audit mode. The MDCA upload alert was missed by Tier 1. What TWO things should Elena recommend as post-incident improvements?
Next up: Complex attacks often end at the endpoint. Let’s deep-dive into device investigation — timelines, live response, and collecting forensic evidence.