{
	"id": "f4b2f7fa-22eb-4a43-b0eb-d73b05c03b71",
	"created_at": "2026-04-06T02:11:30.301067Z",
	"updated_at": "2026-04-10T03:19:57.632019Z",
	"deleted_at": null,
	"sha1_hash": "20f4f13ce2ab05f8a64ef2098418b3c2b93a045e",
	"title": "Detecting Lateral Movement Using Sysmon and Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2998429,
	"plain_text": "Detecting Lateral Movement Using Sysmon and Splunk\r\nBy David French\r\nPublished: 2020-09-28 · Archived: 2026-04-06 01:57:34 UTC\r\n4 min read\r\nSep 30, 2018\r\nDetecting an attacker moving laterally in your environment can be a challenge. It can be difficult to obtain the logs required to identify this activity and to differentiate between what is normal and what is malicious.\r\nThis post highlights a few things that you can look for to detect an attacker moving between hosts. With Sysmon installed on Windows hosts and the events being sent to a SIEM, you can detect attempts to move laterally, and questions during incident response can be answered in minutes instead of hours.\r\nNote: if you decide to implement any of the monitoring and detection detailed in this post in a production environment, it’s likely that some tuning will be required to filter benign or expected behavior.\r\nInstall and Configure Sysmon on a Windows Host\r\nDownload Sysmon and install it on the Windows host as follows (the -i switch installs the service and driver; the -n switch enables logging of network connections, which the Event ID 3 searches below depend on).\r\nsysmon -i -n\r\nYou can view Sysmon events locally by opening Event Viewer and navigating to Microsoft — Windows — Sysmon — Operational. You can see that Sysmon logged the creation of a new process, powershell.exe, in the image below.\r\nAdd the following text to the inputs.conf file.\r\n[WinEventLog://Microsoft-Windows-Sysmon/Operational]\r\ndisabled = false\r\nrenderXml = true\r\nSysmon events from the host can be found in Splunk under sourcetype=\"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\".\r\nInstall the Splunk “Add-on for Microsoft Sysmon”\r\nDownload the add-on from https://splunkbase.splunk.com/app/1914/#/overview\r\nUnzip the contents of the compressed file to C:\\Program Files\\Splunk\\etc\\apps on the Splunk server.\r\nRestart Splunk Light.\r\nEvents in sourcetype=\"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\" should now be parsed into the appropriate fields.\r\nSysmon Event Codes\r\nIn the examples below, we are interested in the following Sysmon event IDs:\r\nEvent ID 1: Process creation\r\nEvent ID 3: Network connection\r\nRefer to the official Sysmon page for further details on the various event codes: https://technet.microsoft.com/en-us/sysinternals/sysmon\r\nDetecting an Attacker Establishing SMB Sessions to Move Laterally\r\nThe attacker uses the following command, or something similar, to establish a session to the victim.\r\nnet use \\\\192.168.1.88\r\nWindows Admin Shares is MITRE ATT\u0026CK Technique T1077.\r\nSearch Sysmon events in Splunk to identify the suspicious SMB (port 445) session established between the two Windows hosts. See the search string below.\r\nsourcetype=\"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\" 192.168.1.90 445\r\n| table _time, EventCode, EventDescription, host, SourceIp, src_port, User, DestinationIp, Destinatio\r\nExecute netstat -nao | find \"ESTABLISHED\" on the victim computer to view the established SMB session to the attacker.\r\nIs it normal for an SMB session to be established between these two hosts? Analyze events in your environment, understand what is normal in terms of process creation/termination and network connections established between hosts, and have your analysts investigate and identify abnormal activity.\r\nDetecting an Attacker Using PowerShell to Move Laterally\r\nWindows Remote Management (WinRM) traffic initiated via PowerShell is transmitted over ports 5985 (HTTP) and 5986 (HTTPS).\r\nWindows Remote Management is MITRE ATT\u0026CK Technique T1028.\r\nIn this example, the attacker executes the commands below to remotely execute scripts on the victim or establish a connection to the victim.\r\nIn Splunk, we can see the following Sysmon events to identify the suspicious activity.\r\nWe can see WinRM traffic from the attacker to the victim over port 5985.\r\nsourcetype=\"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\" 5985 OR 5986\r\n| table _time, EventCode, EventDescription, host, SourceIp, src_port, User, DestinationIp, Destinatio\r\nWe can see the WinRM Remote PowerShell process (wsmprovhost.exe) on the victim start the ping.exe and systeminfo.exe processes. We can also see the strings entered on the command line. Would this behavior be normal in your environment?\r\nsourcetype=\"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\" wsmprovhost.exe\r\n| table _time, EventCode, EventDescription, host, Image, ProcessID, ParentProcessId, CommandLine\r\nIt is possible that the above activity happens often in your environment, which can make it challenging to differentiate between expected and malicious activity. Attackers will use tools that are native to the OS in the hope that their activities go unnoticed. It is important to be familiar with what’s normal in your environment and to monitor for behavior that is out of the ordinary.\r\nSource: https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc"
	],
	"report_names": [
		"detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc"
	],
	"threat_actors": [],
	"ts_created_at": 1775441490,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20f4f13ce2ab05f8a64ef2098418b3c2b93a045e.pdf",
		"text": "https://archive.orkl.eu/20f4f13ce2ab05f8a64ef2098418b3c2b93a045e.txt",
		"img": "https://archive.orkl.eu/20f4f13ce2ab05f8a64ef2098418b3c2b93a045e.jpg"
	}
}