To detect lateral movement on Windows infrastructure I recommend collecting the following events:

The approach is based on Windows events (4648 and 4672 from member servers, 8004 from domain controllers, which is the NTLM audit event in the Microsoft-Windows-NTLM/Operational log) plus Kerberos network traffic (AS-REQ/AS-REP and TGS-REQ/TGS-REP).

Regarding both event 4648 (A logon was attempted using explicit credentials) and event 4672 (Special privileges assigned to new logon):
=> Collect the events and send them to a SIEM (Splunk, LogRhythm, …) or at least to a Windows Event Collector (WEC) via Windows Event Forwarding (WEF).
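The collection step above, as an added worked example for this post (not the author's code and not Microsoft's): a single XML query that serves as the WEF subscription filter for these three event IDs and, fed to Get-WinEvent -FilterXml, as a local check of what the subscription would forward. The 24-hour lookback, the suppressed built-in accounts and the output columns are this example's own choices; the 8004 field names (SChannelName, UserName, DomainName, WorkstationName, SChannelType) are assumed from the NTLM operational log and should be verified against an 8004 event on your own DC.

```powershell
# Added example for this post (not the author's or Microsoft's code): one event query that
# serves both as the WEF subscription filter and as a local check of what it would forward.
# Assumptions: 24 h window, the suppressed accounts below, and the 8004 field names
# (SChannelName, UserName, DomainName, WorkstationName, SChannelType), which you should
# confirm against a real 8004 event on your DC.

$LookbackMs = 24 * 60 * 60 * 1000   # timediff() in event XPath works in milliseconds

$Query = @"
<QueryList>
  <!-- Member servers: explicit-credential logons (4648) and admin-privilege logons (4672) -->
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4648 or EventID=4672) and TimeCreated[timediff(@SystemTime) &lt;= $LookbackMs]]]
    </Select>
    <!-- Built-in service accounts raise both IDs at every boot and service start; drop them -->
    <Suppress Path="Security">
      *[EventData[Data[@Name='SubjectUserName']='SYSTEM' or Data[@Name='SubjectUserName']='LOCAL SERVICE' or Data[@Name='SubjectUserName']='NETWORK SERVICE']]
    </Suppress>
  </Query>
  <!-- Domain controllers: NTLM audit (8004). Stays empty unless the policy
       "Network security: Restrict NTLM: Audit NTLM authentication in this domain" is enabled -->
  <Query Id="1" Path="Microsoft-Windows-NTLM/Operational">
    <Select Path="Microsoft-Windows-NTLM/Operational">
      *[System[EventID=8004 and TimeCreated[timediff(@SystemTime) &lt;= $LookbackMs]]]
    </Select>
  </Query>
</QueryList>
"@

function ConvertTo-EventDataMap {
    # Flatten the <EventData><Data Name="..."> pairs of one record into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# Read the local logs. On the collector the forwarded copies land in the ForwardedEvents
# channel instead, so change the Path attributes before reusing the query there.
$Events = Get-WinEvent -FilterXml $Query -ErrorAction SilentlyContinue

$Rows = foreach ($e in $Events) {
    $d = ConvertTo-EventDataMap $e
    switch ($e.Id) {
        4648 {
            # Which account used which explicit credentials, toward which host, from which process
            [pscustomobject]@{
                Time = $e.TimeCreated; Id = 4648; Source = $e.MachineName
                Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Target  = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Host    = $d.TargetServerName
                Detail  = "$($d.ProcessName) -> $($d.IpAddress)"
            }
        }
        4672 {
            # Privileges granted to the new logon session; its SubjectLogonId matches the
            # TargetLogonId of the 4624 that carries logon type and source address
            [pscustomobject]@{
                Time = $e.TimeCreated; Id = 4672; Source = $e.MachineName
                Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Target  = ''
                Host    = $e.MachineName
                Detail  = ($d.PrivilegeList -replace '\s+', ' ')
            }
        }
        8004 {
            # NTLM audit on a DC: the account, the workstation it came from, the server it targeted
            [pscustomobject]@{
                Time = $e.TimeCreated; Id = 8004; Source = $e.MachineName
                Subject = "$($d.DomainName)\$($d.UserName)"
                Target  = $d.SChannelName
                Host    = $d.WorkstationName
                Detail  = "secure channel type $($d.SChannelType)"
            }
        }
    }
}

# Chronological view, then the pivot that matters for lateral movement: who used explicit
# credentials to reach which remote host. 'localhost' targets are runas/scheduled-task noise.
$Rows | Sort-Object Time | Format-Table Time, Id, Source, Subject, Target, Host, Detail -AutoSize

$Rows |
    Where-Object { $_.Id -eq 4648 -and $_.Host -and $_.Host -ne 'localhost' } |
    Group-Object Subject, Host |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it from an elevated PowerShell on a member server (reading the Security log needs administrator rights); on a DC the second query only returns rows once the NTLM audit policy is on. To turn the same filter into a subscription, paste the QueryList into Event Viewer > Subscriptions > Create Subscription > Select Events > XML tab, or into the Query element of a wecutil subscription file; the collector then stores the results in ForwardedEvents, which is the channel the SIEM agent should read.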

Reference for WEF and event forwarding:

Deploying WinRM using Group Policy:

Microsoft's official documentation:

Detecting lateral movement using event logs:

Previous version:

A recent how-to from an intrusion detection perspective:

An easy-to-follow how-to from an intrusion detection perspective, the same as the previous one but with more appendices:

From an intrusion detection perspective: helps troubleshoot errors in a WEF deployment:


ANSSI AD control paths:

Lucas Bouillot and Emmanuel Gras, ANSSI, 2014. Presented at the French conference SSTIC 2014. Slides and paper can be found here: