# Detecting Lateral Movement with Zeek

Source: https://github.com/mukul975/anthropic-cybersecurity-skills/blob/HEAD/skills/detecting-lateral-movement-with-zeek/SKILL.md (repository `mukul975/anthropic-cybersecurity-skills`, author @skillopedia, dated 2026-06-05, license Apache-2.0, version v1). Tags: zeek, lateral-movement, smb, dce-rpc, ntlm-spray, network-forensics. NIST CSF references: PR.IR-01, DE.CM-01, ID.AM-03, PR.DS-02. Bundled attachments: `assets/template.md`, `references/api-reference.md`, `references/standards.md`, `references/workflows.md`, `scripts/agent.py`, `scripts/process.py`.

Summary: Detect lateral movement in network traffic using Zeek (formerly Bro) log analysis. Parses conn.log, smb_mapping.log, smb_files.log, dce_rpc.log, kerberos.log, and ntlm.log to identify SMB file transfers, NTLM account spray activity, remote service execution, and anomalous internal connections.

Analyze Zeek network logs to identify lateral movement techniques including SMB admin share access, DCE/RPC remote service creation, NTLM account spray, Kerberos ticket anomalies, and large internal data transfers indicative of staging or exfiltration between hosts.

## When to Use

- Hunting for lateral movement after an initial compromise indicator is found on one endpoint
- Investigating suspected NTLM account spray or Pass-the-Ticket attacks across the internal network
- Monitoring SMB traffic for unauthorized file transfers to admin shares (C$, ADMIN$, IPC$)
- Detecting remote service execution via DCE/RPC (PsExec, schtasks, WMI lateral patterns)
- Building alerting rules for internal network anomalies in a Zeek-based NSM deployment
- Performing post-incident timeline reconstruction using Zeek logs as a network-level evidence source

**Do not use** as a standalone detection mechanism. Zeek sees network traffic only; combine it with endpoint telemetry (Sysmon, EDR) for full visibility. Encrypted SMB3 traffic may limit Zeek's visibility into file-level details.

## Prerequisites

- Zeek 6.0+ deployed on a network tap or SPAN port monitoring internal VLAN traffic
- Zeek SMB analyzer enabled (loaded by default: `@load base/protocols/smb`)
- Zeek DCE/RPC analyzer enabled (`@load base/protocols/dce-rpc`)
- Zeek Kerberos analyzer enabled (`@load base/protocols/krb`)
- Python 3.8+ (standard library only)
- Access to the Zeek log directory (default: `/opt/zeek/logs/current/`)
- Familiarity with the Zeek TSV log format (fields separated by `\t`, header lines prefixed with `#`)

## Workflow

### Step 1: Verify Zeek Log Collection

Confirm that Zeek is producing the required log files for lateral movement detection:

```bash
# Check that all required analyzers are producing logs
ls -la /opt/zeek/logs/current/conn.log
ls -la /opt/zeek/logs/current/smb_mapping.log
ls -la /opt/zeek/logs/current/smb_files.log
ls -la /opt/zeek/logs/current/dce_rpc.log
ls -la /opt/zeek/logs/current/kerberos.log
ls -la /opt/zeek/logs/current/ntlm.log

# Quick field check on conn.log
zeek-cut id.orig_h id.resp_h id.resp_p proto service < /opt/zeek/logs/current/conn.log | head -20
```

### Step 2: Parse conn.log for Internal Lateral Patterns

Identify connections between internal hosts on ports associated with lateral movement:

```bash
# Extract SMB connections (port 445) between internal hosts
zeek-cut ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes \
    < /opt/zeek/logs/current/conn.log \
    | awk '$5 == 445 && $7 == "smb"'

# Extract DCE/RPC connections (port 135)
zeek-cut ts id.orig_h id.resp_h id.resp_p service \
    < /opt/zeek/logs/current/conn.log \
    | awk '$4 == 135'

# Extract WinRM connections (port 5985/5986)
zeek-cut ts id.orig_h id.resp_h id.resp_p service \
    < /opt/zeek/logs/current/conn.log \
    | awk '$4 == 5985 || $4 == 5986'
```

### Step 3: Analyze SMB Admin Share Access

Detect access to administrative shares (C$, ADMIN$, IPC$), the primary vector for tools like PsExec:

```bash
# Check smb_mapping.log for admin share access
zeek-cut ts id.orig_h id.resp_h path share_type \
    < /opt/zeek/logs/current/smb_mapping.log \
    | grep -iE '(C\$|ADMIN\$|IPC\$)'

# Check smb_files.log for file writes to admin shares
zeek-cut ts id.orig_h id.resp_h action path name size \
    < /opt/zeek/logs/current/smb_files.log \
    | grep -i 'SMB::FILE_WRITE'
```

Deploy the following Zeek script to generate `notice.log` alerts on admin share access. The original hooked only the SMB1 tree-connect event; modern Windows hosts negotiate SMB2/3, so the SMB2 tree-connect handler is included as well:

```zeek
@load base/protocols/smb
@load base/frameworks/notice

redef enum Notice::Type += {
    Admin_Share_Access
};

# Raise a notice for any share name ending in "$" (C$, ADMIN$, IPC$ and other hidden shares).
function check_admin_share(c: connection, path: string)
    {
    if ( /\$/ in path )
        NOTICE([$note=Admin_Share_Access,
                $msg=fmt("Admin share access: %s -> %s (%s)", c$id$orig_h, c$id$resp_h, path),
                $conn=c]);
    }

# SMB1 tree connect (legacy clients)
event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string)
    {
    check_admin_share(c, path);
    }

# SMB2/3 tree connect (current Windows clients)
event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string)
    {
    check_admin_share(c, path);
    }
```

### Step 4: Detect DCE/RPC Remote Service Operations

Monitor for remote service creation and scheduled task registration via DCE/RPC:

```bash
# Look for service control manager operations (PsExec pattern)
zeek-cut ts id.orig_h id.resp_h endpoint operation \
    < /opt/zeek/logs/current/dce_rpc.log \
    | grep -iE '(svcctl|atsvc|ITaskSchedulerService)'
```

### Step 5: Detect NTLM Account Spray

Analyze ntlm.log for authentication anomalies indicating credential reuse. Zeek's ntlm.log does not expose password hashes, so this detection identifies a single account authenticating to many hosts in a short window, the network signature of credential spraying tools like CrackMapExec:

```bash
# Extract NTLM authentications
zeek-cut ts id.orig_h id.resp_h username domainname server_nb_computer_name success \
    < /opt/zeek/logs/current/ntlm.log

# Failed NTLM authentications (brute force or credential testing)
zeek-cut ts id.orig_h id.resp_h username success \
    < /opt/zeek/logs/current/ntlm.log \
    | awk '$5 == "F"'

# Sort by timestamp for timeline analysis
zeek-cut ts id.orig_h id.resp_h username success \
    < /opt/zeek/logs/current/ntlm.log \
    | sort -k1,1
```

Deploy the following Zeek script to generate `notice.log` alerts when a single account touches more hosts than the threshold in a rolling window. The ntlm log stream raises `NTLM::log_ntlm` for each record (there is no `ntlm_log` event), and `NTLM::Info` carries a `conn_id`, which NOTICE takes through `$id` rather than `$conn`; both are corrected below:

```zeek
@load base/protocols/ntlm
@load base/frameworks/notice

redef enum Notice::Type += {
    NTLM_Account_Spray
};

# username -> set of hosts it authenticated to; each entry expires 5 minutes after creation
global ntlm_tracker: table[string] of set[addr] &create_expire=5min;
const spray_threshold = 3 &redef;

event NTLM::log_ntlm(rec: NTLM::Info)
    {
    if ( ! rec?$username || rec$username == "-" )
        return;
    if ( rec$username !in ntlm_tracker )
        ntlm_tracker[rec$username] = set();
    add ntlm_tracker[rec$username][rec$id$resp_h];
    if ( |ntlm_tracker[rec$username]| >= spray_threshold )
        NOTICE([$note=NTLM_Account_Spray,
                $msg=fmt("NTLM account spray: %s -> %d hosts", rec$username, |ntlm_tracker[rec$username]|),
                $sub=rec$username,
                $id=rec$id,
                # one notice per account per suppression interval instead of one per authentication
                $identifier=rec$username]);
    }
```

### Step 6: Run the Automated Analysis Agent

Use the provided agent.py for comprehensive lateral movement detection:

```bash
python3 agent.py /opt/zeek/logs/current/
python3 agent.py /opt/zeek/logs/2026-03-18/   # Analyze a specific date
```

## Verification

- Confirm conn.log captures internal SMB (port 445) and DCE/RPC (port 135) connections with correct field parsing
- Verify smb_mapping.log correctly logs admin share paths (C$, ADMIN$, IPC$)
- Test with a known PsExec execution in a lab: expect to see SMB FILE_WRITE of the service binary followed by DCE/RPC svcctl CreateService
- Validate NTLM log parsing by performing a test authentication and confirming username, domain, and success fields are captured; verify the NTLM Account Spray Zeek script generates a `notice.log` entry when the spray threshold is exceeded
- Cross-reference Zeek alerts with Sysmon Event ID 1 (Process Creation) on the target host to confirm end-to-end detection
- Verify the agent correctly handles both TSV and JSON Zeek log formats

---

## Bundled script: scripts/process.py

The bundle also ships `scripts/process.py`, a set of single-log detectors (one per `log_type`). The copy captured here was truncated at the top: the module header, `parse_zeek_log` and the opening of `detect_admin_shares` are re-supplied as a minimal reconstruction (marked in the comments), and the severity test for IPC$ is corrected (the original substring check `'C$' in share_upper` also matched `IPC$`, so every admin share was rated HIGH).

```python
#!/usr/bin/env python3
"""Zeek lateral movement detectors (scripts/process.py).

Usage:
    python3 process.py smb_mapping <smb_mapping.log> [--internal-nets 10.0.0.0/8,192.168.0.0/16]
    python3 process.py conn        <conn.log>        [--window <minutes>]
    python3 process.py ntlm        <ntlm.log>        [--window <seconds>] [--threshold <hosts>]
    python3 process.py dce_rpc     <dce_rpc.log>     --dc-ips <ip>,<ip>,...
"""
import ipaddress
import sys
from collections import defaultdict

ADMIN_SHARES = ['ADMIN$', 'C$', 'IPC$']


def parse_zeek_log(log_file):
    """Parse a Zeek TSV log into a list of dicts keyed by the '#fields' header.

    Header lines start with '#'; the '#fields' line names the columns. Zeek's
    unset marker '-' is kept so detectors can test for it.
    (Reconstructed: the original helper was cut from this copy of the script.)
    """
    entries, fields = [], []
    with open(log_file, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            if line.startswith("#"):
                if line.startswith("#fields"):
                    fields = line.split("\t")[1:]
                continue
            entries.append(dict(zip(fields, line.split("\t"))))
    return entries


def _in_nets(ip, nets):
    """True if ip falls in any of the given ip_network objects ('-' or garbage -> False)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def detect_admin_shares(log_file, internal_nets=None):
    """Flag smb_mapping.log entries whose share is C$, ADMIN$ or IPC$.

    When --internal-nets is given, only connections originating inside those
    networks are reported. (The head of this function was truncated in this
    copy; the internal_nets filtering is reconstructed.)
    """
    nets = [ipaddress.ip_network(n.strip()) for n in internal_nets.split(",")] if internal_nets else []
    entries = parse_zeek_log(log_file)
    for entry in entries:
        src = entry.get('id.orig_h', '')
        dst = entry.get('id.resp_h', '')
        share = entry.get('path', '')
        if nets and not _in_nets(src, nets):
            continue
        # Compare the share component itself: a substring test on the whole path
        # would treat IPC$ as a match for C$.
        share_upper = share.replace('/', '\\').rstrip('\\').split('\\')[-1].upper()
        if share_upper in ADMIN_SHARES:
            severity = "HIGH" if share_upper in ('ADMIN$', 'C$') else "MEDIUM"
            print(f"[{severity}] ADMIN SHARE: {entry.get('ts', '')} {src} -> {dst} ({share})")


def detect_rdp_pivots(log_file, window_minutes=10):
    """Detect RDP pivot chains from conn.log."""
    entries = parse_zeek_log(log_file)
    rdp_sessions = [(float(e.get('ts', 0)), e.get('id.orig_h', ''), e.get('id.resp_h', ''))
                    for e in entries if e.get('id.resp_p') == '3389']
    rdp_sessions.sort()

    # Find chains: A->B then B->C within window
    dst_arrivals = defaultdict(list)
    for ts, src, dst in rdp_sessions:
        dst_arrivals[dst].append((ts, src))

    for ts, src, dst in rdp_sessions:
        for arrival_ts, arrival_src in dst_arrivals.get(src, []):
            if 0 < (ts - arrival_ts) < window_minutes * 60:
                print(f"[HIGH] RDP PIVOT: {arrival_src} -> {src} -> {dst} (delta: {int(ts - arrival_ts)}s)")


def detect_ntlm_spray(log_file, window_seconds=300, threshold=3):
    """Detect NTLM account spray via time-windowed burst analysis."""
    entries = parse_zeek_log(log_file)
    user_events = defaultdict(list)

    for entry in entries:
        user = entry.get('username', '')
        dst = entry.get('id.resp_h', '')
        ts = float(entry.get('ts', 0))
        if user and user != '-':
            user_events[user].append((ts, dst))

    for user, events in user_events.items():
        events.sort()
        # Sliding window analysis
        for i, (ts_start, _) in enumerate(events):
            window_hosts = set()
            for j in range(i, len(events)):
                ts_j, dst_j = events[j]
                if ts_j - ts_start > window_seconds:
                    break
                window_hosts.add(dst_j)
            if len(window_hosts) >= threshold:
                print(f"[CRITICAL] NTLM ACCOUNT SPRAY: {user} authenticated to {len(window_hosts)} "
                      f"hosts within {window_seconds}s: {', '.join(sorted(window_hosts))}")
                break  # One alert per user


def detect_dcsync(log_file, dc_ips=None):
    """Detect DCSync attacks via DRS replication calls — requires DC IPs."""
    if not dc_ips:
        print("[WARN] DCSync detection skipped: --dc-ips not provided. "
              "Specify domain controller IPs to enable this detector.")
        return

    dc_set = set(dc_ips.split(","))
    entries = parse_zeek_log(log_file)
    for entry in entries:
        src = entry.get('id.orig_h', '')
        dst = entry.get('id.resp_h', '')
        operation = entry.get('operation', '')
        if dst in dc_set and src not in dc_set:
            if 'DrsReplicaAdd' in operation or 'DrsGetNCChanges' in operation:
                print(f"[CRITICAL] DCSYNC: {src} -> {dst} ({operation})")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(__doc__)
        sys.exit(1)

    log_type, log_file = sys.argv[1], sys.argv[2]

    # Parse optional args
    args = {sys.argv[i]: sys.argv[i + 1] for i in range(3, len(sys.argv) - 1, 2) if sys.argv[i].startswith('--')}

    if log_type == "smb_mapping":
        detect_admin_shares(log_file, args.get('--internal-nets'))
    elif log_type == "conn":
        detect_rdp_pivots(log_file, int(args.get('--window', 10)))
    elif log_type == "ntlm":
        detect_ntlm_spray(log_file, int(args.get('--window', 300)), int(args.get('--threshold', 3)))
    elif log_type == "dce_rpc":
        detect_dcsync(log_file, args.get('--dc-ips'))
    else:
        print(f"Unknown log type: {log_type}")
        sys.exit(1)
```
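The detectors above each read one log. The PsExec chain the Verification section describes (an SMB FILE_WRITE of a service binary to an admin share, then a DCE/RPC `svcctl` CreateService from the same source to the same host) only shows up when smb_files.log and dce_rpc.log are joined, and the large internal transfers named in the introduction only show up when conn.log byte counts are aggregated per host pair. The following is an added example, not code from the skill bundle, `agent.py` or `process.py`. It assumes Zeek's default field names (`id.orig_h`, `id.resp_h`, `id.resp_p`, `action`, `path`, `name`, `endpoint`, `operation`, `orig_bytes`), the `svcctl` endpoint and `CreateServiceW` operation string as Zeek writes them to dce_rpc.log, and handles both the TSV and JSON-lines output formats that the Verification section mentions. Every log line in it is constructed, not captured.

```python
#!/usr/bin/env python3
"""Added example: join smb_files.log and dce_rpc.log to find the PsExec
pattern (admin-share FILE_WRITE followed by svcctl CreateService on the same
src->dst pair) and aggregate conn.log to flag large internal SMB transfers.
Sample logs are constructed to mimic Zeek TSV and JSON-lines output."""
import ipaddress
import json
from collections import defaultdict

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def parse_zeek(text):
    """Parse Zeek log text in TSV (#fields header) or JSON-lines form.

    Returns one dict per record. TSV values stay strings and Zeek's unset
    marker '-' is preserved; JSON values keep their JSON types.
    """
    entries, fields = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("{"):            # JSON-lines output (LogAscii::use_json=T)
            entries.append(json.loads(line))
        elif line.startswith("#"):          # TSV metadata; only #fields matters here
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
        else:
            entries.append(dict(zip(fields, line.split("\t"))))
    return entries


def is_admin_share(path):
    """True if the UNC path's share component is C$, ADMIN$ or IPC$."""
    share = path.replace("/", "\\").rstrip("\\").split("\\")[-1]
    return share.upper() in ADMIN_SHARES


def detect_psexec_pattern(smb_files, dce_rpc, window_s=60):
    """Return hits where a FILE_WRITE to an admin share is followed within
    window_s seconds by svcctl CreateService* from the same src to the same dst."""
    writes = defaultdict(list)              # (src, dst) -> [(ts, filename)]
    for e in smb_files:
        if e.get("action") == "SMB::FILE_WRITE" and is_admin_share(str(e.get("path", ""))):
            writes[(e["id.orig_h"], e["id.resp_h"])].append((float(e["ts"]), e.get("name", "")))
    hits = []
    for e in dce_rpc:
        if e.get("endpoint") != "svcctl" or not str(e.get("operation", "")).startswith("CreateService"):
            continue
        key = (e["id.orig_h"], e["id.resp_h"])
        ts = float(e["ts"])
        for write_ts, name in writes.get(key, []):
            delta = ts - write_ts
            if 0 <= delta <= window_s:
                hits.append({"src": key[0], "dst": key[1], "file": name,
                             "operation": e["operation"], "delta_s": delta})
    return hits


def detect_large_internal_transfers(conn, internal_nets, threshold_bytes, ports=("445",)):
    """Sum orig_bytes per internal src->dst pair on SMB ports; return pairs over threshold."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def internal(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    totals = defaultdict(int)
    for e in conn:
        if str(e.get("id.resp_p")) not in ports:
            continue
        src, dst = e["id.orig_h"], e["id.resp_h"]
        if not (internal(src) and internal(dst)):
            continue                        # an external destination is exfil, not lateral movement
        raw = e.get("orig_bytes", "-")
        totals[(src, dst)] += int(raw) if str(raw) != "-" else 0
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}


# Constructed sample logs (not real captures). smb_files and conn are TSV, dce_rpc is JSON-lines.
SMB_FILES_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\taction\tpath\tname\tsize",
    "1700000000.100\t10.1.1.50\t10.1.1.20\tSMB::FILE_WRITE\t\\\\10.1.1.20\\ADMIN$\tsvc_binary.exe\t193024",
    "1700000005.000\t10.1.1.51\t10.1.1.21\tSMB::FILE_WRITE\t\\\\10.1.1.21\\share\treport.docx\t4096",
])
DCE_RPC_LOG = "\n".join([
    '{"ts": 1700000002.5, "id.orig_h": "10.1.1.50", "id.resp_h": "10.1.1.20", "endpoint": "svcctl", "operation": "CreateServiceW"}',
    '{"ts": 1700000900.0, "id.orig_h": "10.1.1.60", "id.resp_h": "10.1.1.20", "endpoint": "svcctl", "operation": "CreateServiceW"}',
    '{"ts": 1700000003.0, "id.orig_h": "10.1.1.51", "id.resp_h": "10.1.1.21", "endpoint": "samr", "operation": "SamrConnect"}',
])
CONN_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\torig_bytes",
    "1700000000.0\t10.1.1.50\t10.1.1.20\t445\t193500",
    "1700000100.0\t10.1.1.50\t10.1.1.20\t445\t50000000",
    "1700000200.0\t10.1.1.50\t203.0.113.9\t445\t500000000",
    "1700000300.0\t10.1.1.51\t10.1.1.21\t445\t-",
])

if __name__ == "__main__":
    for h in detect_psexec_pattern(parse_zeek(SMB_FILES_LOG), parse_zeek(DCE_RPC_LOG)):
        print(f"[HIGH] PSEXEC PATTERN: {h['src']} -> {h['dst']} wrote {h['file']} "
              f"then {h['operation']} ({h['delta_s']:.1f}s later)")
    for (src, dst), total in detect_large_internal_transfers(parse_zeek(CONN_LOG), ["10.0.0.0/8"], 10_000_000).items():
        print(f"[MEDIUM] LARGE INTERNAL SMB TRANSFER: {src} -> {dst} {total} bytes")
```

On the sample data only the 10.1.1.50 -> 10.1.1.20 pair is reported by both detectors: the write to ADMIN$ is followed 2.4 s later by CreateServiceW, and its two SMB connections add up to about 50 MB. The CreateServiceW from 10.1.1.60 has no preceding admin-share write in the window, the 500 MB flow to 203.0.113.9 is excluded because the destination is outside the internal ranges, and the `-` byte count is treated as zero rather than crashing the aggregation.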
