
Evading rule-based detection - Part 2: Lateral movement


If you missed the first blog you can find part 1 here!
Lateral movement is where sophisticated attackers demonstrate operational tradecraft. Once they establish initial access, they must navigate networks, escalate privileges, and reach high-value targets. This is also where defenders focus detection: monitoring for suspicious remote execution, credential abuse, and unusual administrative activity.

Modern attack campaigns have adapted. APT groups and ransomware operators configure their techniques to blend with normal IT operations, using the same tools system administrators use daily. The result, per CrowdStrike's 2025 Global Threat Report: average eCrime breakout time is 48 minutes, with the fastest observed breakout at 51 seconds.

We designed our test to mimic sophisticated adversary tradecraft. The configuration used living off the land techniques, continued normal activity from compromised hosts, and targeted busy infrastructure. The results demonstrate what happens when attackers use operational security practices common in modern campaigns.

Living off the land: Legitimate tools, malicious intent

PowerShell appears in 71% of living off the land attacks. WMI, PsExec, and RDP follow close behind. PowerShell, WMI, and RDP ship with Windows, PsExec is a Microsoft-signed Sysinternals utility, and all four are used daily by IT administrators.

The SUNBURST campaign demonstrated this. FireEye described their OPSEC as "some of the best observed." They used minimal custom malware, living off the land via native Windows tools for reconnaissance and lateral movement.

Ransomware operators adopted the same playbook. BlackCat (ALPHV) struck Change Healthcare in February 2024, with UnitedHealth paying a $22 million ransom. LockBit operators used PsExec to execute PowerShell beacons. Fog ransomware, which has targeted the education sector, uses PowerShell and WMI.

These tools are standard in modern attacks. An IT administrator using PsExec to deploy software looks identical to an attacker using PsExec for lateral movement. Detection that relies on blocking malicious tools fails when attackers use the operating system itself.

Compromised hosts continuing normal operations

Sophisticated attackers allow legitimate work to continue from compromised systems. When they take over a workstation or server, normal business operations persist while attack activities occur in parallel. This defeats detection rules looking for accounts suddenly behaving abnormally.

Our test included this approach. Compromised hosts continued normal activities: standard applications, expected network connections, typical file access. Attack operations (lateral movement, credential dumping) occurred alongside legitimate activity.

SUNBURST demonstrated exceptional tradecraft by matching C2 infrastructure hostnames to legitimate victim hostnames and using IP addresses from the same country. Malicious activity appeared normal because it was embedded within normal operations.

Detection rules that trigger on "unusual account behavior" fail when attackers preserve normal behavior. If a compromised workstation continues accessing the same file shares and running the same applications, behavioral anomaly detection sees nothing unusual.

Targeting busy infrastructure

Domain controllers, file servers, and database servers generate enormous connection volumes. Hundreds of workstations connect daily. Dozens of administrators manage them. This creates perfect cover.

Our test targeted file servers and domain controllers. These systems experience constant administrative activity: remote PowerShell sessions, WMI queries, and service account authentications occur continuously. A few more connections from compromised accounts disappear into the noise.

Volt Typhoon, in its intrusions into U.S. critical infrastructure, deliberately favored busy systems where its activity would blend in. Detection rules for "unusual connections to domain controllers" generate thousands of false positives when every workstation authenticates continuously.

The dilemma is fundamental. Lower the threshold and operations teams drown in false positives. Raise it and attackers operate below the limit.

Timing attacks to match IT operations

Sophisticated attackers study target environments. They identify maintenance windows. They observe when administrative activity peaks. They configure lateral movement to occur during these windows.

Our test included this. Lateral movement occurred during business hours (8am-7pm), when IT administrators perform routine maintenance. Detection rules for "after-hours administrative activity" see nothing suspicious.

SUNBURST remained dormant for up to two weeks, then operated during business hours with timing matching legitimate traffic. Volt Typhoon, tracked from 2023 through 2025, moved slowly over months, conducting reconnaissance during business activity and lateral movement during maintenance windows.

Unsophisticated vs. sophisticated lateral movement

Unsophisticated attackers use obvious techniques. They deploy custom scanning tools that generate distinctive traffic. They run Nmap, which produces identifiable connection sequences. They deploy remote access trojans with known signatures. They move rapidly without operational security. They use odd service accounts that rarely authenticate. Traditional rules detect these easily.

Sophisticated attackers avoid these mistakes. They use built-in Windows tools appearing in legitimate activity. They use valid stolen credentials. They move during business hours at administrative speeds. They continue normal operations from compromised systems. They target busy infrastructure. They configure techniques to evade deployed detection rules.

Impacket, a collection of Python classes and example scripts for working with Windows network protocols such as SMB, MSRPC, and Kerberos, was the second most detected threat of 2023 according to Red Canary's 2024 Threat Detection Report. The tool implements low-level protocols, allowing attackers to "blend in the background noise" and making lateral movement difficult to distinguish from legitimate administrative activity. BlackCat used Impacket's smbexec during attacks, and the tool appears across APT groups and ransomware operators alike.

Our test configuration and results

We designed lateral movement to use techniques documented in sophisticated campaigns. Compromised workstations used legitimate service account credentials. Lateral movement used PowerShell remoting and WMI, not custom tools. Remote execution occurred during business hours (8am-7pm). Compromised hosts continued normal user activity. Targets included file servers and domain controllers where hundreds of daily connection attempts are expected.

Three common detection rules were evaluated:

Rule 1: Unusual administrative tool usage
Result: Zero detections. PowerShell, WMI, and remote services are used constantly in enterprise environments. The detection rule was tuned to avoid false positives from legitimate IT operations. This tuning created exactly the detection gap that attackers exploit.

Rule 2: After-hours administrative activity
Result: Zero detections. All lateral movement occurred during 8am-7pm business hours, when IT staff perform most administrative tasks. The rule only triggers on 7pm-8am activity, leaving an 11-hour daily window in which lateral movement is invisible.

Rule 3: Connection counting to domain controllers
Result: Zero detections. Domain controllers receive 400+ legitimate connection attempts daily from workstations, administrators, and service accounts. The detection rule threshold was set at 50+ connections per source host per hour to avoid false positives. Attack traffic (6-8 connections per compromised host) sat far below this threshold and was never flagged.

These results reflect what sophisticated adversaries achieve in production environments. When attackers use operational security practices that mimic legitimate IT operations, rule-based detection loses visibility.

Why analyzing intent over time reveals attacks

DeepTempo's LogLM detected 100% of lateral movement flows (197 out of 197). This is not because LogLM detected "unusual PowerShell" or "suspicious WMI." The foundation model learns structural signatures of malicious activity patterns.

Individual PowerShell sessions appear legitimate: proper authentication, expected protocols, reasonable timing. But observing how actions unfold reveals intent. The pattern of credential usage across endpoints, the sequence of service account authentications, the temporal distribution of remote execution all form a structural signature indicating lateral movement.

Legitimate IT administration shows different long-horizon behavior. An administrator troubleshooting connects sequentially, runs diagnostics, reviews results, disconnects. Their activity shows investigation patterns. An attacker shows enumeration patterns: scan, validate, pivot, persist. The structural signatures are distinct.

Attackers can use legitimate tools, operate during business hours, continue normal activity, and target busy infrastructure. But they cannot make their attack sequences match legitimate administration while accomplishing reconnaissance and pivoting objectives.

The foundation model creates behavioral embeddings capturing these structural patterns. A service account authenticating to 15 systems in 20 minutes while executing WMI queries reveals different intent than the same account running scheduled tasks. Individual flows may look identical. The temporal structure is different.

This explains why LogLM achieved 100% detection. The model evaluates extended behavioral sequences rather than matching tool usage or connection patterns against thresholds.
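The following is an added example, not code from the original post or from DeepTempo. It implements the three threshold rules evaluated in the test above (unusual tool, after-hours, domain controller connection count) and runs them over a constructed set of flows, alongside a hand-written per-account fan-out heuristic that illustrates the temporal-structure argument of this section: the same account reaching many distinct hosts inside a short window. Every hostname, account, timestamp, and flow is invented for the example, the "malicious" label exists only because the data is constructed, and the fan-out check is a simple sliding-window heuristic, not the LogLM model.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Flow(NamedTuple):
    ts: datetime
    account: str
    src: str
    dst: str
    tool: str
    malicious: bool  # ground-truth label, present only because the data is constructed


def at(hhmm: str) -> datetime:
    h, m = hhmm.split(":")
    return datetime(2024, 3, 12, int(h), int(m))


# Constructed flows (not real telemetry). Hostnames and accounts are invented.
FLOWS = [
    # Legitimate nightly backup job: the classic after-hours false positive.
    Flow(at("02:00"), "svc-backup", "backup01", "fs01", "powershell_remoting", False),
    # Legitimate admin patching one server: slow, sequential, few hosts.
    Flow(at("09:05"), "admin.jane", "jump01", "fs02", "rdp", False),
    Flow(at("09:40"), "admin.jane", "jump01", "fs02", "powershell_remoting", False),
    Flow(at("11:15"), "admin.jane", "jump01", "dc01", "powershell_remoting", False),
    # Noisy attacker: a scanner run at 03:10 from a dormant account. Rules catch this.
    Flow(at("03:10"), "svc-legacy", "ws99", "dc01", "nmap", True),
]
# Stealthy attacker: stolen svc-backup credential, business hours, built-in tools,
# eight distinct hosts in under twenty minutes, only two of them domain controllers.
for i, dst in enumerate(["fs01", "fs02", "fs03", "dc01", "dc02", "sql01", "ws22", "ws31"]):
    tool = "wmi" if i % 2 else "powershell_remoting"
    FLOWS.append(Flow(at("10:00") + timedelta(minutes=2 + 2 * i), "svc-backup", "ws17", dst, tool, True))
# Background noise: 45 workstations authenticating to dc01 between 08:00 and 08:44.
for i in range(45):
    FLOWS.append(Flow(at("08:00") + timedelta(minutes=i), f"user{i:02d}", f"ws{i:02d}", "dc01", "kerberos", False))

DC_HOSTS = {"dc01", "dc02"}
ALLOWED_TOOLS = {"powershell_remoting", "wmi", "psexec", "rdp", "kerberos"}


def rule_unusual_tool(flows):
    """Rule 1: flag any tool not on the tuned list of what IT uses every day."""
    return {f for f in flows if f.tool not in ALLOWED_TOOLS}


def rule_after_hours(flows, start_hour=8, end_hour=19):
    """Rule 2: flag activity outside 08:00-19:00 (the 7pm-8am rule from the test)."""
    return {f for f in flows if not (start_hour <= f.ts.hour < end_hour)}


def rule_dc_connection_count(flows, threshold=50):
    """Rule 3: flag a source host with more than `threshold` DC connections in one clock hour."""
    counts = defaultdict(int)
    for f in flows:
        if f.dst in DC_HOSTS:
            counts[(f.src, f.ts.replace(minute=0, second=0))] += 1
    hot = {key for key, n in counts.items() if n > threshold}
    return {f for f in flows if f.dst in DC_HOSTS and (f.src, f.ts.replace(minute=0, second=0)) in hot}


def fanout_check(flows, min_hosts=5, window=timedelta(minutes=20)):
    """Temporal heuristic: one account reaching `min_hosts` distinct destinations inside
    a sliding window. Flags every flow in the offending window."""
    flagged = set()
    by_account = defaultdict(list)
    for f in flows:
        by_account[f.account].append(f)
    for acct_flows in by_account.values():
        acct_flows.sort(key=lambda f: f.ts)
        for i, end in enumerate(acct_flows):
            span = [f for f in acct_flows[: i + 1] if end.ts - f.ts <= window]
            if len({f.dst for f in span}) >= min_hosts:
                flagged.update(span)
    return flagged


def report(flows=FLOWS):
    """Return {rule: (true positives, false positives, malicious flows missed)}."""
    malicious = {f for f in flows if f.malicious}
    out = {}
    for name, rule in [("unusual_tool", rule_unusual_tool), ("after_hours", rule_after_hours),
                       ("dc_connection_count", rule_dc_connection_count), ("fanout", fanout_check)]:
        hits = rule(flows)
        tp = len(hits & malicious)
        out[name] = (tp, len(hits) - tp, len(malicious) - tp)
    return out


if __name__ == "__main__":
    for name, (tp, fp, missed) in report().items():
        print(f"{name:20s} caught {tp} malicious, {fp} false positives, missed {missed}")
```

On this constructed data the three threshold rules catch only the noisy 03:10 Nmap flow (the after-hours rule also fires on the legitimate 02:00 backup), and all eight stealthy flows pass every one of them. The fan-out check flags all eight because the account touches five distinct hosts within twenty minutes, while the admin's three-host, two-hour session and the single nightly backup never reach the window threshold. Raising `threshold` or shrinking `window` is the same tuning dilemma the post describes: every knob trades false positives against the attacker operating just below it.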

What this means for defenders

Living off the land is standard practice. State APT groups like Volt Typhoon use these techniques. Ransomware operators from LockBit to BlackCat to Fog implement them. The operational security principles are documented in incident response reports.

Detection engineers face a fundamental challenge. The tools attackers use (PowerShell, WMI, PsExec, RDP) are the same tools IT needs. Blocking them breaks operations. Detecting misuse requires distinguishing legitimate administration from attacks when both use identical tools.

Traditional approaches add correlation logic, lower thresholds, or implement behavioral baselines. But detection timelines remain challenging: mean time to identify a breach was 194 days in 2024 (IBM's 2024 Cost of a Data Breach Report), while attackers begin lateral movement within 48 minutes on average.

Foundation models that learn structural signatures of attack sequences provide an alternative. Instead of writing rules for specific tools or patterns, the model learns what malicious activity looks like when observed over time.

Our test demonstrates this. Traditional rules detected zero lateral movement flows. LogLM detected all 197 flows because the temporal structure of activity revealed intent despite legitimate tools, business hours, and operational cover.

Get in touch to run a 30 day risk-free assessment in your environment. DeepTempo will analyze your existing data to identify threats that are active. Catch threats that your existing NDRs and SIEMs might be missing!
