Ransomware Lateral Movement in 2026: Detection Opportunities (Part 1/2)

TLP:CLEAR | 27 February 2026

Ransomware lateral movement techniques in 2026 are increasingly identity-led, cloud-aware, and executed through legitimate admin channels, forcing defenders to prioritise high-fidelity telemetry, behavioural analytics, and rapid containment.

Key Takeaways

  • Lateral movement is still the decisive phase: Barracuda reports that 96% of incidents involving lateral movement culminated in ransomware deployment, making internal movement the clearest “breakpoint” for SOCs to stop impact (Barracuda Managed XDR findings).
  • Identity is the primary movement plane: Unit 42 attributes 65% of initial access to identity-based techniques and highlights 90% of incidents involving identity weaknesses, reinforcing that most “movement” now looks like authentication and authorisation misuse rather than exploitation (Unit 42 2026 Global Incident Response Report overview).
  • Perimeter device exploitation remains a top enabler: Barracuda observed 90% of ransomware incidents exploiting firewalls via CVEs or compromised accounts, and Fortinet vulnerabilities continue to appear in government “known exploited” and advisory workflows (Barracuda findings, CISA KEV catalogue).
  • Hybrid identity increases blast radius: Microsoft documents Storm-0501 pivoting between on-prem and cloud, including abuse of Entra Connect Sync and cloud-side destructive actions, compressing containment timelines (Microsoft on Storm-0501 hybrid attacks, Storm-0501 cloud-based shift).
  • Supply chain and MSP/RMM compromise multiplies victims: Group-IB characterises supply chain attacks as a dominant threat driver in 2026, while Sophos shows how RMM compromise can directly enable multi-customer deployment pathways (Group-IB HTCT 2026 announcement, Sophos on DragonForce targeting SimpleHelp RMM).

Executive Summary

As of 27 February 2026, ransomware lateral movement has become faster, more identity-led, and increasingly executed through legitimate administrative channels rather than bespoke malware, compressing the detection-to-containment window for most defenders (Unit 42 2026 incident response findings). Access broker initial access and perimeter device exploitation continue to provide high-quality footholds that arrive with working credentials and network adjacency, enabling rapid lateral expansion if east-west telemetry is weak (CrowdStrike 2025 threat report findings, Barracuda firewall exploitation findings). Hybrid identity estates (on-prem AD plus Entra ID plus SaaS) expand blast radius because attackers can pivot using tokens, service principals, and sync infrastructure, often bypassing traditional network choke points (Microsoft token protection guidance, CISA Hybrid Identity Solutions Guidance). For SOC and detection engineering teams, the practical priority in 2026 is to collect the right telemetry, detect the earliest movement primitives (remote services, service creation, identity control-plane changes), and execute rehearsed containment within minutes.


2026 Threat Landscape

Access brokers and initial access markets compress timelines

The ransomware ecosystem’s “division of labour” continues to mature: initial access brokers (IABs) obtain footholds and monetise them, while ransomware affiliates buy access and focus on privilege escalation, lateral movement, and impact. CrowdStrike reports access broker advertisements surged 50% year-over-year, reinforcing that many intrusions now start with valid credentials for RDP, VPN, portals, or managed services (CrowdStrike 2025 findings, CrowdStrike 2025 report PDF). The UK NCSC and NCA describe how criminal ecosystems specialise and monetise stages of the attack chain, which aligns with IAB-driven operating models and repeatable ransomware playbooks (NCSC/NCA ransomware ecosystem white paper).

Detection implication: brokered access frequently bypasses exploit telemetry. Early warning must therefore emphasise authentication anomalies, session hijack indicators, and “first-time admin activity” from accounts that historically did not administer infrastructure.

Supply chain, MSP, and cloud/SaaS compromise paths increase blast radius

Third-party compromise is no longer an edge case. Verizon’s 2025 DBIR reports third-party involvement in 30% of breaches, up from roughly 15% the prior year, highlighting how inherited trust can deliver privileged connectivity and identity federation to attackers (Verizon 2025 DBIR PDF). Group-IB’s High-Tech Crime Trends Report framing for 2026 emphasises ecosystem-wide compromise that exploits trusted vendors, open-source software, SaaS platforms, and managed service providers (Group-IB HTCT 2026 announcement). MSP/RMM compromise remains a direct path to multi-victim lateral movement: Sophos documents DragonForce actors targeting SimpleHelp RMM to reach MSP customers via legitimate management channels (Sophos on DragonForce targeting SimpleHelp RMM).

Detection implication: treat third-party and management-plane logs as Tier 0 telemetry. You rarely “detect the malware” first; you detect the abuse of trust first.

Perimeter and edge device exposure continues to drive initial access

Perimeter device exploitation remains a persistent enabler because boundary devices often sit at high-trust junctions (routing reachability, authentication context, administrative interfaces). Barracuda’s 2026 reporting links 90% of ransomware incidents to firewall exploitation or compromised firewall accounts (Barracuda findings). Fortinet firewall vulnerabilities provide a representative example of a frequently targeted firewall class: CVE-2024-55591 (FortiOS/FortiProxy authentication bypass) and CVE-2025-64446 (FortiWeb path traversal) both have high CVSS scores and are documented as exploited in the wild via government and vendor reporting (Fortinet Advisory for CVE-2024-55591, NVD, Fortinet Advisory for CVE-2025-64446, NVD, CISA advisory on FortiWeb exploitation).

Detection implication: edge telemetry must be correlated to internal east-west movement. The first internal pivot often happens minutes after successful edge admin or VPN access.

Hybrid identity environments increase blast radius

Hybrid identity collapses traditional containment boundaries because authentication and authorisation decisions span on-prem AD, Entra ID, and SaaS. Microsoft documents Storm-0501 performing multi-stage operations across hybrid environments and shifting towards cloud-based ransomware actions, including destructive tenant-side operations (Microsoft on Storm-0501 hybrid attacks, Storm-0501 cloud-based shift). Microsoft’s guidance on token theft and replay highlights why defenders cannot treat “password reset” as sufficient if tokens and sessions remain valid (Protecting Tokens in Microsoft Entra ID). CISA’s Hybrid Identity Solutions Guidance reinforces the need to secure hybrid identity architecture and treat sync and identity infrastructure as critical assets (CISA Hybrid Identity Solutions Guidance).

Detection implication: lateral movement is increasingly cloud lateral movement. SOCs must monitor identity control-plane changes (role assignment, app consent, service principal credentials, sync server access) with the same urgency as DC compromise.


Initial Access Paths That Enable Lateral Movement

Below are common pre-lateral vectors, framed for defenders as: what to log first, the most common failure mode, and a high-signal detection idea.

A) Perimeter devices: VPNs, firewalls, secure web gateways, remote access appliances (Fortinet as a recurring target class)

  • Log first (data sources)
    • VPN authentication logs (success/failure, MFA outcomes), device admin login events, configuration change logs
    • East-west flow metadata from the perimeter device interfaces (new internal connections post-authentication)
    • Any exported IDS/WAF events for management endpoints and admin portals
  • Most common failure mode
  • High-signal detection idea (vendor-agnostic)
    • Correlate successful admin/VPN authentication with first-time internal admin protocol use (SMB/RDP/WinRM/SSH) from the same source or appliance within a short window.
    • Pseudocode: edge_auth_success AND within 10m (internal_conn to 445/3389/5985/22) AND src not in known_admin_sources
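
The pseudocode above, made concrete as an added example (not code from the original report): it joins successful edge authentications to subsequent east-west connections on admin ports from the same assigned address, suppresses known admin sources and (user, protocol) pairs already in a baseline, and emits one alert per hit. The record schema, the VPN pool ranges, the baseline and the sample log lines are all constructed for illustration.

```python
"""Added example: correlate perimeter authentication with first-time internal
admin-protocol use from the same source within a short window.
Telemetry schema and sample records are constructed; field names are assumptions."""
import ipaddress
from datetime import datetime, timedelta

ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM", 22: "SSH"}
WINDOW = timedelta(minutes=10)

# Constructed sample: successful VPN / appliance-admin logins. assigned_ip is
# the address the session appears from on the inside.
EDGE_AUTHS = [
    {"ts": "2026-02-27T08:00:05", "user": "jdoe", "assigned_ip": "10.20.5.14"},
    {"ts": "2026-02-27T08:03:40", "user": "svc-backup", "assigned_ip": "10.20.5.77"},
    {"ts": "2026-02-27T08:04:00", "user": "adm-ops", "assigned_ip": "10.20.9.22"},
]
# Constructed sample: east-west flow records from the appliance's inside interfaces.
INTERNAL_FLOWS = [
    {"ts": "2026-02-27T08:01:10", "src": "10.20.5.14", "dst": "10.0.1.20", "dport": 443},
    {"ts": "2026-02-27T08:06:02", "src": "10.20.5.77", "dst": "10.0.0.10", "dport": 445},
    {"ts": "2026-02-27T08:07:15", "src": "10.20.5.77", "dst": "10.0.0.11", "dport": 5985},
    {"ts": "2026-02-27T08:05:30", "src": "10.20.9.22", "dst": "10.0.0.10", "dport": 3389},
    {"ts": "2026-02-27T08:30:00", "src": "10.20.5.14", "dst": "10.0.0.10", "dport": 3389},
]
# Assumed allow-lists (hypothetical values): the admin VPN pool / jump hosts,
# and (user, protocol) pairs observed over a 90-day baseline.
KNOWN_ADMIN_SOURCES = [ipaddress.ip_network("10.20.9.0/24")]
BASELINE = {("jdoe", "RDP")}


def is_known_admin_source(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def correlate(edge_auths, flows, known_admin_sources=KNOWN_ADMIN_SOURCES,
              baseline=BASELINE, window=WINDOW):
    """Return one alert per (auth, flow) pair where a non-admin source uses an
    admin protocol it has no baseline for, within `window` of the edge login."""
    alerts = []
    for auth in edge_auths:
        if is_known_admin_source(auth["assigned_ip"], known_admin_sources):
            continue
        t0 = datetime.fromisoformat(auth["ts"])
        for flow in flows:
            proto = ADMIN_PORTS.get(flow["dport"])
            if proto is None or flow["src"] != auth["assigned_ip"]:
                continue
            delta = datetime.fromisoformat(flow["ts"]) - t0
            if not timedelta(0) <= delta <= window:
                continue
            if (auth["user"], proto) in baseline:
                continue
            alerts.append({
                "user": auth["user"], "src": flow["src"], "dst": flow["dst"],
                "protocol": proto, "seconds_after_auth": int(delta.total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(EDGE_AUTHS, INTERNAL_FLOWS):
        print(f"ALERT {a['user']} {a['src']} -> {a['dst']} {a['protocol']} "
              f"{a['seconds_after_auth']}s after edge auth")
```

On the sample data only the svc-backup session fires (SMB then WinRM within minutes of VPN login); jdoe's RDP is both baselined and outside the window, and adm-ops comes from the admin pool. In production, build the baseline from 60 to 90 days of history per user and protocol rather than hard-coding it.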

B) File transfer solutions: managed file transfer (MFT) and internet-exposed transfer tooling

  • Log first
    • Web server access logs for upload/download and admin endpoints
    • Application audit logs (new users, token creation, config changes)
    • Host EDR telemetry for child processes spawned by the transfer service
  • Most common failure mode
    • Treating MFT as an “appliance” with weak monitoring and over-privileged service accounts.
  • High-signal detection idea

C) MDM and endpoint management: MDM compromise, device enrolment abuse, stolen admin sessions, token theft

  • Log first
    • MDM admin audit logs (role changes, policy/script/app deployment, remote actions)
    • Entra ID audit logs for service principal credential updates and admin consent activity
    • Device enrolment events and compliance state transitions
  • Most common failure mode
    • Over-privileged MDM roles and service principals, weak Conditional Access scoping, and inadequate governance of device enrolment.
  • High-signal detection idea
    • Alert when new device enrolment is followed by privileged sign-ins or mass script/app deployments shortly afterwards.
    • Google Cloud’s Mandiant team has documented abuse of Intune permissions for lateral movement and privilege escalation in Entra ID environments (Abusing Intune permissions in Entra ID environments).

D) Supply chain: software update poisoning, compromised CI/CD, third-party support tooling, MSP/RMM abuse

  • Log first
    • CI/CD and build pipeline audit logs (signing, approvals, artefact integrity checks)
    • Third-party support tooling logs (remote sessions, file transfers, scripted execution)
    • RMM platform audit logs (agent deployments, remote shell commands, policy pushes)
  • Most common failure mode
  • High-signal detection idea
    • Detect new remote management agents or remote execution tooling installed outside the approved software catalogue, particularly when installation originates from third-party accounts or endpoints.
    • For MSP/RMM blast radius, Sophos’ DragonForce case study is a practical model (Sophos on DragonForce targeting SimpleHelp RMM).

E) Cloud vendors and SaaS: identity provider compromise, OAuth abuse, stolen refresh tokens, SSO misconfigurations

  • Log first
    • Entra ID sign-in and audit logs (app registrations, consent grants, role assignments, service principal credential changes)
    • Cloud provider audit logs (Azure Activity, AWS CloudTrail, GCP Audit Logs)
    • SaaS admin audit logs (mailbox exports, sharing changes, API key creation)
  • Most common failure mode
  • High-signal detection idea
    • Alert on new OAuth app consent requesting high-privilege scopes followed by high-volume API access from unfamiliar IP ranges or user agents.
    • Token replay is a core risk driver; Microsoft provides both defensive guidance and investigative playbooks (Token theft playbook, Protecting Tokens in Microsoft Entra ID).
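
The consent-then-API-burst idea above, as an added example that is not code from the original report: it checks each "Consent to application" event for high-privilege Graph scopes, then counts that app's Graph requests from IPs outside the familiar egress ranges in the following 24 hours. The record shapes are simplified (the permission list is assumed to have been extracted from the audit record's ConsentAction.Permissions property upstream), the familiar ranges and thresholds are assumptions, and all sample records are constructed.

```python
"""Added example: flag a consent grant for high-privilege Graph scopes that is
followed by heavy API use by that app from an unfamiliar source IP.
Record shapes are simplified from Entra audit / Graph activity logs; the
sample data, familiar ranges and thresholds are constructed assumptions."""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

FOLLOW_WINDOW = timedelta(hours=24)
REQUEST_THRESHOLD = 50
# Real Microsoft Graph permission names treated as high privilege here; the
# selection is an assumption you should extend for your tenant.
HIGH_PRIV_SCOPES = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "Mail.ReadWrite", "Mail.Read",
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "User.ReadWrite.All",
}
# Assumed corporate egress ranges; anything else counts as unfamiliar.
FAMILIAR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed consent events (simplified shape).
CONSENTS = [
    {"ts": "2026-02-27T10:00:00", "activity": "Consent to application",
     "app_id": "app-aaaa", "app_name": "Mail Backup Helper", "initiated_by": "h.ng",
     "permissions": ["offline_access", "Mail.Read", "Files.ReadWrite.All"]},
    {"ts": "2026-02-27T10:05:00", "activity": "Consent to application",
     "app_id": "app-bbbb", "app_name": "Calendar Sync", "initiated_by": "k.ali",
     "permissions": ["User.Read", "Calendars.Read"]},
]
# Constructed Graph activity records: app id, source IP, request URI.
ACTIVITY = (
    [{"ts": f"2026-02-27T11:{i:02d}:00", "app_id": "app-aaaa", "ip": "198.51.100.7",
      "uri": "https://graph.microsoft.com/v1.0/users/u1/messages"} for i in range(60)]
    + [{"ts": "2026-02-27T10:10:00", "app_id": "app-aaaa", "ip": "203.0.113.5",
        "uri": "https://graph.microsoft.com/v1.0/me"}]
    + [{"ts": f"2026-02-27T10:{i:02d}:00", "app_id": "app-bbbb", "ip": "198.51.100.9",
        "uri": "https://graph.microsoft.com/v1.0/me/calendars"} for i in range(10, 40)]
)


def _risky(permissions):
    return sorted(p for p in permissions
                  if p in HIGH_PRIV_SCOPES or p.endswith(".ReadWrite.All"))


def is_high_priv(permissions):
    return bool(_risky(permissions))


def is_familiar(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in FAMILIAR_NETWORKS)


def detect_consent_abuse(consents, activity, window=FOLLOW_WINDOW,
                         threshold=REQUEST_THRESHOLD):
    """One alert per high-privilege consent grant followed within `window`
    by >= threshold Graph requests from a single unfamiliar IP."""
    alerts = []
    for c in consents:
        if c["activity"] != "Consent to application" or not is_high_priv(c["permissions"]):
            continue
        t0 = datetime.fromisoformat(c["ts"])
        per_ip = Counter()
        for a in activity:
            if a["app_id"] != c["app_id"] or is_familiar(a["ip"]):
                continue
            delta = datetime.fromisoformat(a["ts"]) - t0
            if timedelta(0) <= delta <= window:
                per_ip[a["ip"]] += 1
        hot = {ip: n for ip, n in per_ip.items() if n >= threshold}
        if hot:
            alerts.append({
                "app_id": c["app_id"], "app_name": c["app_name"],
                "consented_by": c["initiated_by"],
                "risky_scopes": _risky(c["permissions"]),
                "unfamiliar_ips": hot,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_consent_abuse(CONSENTS, ACTIVITY):
        print("ALERT", alert)
```

The low-privilege app (app-bbbb) makes 30 requests from an unfamiliar address and is deliberately not flagged: the scope check is what keeps the rule high-signal. Tune the request threshold per app category, and feed the alert straight into the token-revocation step of the containment playbook.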

Lateral Movement Techniques Used by Ransomware Operators

The modules below map to MITRE ATT&CK (Enterprise) and are written as detection-first “playbooks”: prerequisites, operator workflow, telemetry, analytics, and first-30-minute containment actions.

Module 1: Remote services fan-out (SMB, RDP, WinRM, SSH)

  • ATT&CK mapping
    • T1021.001 (Remote Desktop Protocol), T1021.002 (SMB/Windows Admin Shares), T1021.004 (SSH), T1021.006 (Windows Remote Management); typically followed by T1570 (Lateral Tool Transfer)
  • Preconditions
    • Valid credentials, cached tokens, or local admin access; network reachability to remote service ports.
  • How it is executed
    • Operators validate reachability and privilege, then pivot interactively (RDP/SSH) or semi-interactively (WinRM/SMB). This commonly follows brokered VPN/RDP access and quickly becomes lateral tool transfer plus remote execution.
  • Windows, Linux, cloud variants
    • Windows: SMB admin shares for staging plus WinRM for execution.
    • Linux: SSH with stolen passwords/keys.
    • Cloud: Bastions and remote management channels replicate the same movement pattern with identity-driven authorisation.
  • Telemetry to collect
    • Windows Security: 4624 (LogonType 3 for SMB and for the NLA pre-authentication that precedes an RDP session, 10 for interactive RDP, 7 for RDP reconnects), 4625, 4648; share access 5140/5145; TerminalServices-RemoteConnectionManager event 1149 where collected; RDP gateway logs if used.
    • Endpoint: process creation and network connections.
    • Network: east-west flow logs for 445/3389/5985/22.
  • Detection engineering notes
    • High-signal: “first-time admin protocol” by a user or host, especially soon after VPN auth.
    • Pitfalls: legitimate admin work. Baseline by jump host, admin group, and subnet.
  • Containment (first 30 minutes)
    • Isolate the source pivot host, disable or restrict compromised accounts, and apply emergency segmentation to block 445/3389/5985/22 between user subnets and server tiers where feasible.
    • If hybrid accounts are suspected, revoke cloud sessions/tokens immediately (Microsoft token theft playbook).

Module 2: PsExec-style service execution and scheduled tasks at scale

  • ATT&CK mapping
    • T1569.002 (Service Execution), T1053.005 (Scheduled Task), T1570 (Lateral Tool Transfer) for staging via admin shares
  • Preconditions
    • Local admin or equivalent rights on targets; often requires SMB access to ADMIN$.
  • How it is executed
    • Operators use service creation (sc.exe) and scheduled tasks (schtasks.exe) for distributed execution, frequently staging payloads via admin shares and triggering near-simultaneous execution to compress response time.
  • Windows, Linux, cloud variants
    • Windows: SCM and Task Scheduler.
    • Linux: systemd/cron over SSH.
    • Cloud: remote execution services (SSM Run Command, VM extensions) mirror this pattern.
  • Telemetry to collect
    • Windows: System 7045 (new service installed), Security 4697 (service install; needs the Security System Extension audit subcategory), 4698/4702 (task created/updated), 4688 (process creation, with command-line logging enabled), Sysmon event 1 if deployed; TaskScheduler/Operational 106 where enabled.
  • Detection engineering notes
    • High-signal: service/task creation across multiple hosts by the same account within 5–10 minutes.
    • Pitfall: software deployment platforms (SCCM/Intune). Use allow-lists of deployment accounts and management servers.
  • Containment (first 30 minutes)
    • Disable the initiating account, block lateral write paths (ADMIN$) between non-management hosts, stop and delete suspicious services/tasks, and isolate any host that received a burst of service installs.
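
The "same account, many hosts, short window" signal from the detection notes above, as an added example (not code from the original report): events from the System and Security logs are grouped per account, a sliding window counts distinct target hosts, and allow-listed deployment accounts are only suppressed when they act from their management servers. Event shape, account names, hostnames and thresholds are constructed assumptions.

```python
"""Added example: detect service/task creation by one account across many
hosts inside a short window (PsExec-style fan-out).
Event shape and sample data are constructed; names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
HOST_THRESHOLD = 5                      # distinct hosts before alerting
CREATION_EVENTS = {7045, 4697, 4698}    # System 7045, Security 4697 (service), 4698 (task)
# Assumed allow-list: deployment accounts and the management servers they
# are expected to act from. Both conditions must hold to suppress.
DEPLOYMENT_ACCOUNTS = {"CORP\\sccm-svc"}
MANAGEMENT_HOSTS = {"sccm01"}


def _ev(ts, eid, host, account, name, origin="-"):
    return {"ts": ts, "event_id": eid, "host": host, "account": account,
            "name": name, "origin_host": origin}


# Constructed sample events, as forwarded centrally from member servers.
EVENTS = [
    # PsExec-style service installs from one workstation: six hosts in five minutes
    *[_ev(f"2026-02-27T09:1{i}:00", 7045, f"srv{i:02d}", "CORP\\jsmith", "PSEXESVC", "ws-0187")
      for i in range(6)],
    # legitimate SCCM client push to many hosts from the SCCM server: allow-listed
    *[_ev(f"2026-02-27T09:0{i}:30", 7045, f"app{i:02d}", "CORP\\sccm-svc", "ccmsetup", "sccm01")
      for i in range(8)],
    # an admin installing an agent on two hosts: below threshold
    _ev("2026-02-27T09:20:00", 4697, "db01", "CORP\\adm-bob", "MonitorAgent", "jump01"),
    _ev("2026-02-27T09:21:00", 4697, "db02", "CORP\\adm-bob", "MonitorAgent", "jump01"),
]


def detect_fanout(events, window=WINDOW, threshold=HOST_THRESHOLD,
                  allow_accounts=DEPLOYMENT_ACCOUNTS, allow_hosts=MANAGEMENT_HOSTS):
    """Sliding window per account: alert when >= threshold distinct hosts see a
    service/task creation by that account inside `window`. One alert per
    account, reporting the densest window found."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] not in CREATION_EVENTS:
            continue
        if e["account"] in allow_accounts and e["origin_host"] in allow_hosts:
            continue
        by_account[e["account"]].append((datetime.fromisoformat(e["ts"]), e))

    alerts = []
    for account, items in by_account.items():
        items.sort(key=lambda x: x[0])
        best, j = None, 0
        for i in range(len(items)):
            # advance j past the last event within `window` of items[i]
            while j < len(items) and items[j][0] - items[i][0] <= window:
                j += 1
            span = items[i:j]
            hosts = {e["host"] for _, e in span}
            if len(hosts) >= threshold and (best is None or len(hosts) > best["host_count"]):
                best = {
                    "account": account, "host_count": len(hosts),
                    "hosts": sorted(hosts),
                    "names": sorted({e["name"] for _, e in span}),
                    "origins": sorted({e["origin_host"] for _, e in span}),
                    "first": span[0][0].isoformat(), "last": span[-1][0].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(EVENTS):
        print(f"ALERT {a['account']} created {a['names']} on {a['host_count']} hosts "
              f"from {a['origins']} between {a['first']} and {a['last']}")
```

Suppressing on account plus origin host (rather than account alone) is deliberate: a deployment account used from a workstation is exactly the abuse case this rule should catch. The same grouping works for 4698 scheduled-task bursts without changes.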

Module 3: WMI and DCOM remote execution paths

  • ATT&CK mapping
    • T1047 (Windows Management Instrumentation), T1021.003 (Distributed Component Object Model)
  • Preconditions
    • Administrative credentials; RPC/DCOM reachability (135 plus dynamic ports).
  • How it is executed
    • Remote process creation via WMI (native tooling and scripts) and DCOM object invocation. These methods blend into management traffic and can be chained with credential replay.
  • Windows, Linux, cloud variants
    • Primarily Windows; in mixed estates, SSH or management tools fill the Linux role.
  • Telemetry to collect
    • WMI-Activity operational logs; endpoint process lineage (wmiprvse.exe children); RPC network flows.
  • Detection engineering notes
    • High-signal: wmiprvse.exe spawning cmd.exe/powershell.exe on non-management hosts, or WMI remote execution originating from a workstation subnet.
    • Pitfall: SCCM and legitimate inventory tooling. Filter by origin host class and time windows.
  • Containment (first 30 minutes)
    • Block RPC/DCOM between workstation segments, restrict remote WMI to management subnets, and isolate the WMI originator host.

Module 4: Credential replay (Pass-the-Hash, Pass-the-Ticket) and token impersonation

  • ATT&CK mapping
    • T1550.002 (Pass the Hash), T1550.003 (Pass the Ticket), T1134.001 (Token Impersonation/Theft); cloud session replay maps to T1550.001 (Application Access Token)
  • Preconditions
    • NTLM hashes, Kerberos tickets, or tokens extracted from endpoints, often following credential dumping and local privilege escalation.
  • How it is executed
    • Operators authenticate laterally without ever obtaining plaintext passwords. In hybrid estates, the “token equivalent” is often cloud session artefacts; defenders must treat token replay as lateral movement, not “just identity”.
  • Windows, Linux, cloud variants
  • Telemetry to collect
    • Windows: Kerberos events (4768/4769), special privilege use (4672), explicit credential use (4648), NTLM auth telemetry where available.
    • Identity: sign-in risk signals and session revocation events.
  • Detection engineering notes
    • Focus on mismatched authentication patterns: high-privilege account authenticating from a workstation, sudden NTLM spikes, or “credential use without interactive login history”.
  • Containment (first 30 minutes)
    • Rotate compromised credentials, purge Kerberos tickets where feasible, and revoke cloud sessions/tokens for impacted identities (Microsoft token theft playbook).

Module 5: Active Directory discovery and privilege pathing (BloodHound-style)

  • ATT&CK mapping
    • T1087.002 (Domain Account Discovery), T1069.002 (Domain Groups Discovery), T1018 (Remote System Discovery), T1482 (Domain Trust Discovery)
  • Preconditions
    • Any domain-authenticated session.
  • How it is executed
    • Attackers enumerate group membership, ACLs, trusts, session locations, and delegation paths to identify the shortest route to Tier 0. SpecterOps explicitly describes how defenders can use BloodHound to identify and remove attack paths before attackers exploit them (BloodHound versus Ransomware).
  • Windows, Linux, cloud variants
  • Telemetry to collect
    • LDAP query volume baselines; process execution for known collectors; DC security logs; Graph API activity logs where enabled.
  • Detection engineering notes
    • High-signal: burst LDAP enumeration from a workstation, SharpHound execution, or AzureHound-driven Graph enumeration patterns.
  • Containment (first 30 minutes)
    • Isolate the collector host, lock down the enumerating account, and prioritise Tier 0 monitoring for follow-on actions (DCSync attempts, GPO edits, admin group changes).

Module 6: AD CS abuse and certificate-based lateral movement

  • ATT&CK mapping
    • T1649 (Steal or Forge Authentication Certificates)
  • Preconditions
    • Misconfigured templates, enrolment rights, or CA compromise; commonly appears in mature AD environments with complex certificate deployments.
  • How it is executed
    • Attackers request or forge certificates that enable authentication as privileged principals. AD CS abuse is widely documented in defensive hardening guidance, including template hardening and monitoring recommendations (NCC Group AD CS hardening guide).
  • Windows, Linux, cloud variants
    • Windows-centric for AD CS; certificates can also support cloud auth paths where federation or certificate auth is in use.
  • Telemetry to collect
    • CA issuance logs (Security 4886 request received, 4887 request approved and certificate issued, 4888 request denied; 4899/4900 for template changes), certificate request events, PKINIT authentication (4768 with certificate information populated), and privileged logons using certificate-based auth.
  • Detection engineering notes
    • High-signal: certificate issuance for privileged accounts outside expected workflows, templates allowing client auth with risky subject/SAN controls.
  • Containment (first 30 minutes)
    • Revoke suspicious certificates, freeze template changes, and restrict CA admin access to Tier 0 jump hosts.

Module 7: Group Policy abuse and domain-wide tasking

  • ATT&CK mapping
    • T1484.001 (Group Policy Modification), commonly paired with T1053.005 (Scheduled Task) and T1562.001 (Disable or Modify Tools)
  • Preconditions
    • Domain Admin or delegated GPO edit rights.
  • How it is executed
    • Operators modify GPOs to deploy payloads, disable security controls, or create startup scripts and scheduled tasks for scale.
  • Telemetry to collect
    • DC events for directory object modifications, SYSVOL file change monitoring, GPO operational logs.
  • Detection engineering notes
    • High-signal: GPO edits outside approved change windows, especially script deployment or security setting changes that affect endpoint protections.
  • Containment (first 30 minutes)
    • Revert malicious GPO changes, force gpupdate to pull clean policy, and restrict GPO edit rights to minimal tiered admins.

Module 8: RMM and enterprise management tooling abuse

  • ATT&CK mapping
    • T1219 (Remote Access Software)
  • Preconditions
    • Ability to install an agent, or access to an existing RMM platform (compromised server, stolen creds, or supplier compromise).
  • How it is executed
    • Attackers use legitimate RMM features (remote shell, file transfer, mass deployment) to blend with IT workflows. Sophos’ DragonForce analysis illustrates how RMM compromise can lead directly to cross-customer actions (Sophos on DragonForce targeting SimpleHelp RMM).
  • Telemetry to collect
    • RMM audit logs (operator identity, target lists, commands), endpoint process creation for RMM tooling, network egress to RMM infrastructure.
  • Detection engineering notes
    • High-signal: unapproved RMM tool installation, multiple RMM tools on one host, or mass “run command” actions outside normal IT windows.
  • Containment (first 30 minutes)
    • Disable affected RMM accounts, revoke agent tokens, isolate the RMM server if compromise suspected, and block RMM egress domains for unapproved tools.

Module 9: Cloud and identity lateral movement (Entra ID, AWS, GCP)

  • ATT&CK mapping
    • Entra/Azure: T1078.004 (Cloud Accounts), T1528 (Steal Application Access Token), T1098.003 (Additional Cloud Roles)
    • Cloud token use: T1550.001 (Application Access Token)
  • Preconditions
    • Compromised user sessions, refresh tokens, service principal secrets/certs, or cloud credentials.
  • How it is executed
  • Telemetry to collect
    • Entra: sign-in logs, audit logs, Graph activity logs where possible, PIM audit.
    • AWS: CloudTrail management events, SSM StartSession/SendCommand trails.
    • GCP: Admin Activity logs (always enabled) and Data Access logs where needed (Google Cloud audit logging best practices).
  • Detection engineering notes
    • High-signal: new privileged app consent, new service principal credential, suspicious role assignments, or abnormal Graph enumeration patterns.
    • For AWS: unusual AssumeRole chaining and SSM usage from identities that rarely use admin APIs.
    • For GCP: sudden key creation, IAM binding changes, and cross-project access spikes.
  • Containment (first 30 minutes)
    • Revoke tokens/sessions, rotate secrets/keys/certs, and temporarily restrict admin actions via conditional access or break-glass policy, aligned to your environment.
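
The AWS note above (AssumeRole chaining and SSM use from identities that rarely touch admin APIs), as an added example that is not code from the original report. It reads a CloudTrail file, flags AssumeRole calls whose caller is already an assumed-role session, and flags SSM SendCommand/StartSession from any session issuer outside an admin baseline. The records follow the real CloudTrail field names, but the account ID, role ARNs, baseline and events are constructed.

```python
"""Added example: two CloudTrail checks for cloud lateral movement: role
chaining (AssumeRole from an already-assumed role) and SSM admin APIs used by a
session issuer outside the admin baseline. Records are constructed but use
real CloudTrail field names; ARNs, account ID and baseline are hypothetical."""
import json

ADMIN_APIS = {("ssm.amazonaws.com", "SendCommand"), ("ssm.amazonaws.com", "StartSession")}
# Assumed 90-day baseline of session-issuer ARNs that normally call admin APIs.
ADMIN_BASELINE = {"arn:aws:iam::123456789012:role/PatchAutomation"}
ACCOUNT = "123456789012"


def _rec(time, source, name, identity, params=None, ip="198.51.100.23"):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "requestParameters": params or {},
            "sourceIPAddress": ip}


def _assumed(role, session):
    # userIdentity block CloudTrail writes for an assumed-role session
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role}/{session}",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT}:role/{role}"}}}


# Constructed CloudTrail records, serialised as they would sit in the S3 trail.
TRAIL = json.dumps({"Records": [
    _rec("2026-02-27T12:00:00Z", "sts.amazonaws.com", "AssumeRole",
         {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/dev-alice"},
         {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/AppDeploy"}),
    _rec("2026-02-27T12:01:10Z", "sts.amazonaws.com", "AssumeRole",
         _assumed("AppDeploy", "s1"),
         {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/OrgAdmin"}),
    _rec("2026-02-27T12:02:30Z", "ssm.amazonaws.com", "SendCommand",
         _assumed("OrgAdmin", "s2"),
         {"documentName": "AWS-RunShellScript",
          "targets": [{"Key": "tag:Tier", "Values": ["app"]}]}),
    _rec("2026-02-27T12:03:00Z", "ssm.amazonaws.com", "SendCommand",
         _assumed("PatchAutomation", "s3"),
         {"documentName": "AWS-RunPatchBaseline"}),
]})


def issuer_of(identity):
    """Principal the session was issued for: the role ARN for AssumedRole
    sessions, otherwise the caller ARN itself."""
    if identity.get("type") == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["arn"]
    return identity.get("arn")


def analyse(trail_json, baseline=ADMIN_BASELINE):
    alerts = []
    for r in json.loads(trail_json)["Records"]:
        ident = r["userIdentity"]
        issuer = issuer_of(ident)
        key = (r["eventSource"], r["eventName"])
        # Role chaining: AssumeRole invoked from an already-assumed role session.
        if key == ("sts.amazonaws.com", "AssumeRole") and ident.get("type") == "AssumedRole":
            alerts.append({"kind": "role_chaining", "time": r["eventTime"],
                           "from": issuer, "to": r["requestParameters"]["roleArn"],
                           "ip": r["sourceIPAddress"]})
        # Remote execution API from an issuer that does not normally use it.
        if key in ADMIN_APIS and issuer not in baseline:
            alerts.append({"kind": "unusual_admin_api", "time": r["eventTime"],
                           "by": issuer, "api": r["eventName"],
                           "document": r["requestParameters"].get("documentName"),
                           "ip": r["sourceIPAddress"]})
    return alerts


if __name__ == "__main__":
    for a in analyse(TRAIL):
        print("ALERT", a)
```

Keying the baseline on the session issuer rather than the session ARN matters: session names are attacker-chosen and change every call, the issuing role does not. The PatchAutomation SendCommand is suppressed by the baseline; the dev-alice to AppDeploy to OrgAdmin chain and the shell script pushed by OrgAdmin both surface.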

Module 10: Virtualisation and backup platform pivoting

  • ATT&CK mapping
    • T1490 (Inhibit System Recovery), plus Remote Services under T1021
  • Preconditions
    • Access to hypervisor management (vCenter/ESXi) or backup consoles.
  • How it is executed
    • Operators target recovery systems to maximise extortion leverage by disabling backup jobs, deleting snapshots, or encrypting VMs.
  • Telemetry to collect
    • vCenter/ESXi auth logs, backup console audit logs (job deletion, retention change), admin API access records.
  • Detection engineering notes
    • High-signal: backup job deletion outside change window, enabling ESXi SSH/shell, vCenter logins from non-admin segments.
  • Containment (first 30 minutes)
    • Isolate management networks, enforce MFA for management consoles, lock down destructive backup operations to break-glass workflows, and preserve console audit data.

Module 11: Network device pivoting and boundary bridging (firewall/VPN admin plane compromise)

  • ATT&CK mapping
    • T1599 (Network Boundary Bridging), often paired with T1190 (Exploit Public-Facing Application)
  • Preconditions
    • Administrative control of a network device (credential theft or exploited management plane).
  • How it is executed
    • Attackers modify routes, ACLs, NAT, and VPN configuration to create new east-west reachability that bypasses segmentation assumptions.
  • Telemetry to collect
    • Device admin logins, configuration change logs, AAA/TACACS+/RADIUS logs, NetFlow for new internal paths.
  • Detection engineering notes
    • High-signal: config change outside window that increases internal reachability, disables inspection, or creates new VPN peers.
  • Containment (first 30 minutes)
    • Restore known-good config, rotate device credentials, isolate device management plane, and validate segmentation controls by active reachability tests.

Module 12: Data staging and exfiltration positioning that doubles as lateral movement

  • ATT&CK mapping
    • T1074 (Data Staged), T1567 (Exfiltration Over Web Service), T1570 (Lateral Tool Transfer)
  • Preconditions
    • Access to file shares, object storage, or sync tooling; often follows privilege escalation and credential replay.
  • How it is executed
    • Operators centralise data on shares or cloud storage, then exfiltrate. Staging requires cross-segment access patterns that often look like lateral movement.
  • Telemetry to collect
    • File share auditing, cloud storage audit logs, proxy logs for bulk uploads, DNS logs for sync tooling domains.
  • Detection engineering notes
    • High-signal: a single identity accessing many shares rapidly, spikes in archive tooling referencing UNC paths, or sudden bulk cloud uploads from servers that rarely egress.
  • Containment (first 30 minutes)
    • Block suspected exfil destinations at proxy/SWG, restrict share access, and isolate staging hosts while preserving evidence.

Module 13: Hybrid identity movement via Intune and cloud management planes (MDM as a movement channel)

  • ATT&CK mapping
    • T1078.004 (Cloud Accounts); T1219 (Remote Access Software) in effect, since MDM script and app push acts as a remote-execution channel; T1098.001 (Additional Cloud Credentials) where service principal credentials are added
  • Preconditions
    • Compromised Entra service principal with high Intune permissions, or compromised MDM admin.
  • How it is executed
    • Adversaries abuse Intune permissions to push scripts or configurations that execute with high privilege on managed devices, creating a scalable lateral movement mechanism that looks like legitimate device management. This is explicitly documented by Google Cloud/Mandiant as an abuse path in Entra ID native environments (Abusing Intune permissions in Entra ID environments).
  • Telemetry to collect
    • Intune/MDM audit logs, Entra audit logs for service principal changes, endpoint process execution correlated to management push events.
  • Detection engineering notes
    • High-signal: creation/modification of management scripts by unusual service principals, script deployment to atypical device groups, and subsequent privileged cloud sign-ins from newly managed endpoints.
  • Containment (first 30 minutes)
    • Disable the implicated service principal, rotate its credentials, halt active deployments, and isolate newly enrolled or recently targeted endpoints.

Supply-Chain and Cloud Vendor Scenarios (2026 Playbooks)

Each scenario below is expressed as an attack chain (8–12 steps), followed by an ATT&CK lifecycle table and five defender breakpoints.

Scenario 1: Software supply chain compromise leading to downstream customer lateral movement

Attack chain (example sequence)

  1. Attacker compromises vendor build environment or release pipeline.
  2. Trojanised update is signed/distributed through normal channel.
  3. Customer auto-deploys update to application tier.
  4. Backdoor establishes persistence and collects credentials/tokens.
  5. AD discovery and privilege pathing identify admin routes.
  6. Credential replay used to access admin shares.
  7. Service execution and scheduled tasks distribute payload.
  8. Backup consoles and hypervisors targeted.
  9. Data staged to shares/object storage.
  10. Encryption and extortion executed.

ATT&CK lifecycle mapping

Tactic | Technique ID | Technique name | Observed behaviour
Initial Access | T1195.002 | Compromise Software Supply Chain | Trojanised software update distributed via trusted channel
Execution | T1059 | Command and Scripting Interpreter | Backdoor executes discovery and tooling
Persistence | T1543.003 | Windows Service | Backdoor service installed on application servers
Discovery | T1087.002 | Domain Account Discovery | AD enumeration for privileged identities
Lateral Movement | T1021.002 | SMB/Windows Admin Shares | Tool staging and execution support
Execution | T1569.002 | Service Execution | PsExec-like fan-out
Impact | T1490 | Inhibit System Recovery | Backup sabotage to maximise leverage
Impact | T1486 | Data Encrypted for Impact | Ransomware deployment

Defender breakpoints (stop points)

  1. Build integrity and provenance: adopt secure build principles aligned to UK guidance (separation, signing, approval controls) (UK Software Security Code of Practice).
  2. Update deployment monitoring: detect abnormal post-update child process execution on app servers.
  3. Privileged identity monitoring: alert on first-time admin protocol use after service deployment.
  4. SMB/service execution correlation: detect admin share writes plus rapid service creation across hosts.
  5. Recovery-plane alerting: treat backup job deletion and hypervisor admin login anomalies as ransomware-prep.

Scenario 2: Cloud/SaaS identity compromise enabling tenant-wide movement

Attack chain (example sequence)

  1. Adversary obtains cloud admin session via phishing/token theft.
  2. OAuth app consent or app registration creates durable access.
  3. Service principal credentials added or rotated by attacker.
  4. Graph/API enumeration maps privilege relationships (AzureHound).
  5. Roles assigned or elevated to reach high-impact permissions.
  6. Data accessed from SaaS storage and mail.
  7. On-prem pivot via sync/connectors or stolen VPN creds.
  8. Remote services used to reach Tier 0 and backup platforms.
  9. Recovery controls sabotaged in cloud and on-prem.
  10. Extortion executed via encryption and/or destructive cloud actions.

ATT&CK lifecycle mapping

Tactic | Technique ID | Technique name | Observed behaviour
Initial Access | T1078.004 | Valid Accounts: Cloud Accounts | Compromised admin session to tenant
Persistence | T1098.003 | Additional Cloud Roles | Role assignment changes for persistence
Credential Access | T1528 | Steal Application Access Token | Token theft enabling replay
Discovery | T1087.004 | Cloud Account Discovery | Enumeration of cloud identities and relationships
Discovery | T1580 | Cloud Infrastructure Discovery | Resource and subscription discovery
Lateral Movement | T1550.001 | Application Access Token | Token replay for API-driven movement
Collection | T1530 | Data from Cloud Storage | Bulk access to cloud storage
Impact | T1490 | Inhibit System Recovery | Snapshot/backup deletion and recovery sabotage

Defender breakpoints

  1. Phishing-resistant MFA for privileged roles and strict conditional access (Microsoft Entra token protection).
  2. Restrict OAuth consent to admin-only and alert on high-privilege consent grants.
  3. Monitor Graph enumeration and AzureHound-like patterns (Unit 42 on AzureHound misuse).
  4. Treat sync infrastructure as Tier 0, aligned to CISA hybrid identity guidance (CISA HISG).
  5. Lock down destructive recovery actions with break-glass workflows and alerting.

Scenario 3: MSP/RMM compromise enabling cross-customer lateral movement

Attack chain (example sequence)

  1. Threat actor compromises MSP credentials or RMM server.
  2. Attacker uses RMM remote shell/file transfer to deploy tooling.
  3. EDR/AV is disabled via scripts where possible.
  4. Discovery executed across customer estates from RMM vantage.
  5. Credential replay used inside each customer.
  6. Remote services used to expand to servers and identity.
  7. Backup/hypervisor targeting begins.
  8. Payload distributed broadly via RMM tasks.
  9. Coordinated detonation.
  10. Extortion and negotiation operations begin.

ATT&CK lifecycle mapping

Tactic | Technique ID | Technique name | Observed behaviour
Initial Access | T1199 | Trusted Relationship | MSP tooling used as inherited access
Command and Control | T1219 | Remote Access Software | RMM remote shell and deployment
Defence Evasion | T1562.001 | Disable or Modify Tools | Security tooling disabled via admin scripts
Lateral Movement | T1570 | Lateral Tool Transfer | Tooling staged to multiple endpoints
Execution | T1569.002 | Service Execution | Remote execution inside customer networks
Impact | T1486 | Data Encrypted for Impact | Multi-customer ransomware detonation

Defender breakpoints

  1. Customer-side visibility into MSP actions: full audit of MSP sessions and approvals.
  2. RMM allow-listing: alert on any additional remote access tooling beyond approved tools.
  3. EDR independence: ensure EDR cannot be disabled via RMM policy or scripts.
  4. Segmentation that limits RMM agent lateral reach: prevent agents from becoming east-west pivots.
  5. Immutable/offline backups inaccessible via MSP credentials.

Detection and Monitoring

A) Telemetry priority matrix

Retention recommendations below are defender guidance. Where vendors publish default retention or storage constraints, those are cited.

Environment | Log source | Why it matters | Common gaps | Recommended retention
Windows | Security Event Log (logon, privilege use, service/task creation) + Sysmon (process, network, file/registry, WMI) | Core signals for remote services, service creation, credential replay indicators, WMI | Audit policy not enabled, inconsistent forwarding, Sysmon absent or untuned | 12 months (hot 90 days)
Linux | auth logs + auditd + systemd journal | SSH lateral movement, sudo escalation, cron/systemd persistence | auditd not deployed, inconsistent centralisation | 12 months (hot 90 days)
Network | Firewall/NetFlow/east-west flow logs | Detect workstation-to-workstation SMB/RDP/WinRM and new internal paths | Only north-south visibility; east-west blind spots | 6–12 months
Entra ID | Sign-in logs + Audit logs | Identity-driven cloud lateral movement, OAuth abuse, role changes | Not exported; retention too short in-portal | Export to SIEM and retain 12 months; default retention varies by licence (Microsoft Entra data retention)
Microsoft Purview Audit | Unified audit log for M365 actions | Mailbox access, file access, admin actions across M365 | Not enabled or not integrated | At least 12 months; default retention depends on licence and audit configuration (Purview audit retention policies)
AWS | CloudTrail (management + selected data events), GuardDuty, SSM logs | Role assumption chains, API-driven lateral movement, SSM command execution | Only event history used; trails not centralised | Retain 12 months in S3/Lake; event history is 90 days (CloudTrail event history retention)
GCP | Cloud Audit Logs (Admin Activity + Data Access as needed) | IAM changes, service account key creation, project pivoting | Data Access logs disabled by default | Admin Activity retained ~400 days by default; export and retain 12+ months (GCP audit logging retention guidance)
SaaS | App-specific audit logs (M365, Salesforce, Okta, etc.) | SaaS lateral movement, API key abuse, admin role changes | Not centralised; short default retention | 6–12 months (export for longer where needed)
Google Workspace (if applicable) | Admin/audit log events | SSO/OAuth changes, user sign-ins, data access | Default retention often 6 months unless exported | Export and retain 12 months; default is generally 6 months (Google Workspace retention)

B) High-signal detection ideas

Use these as vendor-agnostic analytics patterns; translate to your SIEM/EDR query language. Where appropriate, examples are provided.

Detection idea | Data required | Query logic (pseudocode, optional examples) | Triage notes | Likely false positives
Workstation-to-workstation SMB | NetFlow/firewall, endpoint network telemetry | src in workstation_range AND dst in workstation_range AND dst_port=445 | Investigate source host for tool staging and credential replay | Legacy peer file sharing
RDP from non-jump sources | Windows 4624 LogonType 10 | EventID=4624 AND LogonType=10 AND src_host NOT IN jump_hosts | Validate source endpoint and user intent | IT staff using non-standard devices
Rapid service creation fan-out | Windows 7045/4697 | count(distinct target_host) > N in 10m by same account | Strong PsExec-style indicator | Software deployment tools
Scheduled task spray | Windows 4698 | same account created tasks on >N hosts in 10m | Check task command lines and targets | Endpoint management workflows
WMI remote execution from workstation | WMI logs + process lineage | wmiprvse children in (cmd,powershell) AND origin_host in workstation_range | Correlate with prior credential access | SCCM inventory
New OAuth consent + immediate API burst | Entra Audit + Graph/API logs | ConsentGranted AND within 15m (high_volume_graph_calls OR mailbox/file access spike) | Validate app publisher, permissions, and consentor | Legitimate app onboarding
AzureHound-style enumeration | Graph activity logs + process telemetry | graph_calls pattern indicates broad directory/resource enumeration OR process name matches known collectors | High priority; validate pentest | Red team activity
AWS AssumeRole chaining anomaly | CloudTrail | AssumeRole chain length > 2 OR unusual role paths for identity | Validate automation vs interactive abuse | Complex CI/CD roles
GCP service account key creation + new geo | GCP Audit logs | CreateServiceAccountKey AND sign-in from new IP/geo AND new project access | Confirm key rotation processes | Legitimate key rotation
Backup sabotage | Backup console logs | job deletion/retention change outside window OR mass repository deletion | Treat as imminent impact | Emergency maintenance
Edge admin login + internal pivot | VPN/firewall logs + east-west flows | edge_admin_auth_success AND within 10m internal_conn to 445/3389/5985 | Validate admin change request | Admins responding to incident
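The "New OAuth consent + immediate API burst" row above is a two-stream temporal join rather than a single-table filter, so it is worth showing end to end. The block below is an added example and not code from the original article: it joins a consent event to the subsequent Graph calls of the same service principal within 15 minutes and alerts on either volume or mailbox/file access. The field names (ts, operation, sp_id, app_name, consented_by, admin_consent, request_uri) are an assumed normalisation, not the exact Entra audit or Microsoft Graph activity log column names, and the sample data is constructed.

```python
"""Correlate an OAuth consent grant with an immediate burst of Graph API calls.

Added example, not code from the original article. Field names are an assumed
normalised schema; the sample audit and Graph records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 50              # Graph calls by one service principal inside WINDOW
# URI fragments that indicate mailbox or file access: the data an intruder wants first.
SENSITIVE_PATHS = ("/messages", "/mailfolders", "/drive", "/drives", "/sites")


def correlate_consent_bursts(audit_events, graph_events, window=WINDOW, burst=BURST_THRESHOLD):
    """Return one alert per consent that is followed, within `window`, by either
    more than `burst` Graph calls or any mailbox/file access by the consented app."""
    calls_by_sp = defaultdict(list)
    for g in graph_events:
        calls_by_sp[g["sp_id"]].append(g)
    for calls in calls_by_sp.values():
        calls.sort(key=lambda g: g["ts"])

    alerts = []
    for a in audit_events:
        if a["operation"] != "Consent to application":
            continue
        start, end = a["ts"], a["ts"] + window
        after = [g for g in calls_by_sp.get(a["sp_id"], []) if start <= g["ts"] <= end]
        sensitive = [g for g in after
                     if any(p in g["request_uri"].lower() for p in SENSITIVE_PATHS)]
        # Mailbox/file reads straight after consent are worth review even at low volume.
        if len(after) >= burst or sensitive:
            alerts.append({
                "app_name": a["app_name"],
                "sp_id": a["sp_id"],
                "consented_by": a["consented_by"],
                "admin_consent": a["admin_consent"],
                "calls_in_window": len(after),
                "sensitive_calls": len(sensitive),
                "first_call_delay_s": int((after[0]["ts"] - start).total_seconds()) if after else None,
            })
    return alerts


def sample_logs():
    """Constructed data: one abusive consent, one benign admin-consented onboarding."""
    t0 = datetime(2026, 2, 27, 10, 0, 0)
    audit = [
        {"ts": t0, "operation": "Consent to application", "app_name": "Invoice Sync",
         "sp_id": "sp-0001", "consented_by": "m.lee@example.com", "admin_consent": False},
        {"ts": t0 + timedelta(hours=1), "operation": "Consent to application",
         "app_name": "HR Connector", "sp_id": "sp-0002",
         "consented_by": "admin@example.com", "admin_consent": True},
        {"ts": t0 + timedelta(hours=2), "operation": "Add user", "app_name": "",
         "sp_id": "", "consented_by": "admin@example.com", "admin_consent": False},
    ]
    graph = []
    # 120 mailbox reads across 30 users, starting 40 s after consent, two seconds apart.
    for n in range(120):
        graph.append({"ts": t0 + timedelta(seconds=40 + 2 * n), "sp_id": "sp-0001",
                      "request_uri": f"https://graph.microsoft.com/v1.0/users/user{n % 30}/messages",
                      "status": 200})
    # Normal onboarding traffic for the admin-consented app: three directory reads.
    for n in range(3):
        graph.append({"ts": t0 + timedelta(hours=1, minutes=n), "sp_id": "sp-0002",
                      "request_uri": "https://graph.microsoft.com/v1.0/users", "status": 200})
    # A service principal with no consent event in any window is not correlated.
    graph.append({"ts": t0 + timedelta(minutes=5), "sp_id": "sp-0003",
                  "request_uri": "https://graph.microsoft.com/v1.0/me/drive/root/children",
                  "status": 200})
    return audit, graph


if __name__ == "__main__":
    for alert in correlate_consent_bursts(*sample_logs()):
        print(alert)
```

Triage from the alert fields follows the table's note: a user-granted (not admin) consent, a short delay to first call, and sensitive calls that cover many users is the profile of a consent-phishing pivot, while an admin-consented app with a handful of directory reads is onboarding.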

Example KQL (Sentinel) for anomalous RDP (adjust fields to your schema)

// Interactive RDP logons (LogonType 10) whose client is not an approved jump host.
// WorkstationName is supplied by the client and can be blank or spoofed, so keep IpAddress
// in the output and cross-check it against the jump-host address list.
let JumpHosts = dynamic(["JUMP01", "JUMP02"]);
SecurityEvent
| where EventID == 4624 and LogonType == 10
| where WorkstationName !in~ (JumpHosts)
| summarize Attempts=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated)
    by Account, IpAddress, WorkstationName, Computer, bin(TimeGenerated, 1h)
| where Attempts > 1   // a single logon from a non-jump source still merits a low-severity alert
| order by Attempts desc

Example Splunk SPL for rapid service creation fan-out

Bin the timestamp before aggregating; grouping by the raw _time field puts every event in its own group and the threshold never fires. Two caveats: the 10-minute bin is a tumbling window, so a burst that straddles a bin boundary can split, and 7045 (System log) only carries the installing account in the event header, whereas 4697 (Security log, "Audit Security System Extension" subcategory) records the subject account explicitly, so expect some 7045 rows with an empty or SYSTEM user.

index=wineventlog ((sourcetype="WinEventLog:System" EventCode=7045) OR (sourcetype="WinEventLog:Security" EventCode=4697))
| eval dest=coalesce(dest, host)
| bin _time span=10m
| stats dc(dest) AS target_count, values(dest) AS targets, values(Service_Name) AS services BY user, _time
| where target_count > 3
| sort - target_count
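The fan-out analytic (table rows "Rapid service creation fan-out" and "Scheduled task spray", and the SPL above) can be run as a true sliding window outside the SIEM, which avoids the tumbling-bin split and makes the logic testable against replayed events. The block below is an added example and not code from the original article: it groups 7045/4697 and 4698 events per account, slides a 10-minute window over each account's events and emits one alert per burst with the full host set. The field names (ts, event_id, host, account, name) are an assumed normalisation and the sample events are constructed; PSEXESVC is the service name PsExec installs by default.

```python
"""Sliding-window fan-out detector for remote service and scheduled task creation.

Added example, not code from the original article. Field names are an assumed
normalisation of Windows 7045/4697/4698 events; the sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 3                      # alert when distinct hosts > threshold
KINDS = {7045: "service", 4697: "service", 4698: "task"}


def detect_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return one alert per burst in which a single account created services or
    scheduled tasks on more than `threshold` distinct hosts inside a sliding `window`."""
    by_key = defaultdict(list)
    for e in events:
        kind = KINDS.get(e["event_id"])
        if kind is None:
            continue
        by_key[(e["account"].lower(), kind)].append(
            (e["ts"], e["host"].lower(), e.get("name", "")))

    alerts = []
    for (account, kind), rows in by_key.items():
        rows.sort()                            # by timestamp, then host
        i = 0
        while i < len(rows):
            start = rows[i][0]
            j = i
            while j < len(rows) and rows[j][0] - start <= window:
                j += 1                         # j now bounds the window starting at rows[i]
            hosts = sorted({h for _, h, _ in rows[i:j]})
            if len(hosts) > threshold:
                alerts.append({
                    "account": account,
                    "kind": kind,
                    "first_seen": start,
                    "last_seen": rows[j - 1][0],
                    "hosts": hosts,
                    "names": sorted({n for _, _, n in rows[i:j]}),
                })
                i = j                          # skip the burst: one alert, not one per host
            else:
                i += 1
    return alerts


def sample_events():
    """Constructed events: one PsExec-style burst, one slow legitimate deployment."""
    t0 = datetime(2026, 2, 27, 9, 0, 0)
    ev = []
    # A user account installs PSEXESVC on five workstations within four minutes.
    for n in range(5):
        ev.append({"ts": t0 + timedelta(minutes=n), "event_id": 7045,
                   "host": f"WS{n + 1:02d}", "account": "CORP\\jsmith", "name": "PSEXESVC"})
    # A deployment account installs an agent on ten servers, one every 15 minutes.
    for n in range(10):
        ev.append({"ts": t0 + timedelta(minutes=15 * n), "event_id": 7045,
                   "host": f"SRV{n + 1:02d}", "account": "CORP\\svc_deploy", "name": "ccmsetup"})
    # The same user creates two scheduled tasks: below the threshold, no alert.
    for n, host in enumerate(("WS06", "WS07")):
        ev.append({"ts": t0 + timedelta(minutes=30 + n), "event_id": 4698,
                   "host": host, "account": "CORP\\jsmith", "name": "\\Microsoft\\Windows\\Sync"})
    return ev


if __name__ == "__main__":
    for alert in detect_fanout(sample_events()):
        print(alert)
```

The deployment account never trips the rule because no 10-minute window ever contains more than one of its hosts, which is the point of keying on a time window rather than on a daily count; raise the threshold or allow-list the account if your software deployment tool legitimately fans out faster than that.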

C) Behavioural IOCs and hunt pivots (defender IOC table)

This table deliberately focuses on behavioural and artefact-based observables that commonly appear during lateral movement. These are not campaign-unique IOCs.

Type | Value | Context/Notes | Source
Windows Event | 7045 / 4697 | New service install: correlate with remote admin share writes and multi-host bursts | T1569.002
Windows Event | 4698 | New scheduled task: high-signal when created remotely across many hosts | T1053.005
Windows Event | 4624 (Type 10) | RDP sessions: alert when source is not an approved jump host | T1021.001
Windows Event | 5145 | SMB share access: focus on ADMIN$ and unusual share write patterns | T1021.002
Process lineage | wmiprvse.exe spawning cmd/powershell | Strong WMI execution indicator when originating from non-management hosts | T1047
Entra Audit | Consent to application | OAuth consent abuse pivot for durable access | Token theft playbook
Cloud audit | Key/secret creation (SP, IAM key, SA key) | Lateral movement via non-human identity persistence | T1098.001 (Additional Cloud Credentials)
Backup telemetry | Job deletions/immutability disable attempts | Often a precursor to encryption; prioritise as "impact imminent" | T1490

D) Rule references (public)

E) Threat intelligence monitoring and early warning (operationalising CTI)

CTI is most valuable when it changes what you monitor and how you respond. As an example provider, Intel 471 publishes research on how initial access offers correlate to ransomware outcomes and highlights the operational risk posed by advertised access (Intel 471 on initial access offers and ransomware, Intel 471 ransomware incidents whitepaper landing page).

What to monitor (practical CTI inputs)

  • Access broker listings: advertised VPN/RDP/portal access, especially with domain hints, geography, and stated revenue bands.
  • Credential dumps and infostealer logs: corporate domains, SSO cookies, session tokens, and hostnames that match your fleet.
  • Ransomware operator chatter: recruitment, tooling discussions, targeting preferences, and mentions of specific perimeter products.
  • Exploit and vulnerability trends: prioritise patching and monitoring for KEV-listed and widely exploited edge CVEs (CISA KEV catalogue).

How to operationalise (no vendor lock-in)

  • Ingest CTI into SIEM/SOAR, map to assets (identity, VPN endpoints, remote access infra), and automatically raise investigation tasks when broker-style indicators overlap with your environment (for example, VPN portal names, exposed management ports, or recently observed anomalous sign-ins).
  • Convert CTI into detection work: if access offers mention “VPN creds”, elevate monitoring for “VPN auth → first-time admin protocol” correlation; if offers mention “tenant admin”, elevate monitoring for app consent, role grants, and service principal credential creation.
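The two bullets above describe a matching step (CTI record against asset inventory) and a prioritisation step (what kind of overlap deserves an investigation task). The block below is an added example and not code from the original article: it normalises URL hosts, account domains and device names from constructed broker listings and infostealer-log records, matches them against a constructed inventory for example.com, and raises prioritised tasks with kind-specific actions. The record shape (source, kind, url, username, hostname, text), the inventory and the P1/P2/P3 scheme are all assumptions.

```python
"""Match broker-style CTI records against an asset inventory and raise tasks.

Added example, not code from the original article. The fleet inventory, the
CTI records and the priority scheme are constructed; the record shape is an
assumed normalisation of what a CTI feed or stealer-log parser would emit.
"""
import re
from urllib.parse import urlsplit

FLEET = {                                   # constructed inventory for example.com
    "domains": {"example.com", "example.co.uk"},
    "portals": {"vpn.example.com", "sso.example.com", "remote.example.co.uk"},
    "hostname_re": re.compile(r"^EX-(LT|WS|SRV)-\d{4}$", re.IGNORECASE),
}
ACTIONS = {
    "stealer_log": ["reset password", "revoke sessions and refresh tokens",
                    "search portal and SSO auth logs for the username"],
    "broker_listing": ["review edge-device admin logons", "confirm MFA on every exposed portal",
                       "hunt for VPN auth followed by first-time admin protocol use"],
}


def _url_host(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def _in_domains(name, domains):
    """True when `name` equals an owned domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def match_indicator(rec, fleet=FLEET):
    """Return (priority, reasons) or None when the record does not overlap the fleet."""
    reasons = []
    host = _url_host(rec.get("url", ""))
    if host in fleet["portals"]:
        reasons.append(f"credential captured on owned portal {host}")
    elif host and _in_domains(host, fleet["domains"]):
        reasons.append(f"URL host {host} is in an owned domain")
    user = rec.get("username", "")
    if "@" in user and _in_domains(user.rsplit("@", 1)[1], fleet["domains"]):
        reasons.append(f"account {user} is in an owned mail domain")
    hostname = rec.get("hostname", "")
    if hostname and fleet["hostname_re"].match(hostname):
        reasons.append(f"device {hostname} matches the fleet naming standard")
    text = rec.get("text", "").lower()
    reasons += [f"listing text mentions {d}" for d in sorted(fleet["domains"]) if d in text]
    if not reasons:
        return None
    if user and any("portal" in r for r in reasons):
        priority = "P1"          # working credential for an owned remote-access portal
    elif rec["kind"] == "stealer_log":
        priority = "P2"          # captured credential or cookie for an owned identity/device
    else:
        priority = "P3"          # advertised access: verify, do not assume
    return priority, reasons


def raise_tasks(records, fleet=FLEET):
    """Investigation tasks for every record that overlaps the fleet, highest priority first."""
    tasks = []
    for rec in records:
        hit = match_indicator(rec, fleet)
        if hit:
            priority, reasons = hit
            tasks.append({"priority": priority, "source": rec["source"], "kind": rec["kind"],
                          "reasons": reasons, "actions": ACTIONS.get(rec["kind"], [])})
    return sorted(tasks, key=lambda t: t["priority"])


def sample_records():
    """Constructed CTI records: three overlap the fleet, two do not."""
    return [
        {"source": "stealer-feed", "kind": "stealer_log", "url": "https://vpn.example.com/remote/login",
         "username": "j.doe@example.com", "hostname": "EX-LT-0417"},
        {"source": "forum-scrape", "kind": "broker_listing",
         "text": "Selling VPN access, US manufacturing, revenue $300M, domain example.com"},
        {"source": "stealer-feed", "kind": "stealer_log", "url": "https://login.microsoftonline.com/",
         "username": "j.doe@example.com", "hostname": "DESKTOP-K3J2"},
        {"source": "stealer-feed", "kind": "stealer_log", "url": "https://shop.otherco.net/account",
         "username": "a.b@otherco.net", "hostname": "DESKTOP-Q9X1"},
        {"source": "forum-scrape", "kind": "broker_listing", "text": "Selling RDP, Brazil retail, 200 hosts"},
    ]


if __name__ == "__main__":
    for task in raise_tasks(sample_records()):
        print(task["priority"], task["kind"], task["reasons"])
```

Suffix matching on domains and a naming-standard regex on device names are what catch records whose text never names the company; the portal list is the highest-value input, because a stealer record for an owned VPN or SSO login page is the "arrives with working credentials" foothold described earlier in this page.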

Incident Response Guidance for Lateral Movement Containment

First 15 minutes checklist (containment-first)

  1. Identity containment
    • Disable or reset the accounts observed moving laterally and revoke their sessions and refresh tokens; a password reset alone does not invalidate stolen tokens.
  2. Stop the movement plane
    • Apply emergency segmentation: block SMB/RDP/WinRM/SSH between workstation subnets; restrict to jump hosts only.
  3. Isolate pivot hosts
    • Contain the first-moving hosts (often a workstation or management server) using EDR network containment or network controls.
  4. Protect recovery and control planes
    • Lock down backup consoles and hypervisor management networks; monitor for job deletions and admin logins.
  5. Preserve evidence before remediation
    • Capture volatile evidence on pivot hosts first, then collect logs centrally.

Evidence preservation checklist (volatile + non-volatile)

  • Volatile (collect first)
    • Memory capture, running processes, active network connections, logged-on users, command history.
  • Endpoint artefacts
    • Windows Event Logs, Sysmon logs, scheduled tasks, services, registry hives, prefetch, USN journal, SYSVOL change history.
  • Identity and cloud
    • Export Entra sign-in and audit logs before retention windows expire; preserve CloudTrail and GCP audit exports.
  • Network
    • Firewall, proxy, DNS logs; east-west flow summaries for 445/3389/5985/22; PCAP where feasible.

Domain controller and identity tiering response steps

  • Confirm whether DCs or Tier 0 identity systems were accessed (privileged logons, directory replication indicators, GPO edits).
  • Treat Entra Connect/identity sync infrastructure as Tier 0, consistent with hybrid identity guidance (CISA HISG).
  • If token theft is suspected, rotate credentials and revoke sessions; password reset alone may not end access (Protecting Tokens in Microsoft Entra ID).

Cloud/SaaS containment steps (token revocation, consent review, key rotation)

  • Revoke refresh tokens and sessions for impacted users.
  • Review and revoke suspicious OAuth consents and enterprise applications; rotate service principal secrets/certificates.
  • Apply emergency conditional access controls for privileged roles and risky sign-ins.
  • Rotate AWS access keys and investigate role assumption anomalies; validate SSM session activity (AWS Session Manager auditing).
  • Rotate and inventory GCP service account keys; monitor for new key creation and IAM binding changes (Google Cloud service account key guidance).
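The step "investigate role assumption anomalies" above, and the "AWS AssumeRole chaining anomaly" detection row earlier on this page, both need the chain reconstructed before a length can be compared with the > 2 threshold. The block below is an added example and not code from the original article: it reads CloudTrail records using the real record layout for AssumeRole* calls (userIdentity, requestParameters.roleArn, responseElements.assumedRoleUser.arn) and links each new STS session to the session that requested it. The account IDs, role names, session names and the OIDC subject are constructed; a production version would also key on sharedEventID and accessKeyId, which this subset omits.

```python
"""Reconstruct STS role-assumption chains from CloudTrail and flag deep chains.

Added example, not code from the original article. Uses the CloudTrail field
layout for AssumeRole* events; the accounts, roles and sessions are constructed.
"""
ASSUME_EVENTS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"}
MAX_DEPTH = 2                         # page's analytic: chain length > 2 is anomalous


def _account(arn):
    """Account id from an ARN; empty for non-ARN principals such as OIDC subjects."""
    return arn.split(":")[4] if arn.startswith("arn:") else ""


def build_chains(records):
    """Map every STS session ARN to its chain: depth, originating principal,
    ordered list of roles assumed, and whether the chain crossed accounts."""
    parents = {}                      # session ARN -> (caller principal, role ARN)
    for r in records:
        if r.get("eventName") not in ASSUME_EVENTS or r.get("errorCode"):
            continue                  # denied calls create no session
        ident = r["userIdentity"]
        caller = ident.get("arn") or ident.get("principalId", "")
        session = r["responseElements"]["assumedRoleUser"]["arn"]
        parents[session] = (caller, r["requestParameters"]["roleArn"])

    chains = {}
    for session in parents:
        path, seen, node = [], set(), session
        while node in parents and node not in seen:   # walk back until the caller is not a session we saw
            seen.add(node)
            caller, role = parents[node]
            path.append(role)
            node = caller
        path.reverse()
        accounts = {_account(role) for role in path} | ({_account(node)} - {""})
        chains[session] = {"depth": len(path), "origin": node, "path": path,
                           "cross_account": len(accounts) > 1}
    return chains


def anomalous_chains(records, max_depth=MAX_DEPTH):
    """Sessions whose chain is longer than `max_depth` hops."""
    return {s: c for s, c in build_chains(records).items() if c["depth"] > max_depth}


def sample_records():
    """Constructed CloudTrail records: a three-hop interactive chain into another
    account, a one-hop CI/CD assumption via OIDC, and a denied attempt."""
    acct, other = "111122223333", "999988887777"
    alice = f"arn:aws:iam::{acct}:user/alice"
    deploy_s = f"arn:aws:sts::{acct}:assumed-role/Deploy/alice"
    admin_s = f"arn:aws:sts::{acct}:assumed-role/Admin/hop2"
    audit_s = f"arn:aws:sts::{other}:assumed-role/AuditReadOnly/hop3"
    ci_s = f"arn:aws:sts::{acct}:assumed-role/GitHubDeploy/ci-run-42"

    def rec(name, caller, role, session):
        return {"eventName": name, "userIdentity": caller,
                "requestParameters": {"roleArn": role, "roleSessionName": session.rsplit("/", 1)[1]},
                "responseElements": {"assumedRoleUser": {"arn": session}}}

    return [
        rec("AssumeRole", {"type": "IAMUser", "arn": alice}, f"arn:aws:iam::{acct}:role/Deploy", deploy_s),
        rec("AssumeRole", {"type": "AssumedRole", "arn": deploy_s}, f"arn:aws:iam::{acct}:role/Admin", admin_s),
        rec("AssumeRole", {"type": "AssumedRole", "arn": admin_s}, f"arn:aws:iam::{other}:role/AuditReadOnly", audit_s),
        rec("AssumeRoleWithWebIdentity",
            {"type": "WebIdentityUser", "principalId": "token.actions.githubusercontent.com:repo:example/app"},
            f"arn:aws:iam::{acct}:role/GitHubDeploy", ci_s),
        {"eventName": "AssumeRole", "errorCode": "AccessDenied",
         "userIdentity": {"type": "AssumedRole", "arn": ci_s},
         "requestParameters": {"roleArn": f"arn:aws:iam::{acct}:role/Admin"}, "responseElements": None},
    ]


if __name__ == "__main__":
    for session, chain in anomalous_chains(sample_records()).items():
        print(session, chain)
```

The origin field is what makes the alert actionable: a three-hop chain that starts at a named IAM user and ends in another account is the interactive abuse the table's triage note warns about, whereas the same depth starting from a known CI/CD OIDC subject is the "complex CI/CD roles" false positive and can be allow-listed by origin.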

Ransomware staging indicators to look for (non-IOC, behavioural)

  • Bulk share enumeration and sudden multi-share reads by a single identity.
  • Bursts of service installs or scheduled task creation across hosts.
  • Backup job deletion, immutability disable attempts, snapshot deletions, hypervisor console access.
  • New OAuth app consent and immediate bulk mailbox/file access.

Mitigation Recommendations (Prioritised)

This Part 1 focuses on detection opportunities, but the mitigations below are framed as “break lateral movement quickly” controls with validation steps.

Identity hardening

  • What to do
    • Enforce phishing-resistant MFA for privileged roles; minimise standing privilege; restrict and monitor service principals and app consents.
  • Why it breaks lateral movement
    • Most movement in 2026 is authentication and authorisation misuse rather than exploitation; phishing-resistant MFA removes replayable factors, minimised standing privilege shrinks what a stolen session can reach, and consent/service-principal controls close the durable cloud-side pivot.
  • How to validate
    • Confirm privileged sign-ins use phishing-resistant methods; alert on privileged role assignment changes and new app consent grants.

Network segmentation and admin plane separation

  • What to do
    • Block workstation-to-workstation SMB/RDP/WinRM by default; enforce jump-host-only administration.
  • Why it breaks lateral movement
    • Directly interrupts the most common remote-services fan-out paths (T1021.002 SMB/admin shares, T1021.001 RDP, T1021.006 WinRM) by forcing all administrative traffic through monitored jump hosts.
  • How to validate
    • Run controlled reachability tests; continuously monitor east-west flows for prohibited protocols.

Endpoint hardening and remote management control

  • What to do
    • Allow-list approved RMM tools; alert on installation/use of unapproved remote access software.
  • Why it breaks lateral movement
    • The RMM channel is the attacker's execution and distribution path in Scenario 3 (remote shell, tool staging, broad task deployment); allow-listing removes unapproved channels outright and turns misuse of an approved tool into a detectable anomaly rather than background noise.
  • How to validate
    • Inventory RMM agents across endpoints; correlate RMM audit logs with endpoint process execution.

Perimeter and edge device hygiene

  • What to do
    • Remove management interfaces from internet exposure; prioritise patching of KEV-listed edge CVEs and enforce MFA for device admins.
  • Why it breaks lateral movement
    • Barracuda associates firewall compromise with the majority of ransomware incidents; Fortinet device exploitation continues to be documented and KEV-tracked (Barracuda findings, CISA KEV catalogue).
  • How to validate
    • External attack surface scans; device admin login allow-lists; patch compliance attestation for edge fleet.

Backup and recovery resilience

  • What to do
    • Implement immutable/offline backups and monitor backup control-plane actions.
  • Why it breaks lateral movement
    • Backup sabotage is a high-confidence precursor to impact (T1490).
  • How to validate
    • Quarterly recovery drills; alerts on job deletion/retention policy changes; separation of backup admin identities.

Historical Context and Related Vulnerabilities

The patterns below reflect historically exploited product families that commonly precede lateral movement. Specific CVEs are included only where both vendor advisory and NVD links are available.

  1. Fortinet FortiOS/FortiProxy auth bypass and SSL-VPN flaws (Fortinet firewall vulnerabilities)
  2. Fortinet FortiWeb management plane exploitation
  3. Managed file transfer (MFT) mass exploitation
  4. Remote access gateways and VPN concentrators
  5. RMM and remote support tooling compromise
  6. NetScaler/remote access edge bugs impacting session security
  7. Supply chain compromise risk patterns (non-CVE)

Further Reading

Vendor advisories

Government/CERT guidance (CISA KEV, NCSC, etc.)

CTI reporting (Unit 42, Microsoft, CrowdStrike, Group-IB, Sophos)

Detection engineering resources