Lateral movement is a part of the kill chain. After an attack has taken place, which allows entry into a company’s internal environment, lateral movement is the process of elevating credentials and gaining access to additional internal systems. This document describes a package of content that contains a set of rules to monitor Windows systems for lateral movement.