TL;DR: An attacker takes 90 seconds to pivot from a clicked Outlook phishing attachment to a lateral hop made with harvested credentials. A forensic examiner takes 30 days to reconstruct that pivot across the email archive, the host event log and the browser artifact set. That 200x time-cost ratio is the load-bearing argument for prevention investment.
The 90-Second Attacker Timeline
The single-victim phishing-to-lateral-movement pattern is reproducible in commodity-tooled environments. Sherlock incident response engagements that we have anonymized for this analysis show the attacker timeline consistently lands between 60 and 180 seconds for the initial pivot. The shorthand "90 seconds" is the median of the engagements we have closed in the last four quarters.
The dwell-time literature backs the same compression. The Mandiant M-Trends 2024 report measured median global attacker dwell time at 10 days; the lateral-movement-to-credential-harvest sub-phase fits comfortably inside that window. CISA #StopRansomware advisories regularly cite intrusion-to-ransomware-execution timelines measured in hours rather than days. The forensic question is not whether the attacker moved fast. The question is what artifacts the attacker left behind for the examiner to recover.
Here is the 90-second timeline in the Sherlock-anonymized incident pattern:
- T+0 seconds: The victim opens an Outlook attachment that appears to be a vendor invoice. The attachment is an HTML smuggling payload that drops a signed Microsoft binary and a malicious DLL into the user's temp directory.
- T+5 seconds: The signed binary loads the malicious DLL through DLL search-order hijacking. Sysmon Event ID 7 records the image load. Because the malicious code runs under a signed parent process, casual signature-only telemetry passes it through.
- T+20 seconds: The implant resolves command-and-control by querying a domain produced by a Domain Generation Algorithm (DGA). The DNS query is logged on the host and on the network perimeter resolver.
- T+45 seconds: The implant enumerates saved browser credentials by reading the Chrome and Edge encrypted credential stores. The master keys are extracted via the user's DPAPI keys, and the Login Data SQLite file is parsed in memory.
- T+75 seconds: The implant uses one of the recovered credentials to authenticate to a peer user's Exchange mailbox. The sign-in is logged in Azure AD and on the on-premises Exchange server.
- T+90 seconds: Lateral movement is complete. The attacker holds a second mailbox, a second set of saved credentials and a network position from which to continue. The initial dwell phase ends.
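As an added illustration of what the T+5 and T+20 steps look like to a detection engineer (example code written for this page, not Sherlock Forensics tooling and not code from the original post): a small Python triage over constructed Sysmon-shaped records. It flags an image load where a process running from a system directory pulls an unsigned DLL out of a user's temp directory, and a DNS query whose registrable label is long and high-entropy. The field names follow Sysmon Event IDs 7 (image load) and 22 (DNS query); the paths, hostnames, times and the entropy threshold are assumptions for the example, and a real deployment would tune and allow-list them.

```python
import math
from collections import Counter
from typing import Dict, Iterable, List

# Constructed Sysmon-style records (not real telemetry). Field names follow
# Sysmon Event ID 7 (image load) and Event ID 22 (DNS query); the hostnames,
# paths and times are invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7", "UtcTime": "2024-05-01 09:00:05",
     "Image": r"C:\Windows\System32\hostapp.exe",  # hypothetical signed loader
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": "7", "UtcTime": "2024-05-01 09:00:06",
     "Image": r"C:\Windows\System32\hostapp.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": "22", "UtcTime": "2024-05-01 09:00:20",
     "Image": r"C:\Windows\System32\hostapp.exe",
     "QueryName": "q7xk2mv9zt4bw8pn.example"},
    {"EventID": "22", "UtcTime": "2024-05-01 09:00:21",
     "Image": r"C:\Program Files\Browser\browser.exe",
     "QueryName": "www.microsoft.com"},
]

USER_TEMP_MARKER = "/appdata/local/temp/"
SYSTEM_DIRS = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")


def norm(path: str) -> str:
    """Case-fold and use forward slashes so prefix checks stay simple."""
    return path.replace("\\", "/").lower()


def is_suspicious_image_load(ev: Dict[str, str]) -> bool:
    """Heuristic for the T+5s step: a process running from a system directory
    loads an unsigned DLL out of a user's temp directory."""
    if ev.get("EventID") != "7":
        return False
    loader = norm(ev.get("Image", ""))
    loaded = norm(ev.get("ImageLoaded", ""))
    return (loader.startswith(SYSTEM_DIRS)
            and USER_TEMP_MARKER in loaded
            and loaded.endswith(".dll")
            and ev.get("Signed", "").lower() != "true")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(query_name: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Heuristic for the T+20s step: flag long, high-entropy registrable labels.
    The thresholds are assumptions chosen for this example, not a published rule."""
    labels = query_name.lower().rstrip(".").split(".")
    # the label directly left of the TLD is the one a DGA usually generates
    candidate = labels[-2] if len(labels) >= 2 else labels[0]
    return len(candidate) >= min_len and shannon_entropy(candidate) >= min_entropy


def triage(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return one finding line per event that trips either heuristic."""
    findings = []
    for ev in events:
        if is_suspicious_image_load(ev):
            findings.append(f"{ev['UtcTime']} IMAGE_LOAD {ev['Image']} -> {ev['ImageLoaded']}")
        elif ev.get("EventID") == "22" and is_dga_like(ev.get("QueryName", "")):
            findings.append(f"{ev['UtcTime']} DGA_LIKE_DNS {ev['Image']} -> {ev['QueryName']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Both checks are deliberately narrow: the image-load rule keys on the loader's directory rather than on its signature because Sysmon's Event ID 7 records the signature of the loaded image, not of the loading process, and the entropy rule is only a first-pass filter that a resolver log with a real allow-list would refine.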
The 30-Day Examiner Timeline
A Sherlock Forensics examiner reconstructing this incident pulls artifacts from at least three product surfaces. Each surface preserves a different view of the timeline. The reconstruction is not faster than the attack; it is slower, because evidence-preservation discipline demands hashing and chain of custody at every step.
The first surface is the Outlook PST archive. The Sherlock Forensics PST Viewer Forensic Edition opens the mailbox without Outlook. The examiner extracts the phishing email and its attachment, hashes both with SHA-256, reconstructs the SMTP transport chain back to the originating mail server and pulls the SPF, DKIM and DMARC validation results from the Received headers. The deleted-item recovery surface restores any pre-attack email the attacker may have purged to cover the entry vector. Fully working up that single email and attachment takes between four and eight hours of examiner time, depending on mailbox depth.
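Added example, not Sherlock Forensics code and not from the original post: how the email-side steps of that work (attachment hashing, the Received hop chain and the SPF/DKIM/DMARC verdicts) look in Python's standard email library. It assembles a constructed message in the shape a mailbox export yields, then parses it from raw bytes the way an exported .eml would be parsed. The hosts, addresses and domains are invented, and the verdicts are read from an Authentication-Results header that the example assumes the receiving edge MX wrote.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Any, Dict, List

# Constructed attachment body (not a real phishing sample).
ATTACHMENT_HTML = "<html><body>placeholder invoice page</body></html>"


def build_sample_eml() -> bytes:
    """Assemble a constructed message; every host, address and domain is invented."""
    msg = EmailMessage()
    # Topmost Received header is the last hop (the receiving edge MX).
    msg["Received"] = ("from mx-edge.corp.example (mx-edge.corp.example [192.0.2.10]) "
                       "by mailbox.corp.example; Wed, 01 May 2024 08:59:50 +0000")
    msg["Received"] = ("from relay.vendor-lookalike.example ([203.0.113.7]) "
                       "by mx-edge.corp.example; Wed, 01 May 2024 08:59:48 +0000")
    msg["Authentication-Results"] = ("mx-edge.corp.example; spf=softfail "
                                     "smtp.mailfrom=vendor-lookalike.example; "
                                     "dkim=none; dmarc=fail header.from=vendor.example")
    msg["From"] = "Accounts Payable <ap@vendor.example>"
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Invoice 20240501"
    msg.set_content("Please find the attached invoice.")
    msg.add_attachment(ATTACHMENT_HTML.encode(), maintype="text", subtype="html",
                       filename="invoice.html")
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_auth_results(value: str) -> Dict[str, str]:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    found = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", value)
        if m:
            found[mech] = m.group(1).lower()
    return found


def received_chain(received_headers: List[str]) -> List[str]:
    """Return hop hosts oldest-first, so the originating relay is at index 0."""
    hops = []
    for value in reversed(received_headers):
        m = re.search(r"from\s+(\S+)", value)
        hops.append(m.group(1) if m else "<unparsed>")
    return hops


def triage_message(raw: bytes) -> Dict[str, Any]:
    """Hash the message and each attachment, and summarise transport and auth."""
    msg = message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        attachments.append({"filename": part.get_filename(),
                            "sha256": sha256_hex(payload), "size": len(payload)})
    return {
        "message_sha256": sha256_hex(raw),
        "subject": str(msg["Subject"]),
        "auth": parse_auth_results(str(msg.get("Authentication-Results", ""))),
        "hops": received_chain([str(h) for h in msg.get_all("Received", [])]),
        "attachments": attachments,
    }


if __name__ == "__main__":
    for key, value in triage_message(build_sample_eml()).items():
        print(f"{key}: {value}")
```

The hash of the raw message bytes is taken before anything is parsed so the record of custody starts from the export itself; the attachment hash is taken on the decoded payload, which is what an analyst would later compare against a sandbox or threat-intel lookup.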
The second surface is the Windows event log. The Sherlock Forensics Universal Events Viewer Forensic Edition reads the EVTX channels on the victim workstation: Security, System, Application and the Sysmon channel if the host carried it. The examiner correlates Event ID 4624 (successful logon) events with the implant timeline, Event ID 4672 (special privileges assigned to new logon) events with the credential-harvest phase and Event ID 4648 (logon using explicit credentials) events with the lateral move to the second mailbox. Each correlation row needs documentation, screenshot capture and annotation. A clean correlation across three days of pre-attack baseline, the one-day attack window and three days of post-attack containment runs 60 to 80 examiner hours.
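An added example (written for this page, not the Universal Events Viewer's logic and not from the original post): correlating 4624, 4672 and 4648 into a T+offset timeline in Python over constructed Security-event records merged from the workstation and the Exchange server exports. The user names, hosts, addresses, the T0 value and the five-second pairing window between a 4648 and the matching network logon are assumptions.

```python
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Constructed Windows Security event records (not real logs), merged from the
# workstation and the Exchange server exports. Users, hosts and addresses are
# invented; T0 is the assumed moment the attachment was opened.
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_SECURITY: List[Dict[str, Any]] = [
    {"TimeCreated": "2024-05-01 08:15:12", "Computer": "wks-alice", "EventID": 4624,
     "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-"},
    {"TimeCreated": "2024-05-01 09:00:47", "Computer": "wks-alice", "EventID": 4672,
     "SubjectUserName": "alice"},
    {"TimeCreated": "2024-05-01 09:01:14", "Computer": "wks-alice", "EventID": 4648,
     "SubjectUserName": "alice", "TargetUserName": "bob",
     "TargetServerName": "exch01.corp.example"},
    {"TimeCreated": "2024-05-01 09:01:15", "Computer": "exch01", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "bob", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2024-05-01 13:30:00", "Computer": "wks-alice", "EventID": 4624,
     "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-"},
]

TAGS = {4624: "LOGON", 4672: "SPECIAL_PRIVS", 4648: "EXPLICIT_CREDS"}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def describe(ev: Dict[str, Any]) -> str:
    """One-line summary per event type for the annotated timeline."""
    eid = ev["EventID"]
    if eid == 4624:
        return (f"logon type {ev.get('LogonType')} for {ev.get('TargetUserName')} "
                f"from {ev.get('IpAddress')}")
    if eid == 4672:
        return f"special privileges assigned to {ev.get('SubjectUserName')}"
    if eid == 4648:
        return (f"{ev.get('SubjectUserName')} used explicit credentials for "
                f"{ev.get('TargetUserName')} against {ev.get('TargetServerName')}")
    return "unclassified"


def build_timeline(events: List[Dict[str, Any]], t0: datetime,
                   before: timedelta = timedelta(minutes=60),
                   after: timedelta = timedelta(minutes=60)) -> List[Dict[str, Any]]:
    """Sort, clip to the window around t0 and express each event as a T+offset row."""
    rows = []
    for ev in sorted(events, key=lambda e: parse_ts(e["TimeCreated"])):
        ts = parse_ts(ev["TimeCreated"])
        if not (t0 - before <= ts <= t0 + after):
            continue
        rows.append({"offset_s": (ts - t0).total_seconds(), "host": ev.get("Computer"),
                     "event_id": ev["EventID"], "tag": TAGS.get(ev["EventID"], "OTHER"),
                     "detail": describe(ev)})
    return rows


def lateral_candidates(events: List[Dict[str, Any]],
                       max_gap: timedelta = timedelta(seconds=5)) -> List[Dict[str, Any]]:
    """Pair each 4648 where the subject used another account's credentials with a
    type-3 (network) 4624 for that account that follows within max_gap."""
    network_logons = [e for e in events if e["EventID"] == 4624 and e.get("LogonType") == 3]
    found = []
    for ev in events:
        if ev["EventID"] != 4648 or ev.get("SubjectUserName") == ev.get("TargetUserName"):
            continue
        t_4648 = parse_ts(ev["TimeCreated"])
        confirm = next((e for e in network_logons
                        if e.get("TargetUserName") == ev.get("TargetUserName")
                        and timedelta(0) <= parse_ts(e["TimeCreated"]) - t_4648 <= max_gap),
                       None)
        found.append({"actor": ev.get("SubjectUserName"), "as_user": ev.get("TargetUserName"),
                      "target": ev.get("TargetServerName"),
                      "confirmed_by": confirm.get("Computer") if confirm else None})
    return found


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_SECURITY, T0):
        print(f"T{row['offset_s']:+.0f}s {row['host']:<10} {row['tag']:<14} {row['detail']}")
    print(lateral_candidates(SAMPLE_SECURITY))
```

The pairing step is what turns three separate event types into one defensible statement: a 4648 on the workstation shows that alice's session presented bob's credentials, and the type-3 4624 on the Exchange host a second later shows that the presentation succeeded. Both records, with their hosts, are what the correlation row would cite.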
The third surface is the browser artifact set. The Sherlock Forensics Browser Viewer Forensic Edition pulls history, downloads, cookies, autofill and extension state from Chrome and Edge. The examiner reconstructs the DGA domain navigation, identifies which browser the implant queried for saved credentials and documents any browser-cached evidence of legitimate pre-attack use that shows the user was not the attacker. Browser artifact analysis on a heavily used corporate workstation runs 40 to 60 examiner hours.
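Added example (not the Browser Viewer's code and not from the original post): reading the Chrome/Edge History `urls` table with Python's sqlite3, converting its WebKit-epoch timestamps, and separating attack-window navigation from pre-attack baseline use. The rows are constructed in an in-memory database whose `urls` columns mirror the ones the queries read; the URLs, times and the visit-count threshold for "ordinary use" are assumptions. A real run points the same queries at a copy of the History file, since the browser holds a lock on the live one.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

# Chrome and Edge store history timestamps as microseconds since 1601-01-01 UTC
# (the WebKit/Windows FILETIME epoch), not the Unix epoch.
UTC = timezone.utc
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
# Assumed attack window for the example: T0 to T+90s.
ATTACK_WINDOW = (datetime(2024, 5, 1, 9, 0, 0, tzinfo=UTC),
                 datetime(2024, 5, 1, 9, 1, 30, tzinfo=UTC))


def to_webkit(dt: datetime) -> int:
    delta = dt.astimezone(UTC) - WEBKIT_EPOCH
    # Integer arithmetic on purpose: these values exceed what a float holds exactly.
    return (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds


def from_webkit(value: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a copied History file; rows are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_time INTEGER)")
    rows = [
        ("https://mail.corp.example/owa", "Outlook", 120,
         datetime(2024, 5, 1, 8, 58, 3, tzinfo=UTC)),
        ("https://intranet.corp.example/timesheet", "Timesheet", 40,
         datetime(2024, 5, 1, 8, 30, 0, tzinfo=UTC)),
        ("https://q7xk2mv9zt4bw8pn.example/", "", 1,
         datetime(2024, 5, 1, 9, 0, 20, tzinfo=UTC)),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        [(u, t, c, to_webkit(d)) for u, t, c, d in rows])
    return conn


def visits_in_window(conn: sqlite3.Connection, start: datetime,
                     end: datetime) -> List[Dict[str, Any]]:
    """Rows whose last visit falls inside [start, end], oldest first."""
    cur = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "WHERE last_visit_time BETWEEN ? AND ? ORDER BY last_visit_time",
        (to_webkit(start), to_webkit(end)))
    return [{"url": u, "title": t, "visit_count": c, "when": from_webkit(ts).isoformat()}
            for u, t, c, ts in cur]


def baseline_activity(conn: sqlite3.Connection, before: datetime,
                      min_visits: int = 10) -> List[str]:
    """URLs visited repeatedly before the window: evidence of ordinary prior use."""
    cur = conn.execute(
        "SELECT url FROM urls WHERE last_visit_time < ? AND visit_count >= ? "
        "ORDER BY visit_count DESC", (to_webkit(before), min_visits))
    return [u for (u,) in cur]


if __name__ == "__main__":
    db = build_sample_history()
    print("attack window:", visits_in_window(db, *ATTACK_WINDOW))
    print("baseline:", baseline_activity(db, ATTACK_WINDOW[0]))
```

The timestamp conversion is the part that most often goes wrong in hand-rolled browser analysis: treating `last_visit_time` as Unix microseconds puts every visit several centuries off, so the example pins the epoch with a known reference value (the Unix epoch is 11644473600 seconds after the WebKit epoch) rather than trusting the arithmetic.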
Add report writing, chain-of-custody documentation, expert affidavit preparation, deposition preparation and the inevitable client follow-up calls, and the full investigation lands between 25 and 35 calendar days end to end for a single-victim incident. The "30 days" framing is the median.
Why the Time-Cost Math Matters
The 200x asymmetry between attacker effort and defender effort is not abstract. It shows up on the customer invoice. A single-victim Sherlock incident response engagement is typically priced in tens of thousands of dollars. A multi-victim engagement that touches five or ten user accounts scales linearly with examiner time. An engagement that spans cloud assets, on-premises systems and mobile-device evidence escalates further.
Prevention investment compounds against this math. A $5,000 quarterly phishing-resistance training, a $15,000 annual penetration test and a $25,000 incident response retainer together add up to less than the cost of a single moderate-scope post-incident investigation. The prevention spend buys two things: a lower probability of an incident, and faster examiner ramp-up if one does occur, because the retainer means we already know your environment.
If you are weighing prevention investment against the assumption that "we will deal with it if it happens," the time-cost math says it is cheaper to deal with it before it happens. Talk to Sherlock about prevention before the 90-second timeline starts.