Infrastructure attacks involving lateral movement are identified by monitoring system level activities using software agents deployed on respective operating systems, and constructing, based on the system level activities, an execution graph comprising execution trails. A logon session between a remote connection client executing on a first operating system and a remote connection server executing on a second operating system is identified. Behavior exhibited from the logon session is attributed to a first global execution trail in the execution graph. A reconnection to the logon session between a remote connection client executing on a third operating system and the remote connection server is then identified, and, thereafter, behavior exhibited from the logon session is attributed to a second global execution trail in the execution graph.