100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

Lateral Movement

AdvancedTechnique9.9K learners

Lateral movement is the set of techniques an attacker uses to move through a network from an initially compromised system to other systems, in order to expand access, escalate privileges, and reach high-value targets such as data stores or…

Definition

Lateral movement is the set of techniques an attacker uses to move through a network from an initially compromised system to other systems, in order to expand access, escalate privileges, and reach high-value targets such as data stores or domain controllers.

Overview

Attackers rarely gain immediate access to their ultimate target through the initial point of compromise; the first foothold — often a low-privilege workstation reached via phishing — usually has limited value on its own. Lateral movement is the phase in which an attacker expands that foothold into broader network access, hopping from system to system while harvesting credentials, mapping the network, and identifying higher-value targets along the way. Common lateral movement techniques include using stolen or harvested credentials to log into other machines via remote administration protocols (such as RDP, SSH, or WinRM), exploiting trust relationships between systems, and abusing legitimate administrative tools already present on the network — a practice known as 'living off the land' — to blend malicious activity with normal IT operations and evade signature-based detection. Pass-the-hash and pass-the-ticket attacks let an attacker authenticate using stolen credential material without ever knowing the plaintext password, exploiting weaknesses in how Windows authentication protocols handle cached credentials. Because lateral movement necessarily generates network traffic and authentication events between systems, it is one of the highest-value stages for defenders to detect, even if the initial compromise was missed. Network segmentation limits how far an attacker can move by restricting which systems can communicate with each other in the first place. Endpoint detection and response (EDR) tools monitor for anomalous process behavior and unusual authentication patterns, while security teams look for indicators like a workstation suddenly authenticating to many other hosts, unusual use of administrative protocols outside of business hours, or the use of built-in remote execution tools by accounts that don't normally use them. Lateral movement typically continues until the attacker reaches privileged accounts (via privilege escalation) or systems holding the data they're after, at which point the intrusion progresses toward data exfiltration or, in ransomware attacks, toward encrypting as many systems as possible before detonation.

Key Concepts

  • Expands an attacker's foothold from one compromised host to others
  • Relies heavily on harvested or stolen credentials
  • Often abuses legitimate remote administration tools (living off the land)
  • Includes techniques like pass-the-hash and pass-the-ticket authentication abuse
  • Generates detectable network and authentication traffic between systems
  • Mitigated by network segmentation limiting inter-system communication
  • Detected via EDR monitoring for anomalous authentication and process behavior
  • Typically precedes privilege escalation and data exfiltration in an attack chain

Use Cases

Investigating how an attacker spread from an initial phishing victim to critical servers
Designing network segmentation to contain breaches to a limited zone
Tuning EDR and SIEM alerts for anomalous internal authentication patterns
Simulating attacker movement during red team exercises
Hunting for pass-the-hash and pass-the-ticket attacks in Windows environments
Assessing ransomware blast radius before full-network encryption occurs
Prioritizing detection engineering around high-value lateral movement paths

Frequently Asked Questions