Lateral Movement
Lateral movement refers to the techniques adversaries use to progressively move through a network after gaining initial access, escalating privileges and expanding their reach to access high-value systems and data.
Why Lateral Movement Matters
Initial compromise of a single endpoint rarely provides access to an organization's most valuable assets. Attackers must move laterally through the network — hopping from system to system — to reach domain controllers, databases, file servers, or cloud management consoles.
Common Techniques
Credential-Based
- Pass-the-Hash: Using stolen password hashes to authenticate without knowing the plaintext password
- Pass-the-Ticket: Reusing Kerberos tickets to access resources
- Credential Dumping: Extracting credentials from memory, typically from the LSASS process using tools such as Mimikatz
- Overpass-the-Hash: Using NTLM hash to obtain Kerberos tickets
Remote Access
- Remote Desktop Protocol (RDP): Connecting to remote systems
- PsExec/WMI: Executing commands on remote systems
- SSH: Secure shell access to Linux systems
- WinRM: Windows Remote Management for remote command execution
Exploitation
- Exploiting vulnerabilities in internal services
- Leveraging trusted relationships between systems
- Abusing legitimate administration tools (Living off the Land)
Detection Strategies
- Monitor for anomalous authentication patterns (unusual source systems, times, or accounts)
- Track privileged account usage across systems
- Alert on known lateral movement tool execution
- Monitor network traffic for unusual internal connections
- Implement network segmentation and microsegmentation so that cross-segment connections are rare and stand out when they occur
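The following is an added example, not part of the original glossary entry, showing how the first two detection strategies above (anomalous authentication patterns and privileged account tracking) can be expressed as rules over logon events. The log lines, the account names, the privileged-account list, the per-account baseline of expected source hosts and the thresholds are all constructed assumptions for the demonstration; a real deployment would feed Windows Security Event 4624 records from a SIEM and tune the thresholds to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). One successful logon
# event (Windows Event ID 4624) per line, pipe-separated:
# timestamp | account | source host | target host | logon type | auth package
# Logon type 3 = network (SMB/WMI/PsExec-style), 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2024-03-01T09:02:11|alice|WS-ALICE|FS01|3|Kerberos
2024-03-01T09:15:42|alice|WS-ALICE|FS01|3|Kerberos
2024-03-01T13:01:05|svc-backup|BACKUP01|FS01|3|Kerberos
2024-03-01T22:10:03|admin-bob|WS-ALICE|SRV-DB01|10|NTLM
2024-03-01T22:11:17|admin-bob|WS-ALICE|SRV-APP02|3|NTLM
2024-03-01T22:12:40|admin-bob|WS-ALICE|SRV-APP03|3|NTLM
2024-03-01T22:13:09|admin-bob|WS-ALICE|DC01|3|NTLM
"""

# Hypothetical environment knowledge: which accounts are privileged and
# which hosts each of them normally logs in from (e.g. a dedicated admin workstation).
PRIVILEGED = {"admin-bob"}
BASELINE_SOURCES = {"admin-bob": {"PAW-BOB"}}
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time
FAN_OUT_THRESHOLD = 3                  # distinct targets ...
FAN_OUT_WINDOW = timedelta(minutes=10) # ... within this window


def parse_events(text):
    """Parse the pipe-separated log into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, ltype, pkg = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "src": src,
            "dst": dst,
            "logon_type": int(ltype),
            "package": pkg,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_fan_out(events):
    """One account reaching many distinct hosts via network logons in a short window.

    A single user normally touches a handful of servers; an account that hops
    across several hosts within minutes looks like automated lateral movement.
    """
    alerts = []
    by_account = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:
            by_account[e["account"]].append(e)
    for account, evs in by_account.items():
        # Sliding window over the time-sorted events for this account.
        for i, start in enumerate(evs):
            targets = {x["dst"] for x in evs[i:]
                       if x["ts"] - start["ts"] <= FAN_OUT_WINDOW}
            if len(targets) >= FAN_OUT_THRESHOLD:
                alerts.append(("fan_out", account, sorted(targets)))
                break  # one alert per account is enough
    return alerts


def detect_privileged_anomalies(events):
    """Privileged account used off-hours, from an unexpected source host, or via NTLM.

    NTLM is flagged because a domain-joined host should normally obtain Kerberos
    tickets; NTLM network logons are what pass-the-hash produces.
    """
    alerts = []
    for e in events:
        if e["account"] not in PRIVILEGED:
            continue
        reasons = []
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if e["src"] not in BASELINE_SOURCES.get(e["account"], set()):
            reasons.append("unusual_source")
        if e["package"] == "NTLM":
            reasons.append("ntlm_auth")
        if reasons:
            alerts.append(("privileged", e["account"], e["src"], e["dst"], reasons))
    return alerts


def run_detections(text):
    """Run every rule over the log text and return the combined alert list."""
    events = parse_events(text)
    return detect_fan_out(events) + detect_privileged_anomalies(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, `alice` and `svc-backup` produce no alerts, while `admin-bob` triggers the fan-out rule (three servers plus a domain controller within three minutes) and four privileged-use alerts, each citing the off-hours time, the non-baseline source workstation and the NTLM authentication package. The two rules are deliberately independent so that either signal alone still surfaces the activity if the other is tuned out.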
Mitigation
- Implement least-privilege access and credential hygiene
- Deploy network segmentation to limit movement paths
- Use privileged access management (PAM) solutions
- Enable comprehensive logging on all systems
- Implement multi-factor authentication for remote access
Related Terms
- Initial Access
- Credential Harvesting
- Privilege Escalation