
Lateral Movement

The technique of an attacker moving between systems within a compromised network to gain access to higher-value assets.

What is Lateral Movement?

Lateral movement is the attack phase in which an attacker, having gained initial access to one system in a network, moves to other systems in search of higher-value assets - privileged accounts, database servers, domain controllers, financial systems or confidential data.

Lateral movement techniques include using stolen credentials (pass-the-hash, pass-the-ticket, Kerberoasting), abusing administrative tools (PsExec, WMI, RDP, SSH), exploiting vulnerabilities in network services, leveraging trust relationships between systems and abusing service account privileges.

In the MITRE ATT&CK model, lateral movement is a separate tactic (TA0008) with many documented techniques. In the Cyber Kill Chain model, it corresponds to the phase between initial compromise and final objective execution. In OT environments, lateral movement is particularly dangerous when the attacker moves from the IT network to the industrial network.

Why does it matter?

Lateral movement is the phase where an attack escalates from a single workstation compromise to a threat to the entire organisation. Effective network segmentation, the principle of least privilege, east-west traffic monitoring and PAM deployment are key measures limiting the possibility of lateral movement. Detecting lateral movement requires behaviour analysis (UEBA) and event correlation from multiple sources.
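The event correlation mentioned above, shown as an added example that is not part of the original page: a small Python detector that flags an account fanning out over network logons to many hosts within a short window, the pattern left by PsExec/WMI/SMB hopping with stolen credentials. All event records, hostnames, accounts and addresses below are constructed for illustration; the field layout is modelled on Windows Security event 4624 but is an assumption of this example, not a parser for real logs.

```python
"""Flag lateral-movement fan-out from constructed Windows 4624 logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, source_ip, destination_host, logon_type)
# Logon type 3 = network logon (SMB, WMI, PsExec); type 2 = interactive console logon.
EVENTS = [
    ("2024-05-01T09:00:05", "svc-backup", "10.0.5.17", "FS01", 3),
    ("2024-05-01T09:00:11", "svc-backup", "10.0.5.17", "FS02", 3),
    ("2024-05-01T09:00:19", "svc-backup", "10.0.5.17", "SQL01", 3),
    ("2024-05-01T09:00:27", "svc-backup", "10.0.5.17", "DC01", 3),
    ("2024-05-01T09:00:33", "svc-backup", "10.0.5.17", "HR-APP", 3),
    ("2024-05-01T09:01:02", "jdoe", "10.0.7.42", "FS01", 3),   # normal file-share use
    ("2024-05-01T09:31:00", "jdoe", "10.0.7.42", "FS02", 3),   # 30 min later, not a burst
    ("2024-05-01T09:02:00", "jdoe", "10.0.7.42", "WS-JDOE", 2), # interactive, ignored
]


def fan_out_alerts(events, window=timedelta(minutes=5), threshold=4):
    """Return {(account, source_ip): set_of_destinations} for every actor that
    reached at least `threshold` distinct hosts via network logons inside any
    sliding time window of length `window`."""
    by_actor = defaultdict(list)
    for ts, account, src, dst, logon_type in events:
        if logon_type != 3:  # only network logons count as lateral hops
            continue
        by_actor[(account, src)].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for actor, hops in by_actor.items():
        hops.sort()  # chronological order so each hop can open a window
        for i, (start, _) in enumerate(hops):
            dests = {d for t, d in hops[i:] if t - start <= window}
            if len(dests) >= threshold:
                alerts[actor] = dests
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for (account, src), dests in fan_out_alerts(EVENTS).items():
        print(f"ALERT {account}@{src} reached {len(dests)} hosts: {sorted(dests)}")
```

In a real deployment the same correlation would be fed from domain controllers and member servers together, since a single host's log only shows its own side of each hop.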
