Lateral Movement · Learn

What is lateral movement?

Lateral movement is how an attacker spreads from the first machine they compromise to the rest of the network, hunting for the credentials and systems that lead to the real target. Here is the plain-language version: how it works, the common techniques, and how to detect it.

TL;DR

Lateral movement is the phase where an attacker, having compromised one machine, moves across the network to other hosts to reach valuable systems and credentials. It usually combines stolen credentials (a password, an NTLM hash, or a Kerberos ticket) with a remote-execution method like SMB/PsExec, WMI, WinRM, or RDP. The goal is to repeat compromise host by host until reaching a Domain Controller or the target data. It is mostly built on legitimate administration tools, which is what makes it hard to spot.

By John Dill, Red Team Lead, SecureLayer7

What lateral movement is

An attacker rarely lands on the machine that holds what they want. They get a foothold somewhere (a phished laptop, an exposed server) and then need to move sideways to other hosts: a file server, an admin’s workstation, eventually a Domain Controller.

Lateral movement is that sideways spread. Each hop reuses credentials harvested from the previous machine to authenticate to the next, gradually expanding control across the network.

How it works: credentials plus execution

Lateral movement almost always has two ingredients:

  • A credential: a cleartext password, an NTLM hash (replayed via Pass-the-Hash), or a Kerberos ticket (a TGT or service ticket, replayed via Pass-the-Ticket).
  • A remote-execution method: a way to run commands on the next machine, such as SMB/PsExec, WMI, WinRM, DCOM, or RDP.

The attacker dumps credentials on host A, reuses them to execute on host B, dumps host B for fresher credentials, and repeats. Nearly every execution method needs the credential to hold local administrator rights on the target, so admin accounts and service accounts with broad admin rights are the real prize. This loop is the engine that turns one compromise into a domain takeover.

The common techniques

The remote-execution methods each have their own page:

  • PsExec: copies a service binary to ADMIN$ and starts it through the Service Control Manager over SMB, so the command runs as SYSTEM; the target logs a new service install (event 7045).
  • WMI: Win32_Process Create over DCOM/RPC (port 135 plus a dynamic port); no service is installed, and the spawned process hangs off WmiPrvSE.exe.
  • WinRM: PowerShell Remoting over WS-Management on 5985 (HTTP) / 5986 (HTTPS); processes spawn under wsmprovhost.exe.
  • SMB and admin shares: C$/ADMIN$ for staging tools and pulling files; execution needs a second step (a service, a scheduled task, or one of the methods above).
  • DCOM: execution through exposed DCOM objects (MMC20.Application is the classic example), again over 135 plus a dynamic port.
  • RDP hijacking: taking over another user's existing remote-desktop session with tscon from a SYSTEM context, which needs no password.
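The credential-plus-execution pattern above is also what a detection has to look for. The following is an added example, not code from this page or from SecureLayer7: it correlates Windows Security-log events on each host, pairing a network logon (event 4624, logon type 3) with a remote-execution artifact that follows it within a short window, namely a service install (event 7045, the PsExec pattern) or a process creation (event 4688) whose parent is WmiPrvSE.exe (WMI) or wsmprovhost.exe (WinRM). All hosts, accounts, addresses and timestamps are constructed for the example, and the field names are simplified from the real event schema.

```python
"""Added example (not from the page): correlate Windows Security-log events to flag
lateral-movement hops. A hop is a network logon (event 4624, logon type 3) followed
within a short window on the same host by a remote-execution artifact: a service
install (event 7045, the PsExec pattern), or a process (event 4688) whose parent is
WmiPrvSE.exe (WMI) or wsmprovhost.exe (WinRM). Hosts, accounts, addresses and times
below are constructed for the example; field names are simplified from the real
event schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed events: (host, ISO timestamp, event id, selected fields).
EVENTS = [
    ("FS01", "2024-05-01T10:00:01", 4624, {"LogonType": "3", "AuthPkg": "NTLM", "User": "svc_backup", "SrcIp": "10.0.5.23"}),
    ("FS01", "2024-05-01T10:00:04", 7045, {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    ("WS-ADMIN", "2024-05-01T10:07:30", 4624, {"LogonType": "3", "AuthPkg": "NTLM", "User": "svc_backup", "SrcIp": "10.0.5.41"}),
    ("WS-ADMIN", "2024-05-01T10:07:33", 4688, {"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "NewProcess": "C:\\Windows\\System32\\cmd.exe"}),
    ("DC01", "2024-05-01T10:15:00", 4624, {"LogonType": "3", "AuthPkg": "Kerberos", "User": "da_jsmith", "SrcIp": "10.0.5.77"}),
    ("DC01", "2024-05-01T10:15:02", 4688, {"ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe", "NewProcess": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}),
    # Benign: share access is a type 3 logon too, but nothing executes afterwards.
    ("FS01", "2024-05-01T11:00:00", 4624, {"LogonType": "3", "AuthPkg": "Kerberos", "User": "alice", "SrcIp": "10.0.5.90"}),
    # Benign: console logon (type 2), then an admin installs a service locally.
    ("WS-ADMIN", "2024-05-01T11:30:00", 4624, {"LogonType": "2", "AuthPkg": "Kerberos", "User": "jsmith", "SrcIp": "-"}),
    ("WS-ADMIN", "2024-05-01T11:30:20", 7045, {"ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe"}),
]

WINDOW = timedelta(seconds=60)  # logon-to-execution gap that still counts as one hop

@dataclass
class Hop:
    host: str      # where the execution landed
    user: str      # account that authenticated
    src_ip: str    # where the logon came from (the previous host in the chain)
    auth: str      # NTLM (consistent with Pass-the-Hash) or Kerberos (ticket-based)
    method: str
    when: datetime

def classify_exec(event_id: int, fields: dict) -> Optional[str]:
    """Map an event to a remote-execution method, or None if it is not one."""
    if event_id == 7045:
        return "service install (PsExec-style)"
    if event_id == 4688:
        parent = fields.get("ParentImage", "").lower()
        if parent.endswith("\\wmiprvse.exe"):
            return "WMI"
        if parent.endswith("\\wsmprovhost.exe"):
            return "WinRM"
    return None

def find_hops(events, window: timedelta = WINDOW) -> list:
    """Pair each execution artifact with the most recent network logon on that host."""
    hops = []
    last_net_logon = {}  # host -> (time, 4624 fields) of the latest type-3 logon
    for host, ts, eid, f in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if eid == 4624:
            if f.get("LogonType") == "3":
                last_net_logon[host] = (t, f)
            else:
                last_net_logon.pop(host, None)  # a local logon breaks the pairing
            continue
        method = classify_exec(eid, f)
        if method is None or host not in last_net_logon:
            continue
        lt, lf = last_net_logon[host]
        if t - lt <= window:
            hops.append(Hop(host, lf["User"], lf["SrcIp"], lf["AuthPkg"], method, t))
    return hops

def reused_credentials(hops) -> dict:
    """Accounts that authenticated to more than one host: the credential-reuse engine."""
    seen = {}
    for h in hops:
        seen.setdefault(h.user, set()).add(h.host)
    return {u: sorted(hs) for u, hs in seen.items() if len(hs) > 1}

if __name__ == "__main__":
    found = find_hops(EVENTS)
    for h in found:
        print(f"{h.when:%H:%M:%S} {h.src_ip} -> {h.host} as {h.user} ({h.auth}) via {h.method}")
    print("credential reused across hosts:", reused_credentials(found))
```

On the constructed data this yields three hops (FS01 via a service install, WS-ADMIN via WMI, DC01 via WinRM) and flags svc_backup as reused across two hosts; the two benign sequences produce nothing, because share access has no execution artifact and the local service install follows a console logon. Time-based pairing is the simplest heuristic; in production, join 4688 and 7045 to the 4624 that created the session via the logon ID instead of relying on the window alone.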

How a pentest tests for it

A penetration test starts from a single foothold and tries to move across the network exactly as an intruder would, mapping which credentials unlock which hosts and how few hops it takes to reach a Domain Controller. The deliverable is the real path, with the specific credential reuse and execution method behind each hop and a fix for each one.
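The map a tester builds while moving laterally reduces to a graph search. As an added example that is not part of the original page or SecureLayer7's tooling, the code below represents which accounts' credentials can be harvested on each host (SESSIONS), where each account is a local administrator (ADMIN_ON) and which remote-execution method each host exposes (EXEC_METHOD), all constructed for the example. A breadth-first search returns the fewest-hop path from the foothold to the Domain Controller with the credential and method behind each hop, and choke_points() then checks which single admin right on that path, once removed, actually disconnects the DC rather than just re-routing the attacker.

```python
"""Added example (not from the page): lateral-movement path finding over a constructed
credential map. SESSIONS: host -> accounts whose credentials are recoverable there.
ADMIN_ON: account -> hosts where it holds local admin. EXEC_METHOD: the remote-execution
method each host exposes (a simplification; real hosts may allow several)."""
from collections import deque
from typing import Optional

SESSIONS = {
    "WS-BOB": ["bob", "helpdesk"],   # helpdesk logged on to fix Bob's laptop
    "FS01": ["svc_backup"],
    "PRINT01": ["svc_print"],
    "WS-ADMIN": ["da_jsmith"],
    "DC01": ["da_jsmith"],
}
ADMIN_ON = {
    "bob": ["WS-BOB"],
    "helpdesk": ["WS-BOB", "FS01", "PRINT01", "WS-ADMIN"],
    "svc_backup": ["FS01", "WS-ADMIN"],
    "svc_print": ["PRINT01"],
    "da_jsmith": ["DC01", "WS-ADMIN", "FS01"],
}
EXEC_METHOD = {"FS01": "SMB/PsExec", "PRINT01": "SMB/PsExec", "WS-ADMIN": "WMI", "DC01": "WinRM"}

def shortest_path(sessions, admin_on, exec_method, start, goal) -> Optional[list]:
    """BFS over hosts. An edge exists when a credential harvested on the current host
    is local admin on the next. Returns [(from, credential, method, to), ...] with the
    fewest hops, or None if the goal is unreachable from start."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        if host == goal:
            break
        for cred in sessions.get(host, []):
            for target in admin_on.get(cred, []):
                if target in parent:
                    continue  # already reached with as few or fewer hops
                parent[target] = (host, cred, exec_method.get(target, "unknown"))
                queue.append(target)
    if goal not in parent:
        return None
    path, node = [], goal
    while parent[node] is not None:
        src, cred, method = parent[node]
        path.append((src, cred, method, node))
        node = src
    return path[::-1]

def choke_points(sessions, admin_on, exec_method, start, goal) -> list:
    """Admin rights on the shortest path whose removal alone makes the goal unreachable.
    Rights not in this list are worth fixing too, but fixing them only re-routes."""
    path = shortest_path(sessions, admin_on, exec_method, start, goal) or []
    blocking = []
    for _, cred, _, target in path:
        trimmed = {a: [h for h in hosts if not (a == cred and h == target)]
                   for a, hosts in admin_on.items()}
        if shortest_path(sessions, trimmed, exec_method, start, goal) is None:
            blocking.append((cred, target))
    return blocking

if __name__ == "__main__":
    for src, cred, method, dst in shortest_path(SESSIONS, ADMIN_ON, EXEC_METHOD, "WS-BOB", "DC01"):
        print(f"{src} --[{cred} via {method}]--> {dst}")
    print("single fixes that break the path:",
          choke_points(SESSIONS, ADMIN_ON, EXEC_METHOD, "WS-BOB", "DC01"))
```

On this map the shortest route is two hops (WS-BOB to WS-ADMIN with helpdesk's credential over WMI, then WS-ADMIN to DC01 with da_jsmith's over WinRM). Removing helpdesk's admin right on WS-ADMIN does not break it, because a three-hop route through FS01 and svc_backup remains; removing da_jsmith's admin right on DC01, or more realistically keeping Domain Admin sessions off ordinary workstations, is the fix that actually cuts the path. Tools such as BloodHound do the same search with far more edge types; the report a pentest hands over is this path with the evidence for each hop.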


Want your network tested for these paths?


Find the lateral-movement paths before an attacker does.

We run internal and network penetration tests that follow the real route from one compromised host across your network, then hand your team a report with reproducible evidence and a fix for every step. Free re-test included.
