# Lateral Movement Techniques
Definition
Lateral movement is the set of techniques an attacker uses to move from an initially compromised system to other systems within the network, expanding access toward higher-value targets: domain controllers, database servers, file shares, backup infrastructure, and any other system that contains the data or controls the attacker needs to achieve their objective. In MITRE ATT&CK, Lateral Movement is the tenth tactic (TA0008) with nine techniques and multiple sub-techniques.
Lateral movement is the attack phase that transforms a single compromised endpoint into a network-wide compromise. Initial access provides a foothold on one system. Privilege escalation provides elevated permissions on that system. Lateral movement provides access to other systems. Without lateral movement, the attacker is contained to one endpoint with access to one user's data. With lateral movement, the attacker traverses the network to reach domain controllers (for full domain control), database servers (for data theft), backup systems (for destruction before ransomware deployment), and every other target of value.
Detection and prevention of lateral movement is one of the most consequential security investments an organization can make. An attacker who is detected and contained during lateral movement causes limited damage (one or a few compromised systems). An attacker who completes lateral movement undetected causes maximum damage (domain-wide ransomware, mass data exfiltration, persistent access to the entire environment).
How It Works
Windows Lateral Movement Techniques
Windows enterprise environments are the primary lateral movement theater because Active Directory provides centralized authentication that enables credential-based movement between domain-joined systems.
PsExec and SMB-based execution. PsExec (a Sysinternals tool) executes commands on remote systems using SMB (Server Message Block) file sharing and the Windows Service Control Manager. It copies its service binary (PSEXESVC.exe) to the target's ADMIN$ share, asks the remote SCM over RPC to create and start a service that runs the binary, and relays input and output over SMB named pipes. PsExec requires administrative credentials on the target and SMB access (port 445). Each run therefore leaves three artifacts on the target: a file write to ADMIN$, a service installation, and a network logon from the source.
PsExec is a legitimate system administration tool, which makes detection challenging. The difference between an administrator using PsExec for troubleshooting and an attacker using it for lateral movement is intent, not technique. Detection relies on context: PsExec execution from a workstation that has never used PsExec before, at an unusual time, targeting a system the source has never connected to, is anomalous.
Adversary variants: Impacket's smbexec and wmiexec provide PsExec-like execution without copying a service binary (smbexec creates a short-lived service whose command line runs cmd.exe, wmiexec spawns the command through WMI; both still write command output to a file on a share, so the artifacts change rather than disappear). CrackMapExec (now NetExec) automates credential-based lateral movement across entire network segments.
Windows Management Instrumentation (WMI). WMI enables remote command execution through the WMI service (port 135 plus dynamic RPC ports). WMI process creation (Win32_Process.Create) executes arbitrary commands on the remote system. WMI is a native Windows capability that does not require additional tools, making it a preferred living-off-the-land technique.
Detection: on the target, monitor process creation (Windows Event ID 4688 with command-line logging, Sysmon Event ID 1) for processes whose parent is WmiPrvSE.exe, the WMI provider host that spawns Win32_Process.Create children; the initiating client shows up as a 4624 logon type 3 from its IP address shortly before. WMI execution from workstations to servers (rather than from management tools to managed endpoints) is anomalous.
Remote Desktop Protocol (RDP). RDP provides interactive remote access to the graphical desktop of a Windows system. An attacker with valid credentials (stolen or escalated) can RDP to any system where RDP is enabled and the credentials have access. RDP provides the attacker with a full interactive session: they can browse files, open applications, run commands, and interact with the system as if physically present.
Detection: monitor RDP logon events (Windows Event ID 4624 with logon type 10; with Network Level Authentication a type 3 logon from the same source precedes it, and Event ID 4778 records the session connect). RDP connections from unexpected sources (a workstation RDP-ing to a domain controller), at unexpected times, or from user accounts that do not normally use RDP are anomalous. Network-level detection: monitor for RDP traffic (port 3389) between systems that should not have RDP connectivity.
Pass-the-Hash (PtH). The attacker uses a stolen NT hash (from LSASS memory, the local SAM, or NTDS.dit) to authenticate to a remote system without knowing the plaintext password. NTLM challenge-response never transmits the password: the client proves possession of the NT hash by keying an HMAC over the server's challenge with it, so possessing the hash is equivalent to possessing the password for authentication purposes.
Pass-the-hash is the technique that makes credential dumping so dangerous: stealing one administrator's NTLM hash from one compromised system provides administrative access to every system where that administrator's credentials are valid.
Defense: Credential Guard (moves the NT hashes and Kerberos secrets of logged-on users out of LSASS into an isolated, virtualization-protected process that memory dumping cannot read), LAPS (a unique local administrator password per machine, so one stolen local hash does not open every workstation), disabling NTLM where possible (enforce Kerberos), restricting administrative credential exposure to the appropriate tier (tier model), and PAM (eliminate standing administrative accounts).
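The mechanism that makes pass-the-hash work, shown as an added example (not code from the original page): the NTLMv2 computation from MS-NLMP written with the standard library. The only secret the client ever uses is the 16-byte NT hash, so whoever holds the hash can answer the server's challenge. The NT hash below is the widely published hash of the string "password"; the user, domain, challenges and timestamp are constructed so the run is deterministic.

```python
"""Why pass-the-hash works: NTLMv2 keys the response with the NT hash.

Added example following the NTOWFv2 / NtProofStr computation in MS-NLMP.
The client never needs the plaintext password, only the NT hash (NTOWFv1).
All inputs are constructed sample values.
"""
import hashlib
import hmac
import struct

USER = "Administrator"
DOMAIN = "CORP"
STOLEN_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")                 # 8-byte server nonce, constructed
CLIENT_CHALLENGE = bytes.fromhex("aabbccddeeff0011")                 # 8-byte client nonce, constructed
TIMESTAMP = 133_600_000_000_000_000                                  # FILETIME-style value, constructed


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(key=NT hash, UTF-16LE(UPPER(user) + domain))."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, hashlib.md5).digest()


def client_blob(client_challenge: bytes, filetime: int) -> bytes:
    """The NTLMv2 'temp' structure: version bytes, reserved, time, client
    nonce, reserved, AV pairs (here only the MsvAvEOL terminator), reserved."""
    av_pairs = b"\x00\x00\x00\x00"  # MsvAvEOL: AvId=0, AvLen=0
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def ntlmv2_response(nt_hash, user, domain, server_challenge, blob) -> bytes:
    """Client side. NtProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp);
    the NTLMv2 response in AUTHENTICATE_MESSAGE is NtProofStr || temp."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_response(stored_nt_hash, user, domain, server_challenge, response) -> bool:
    """Server (or, via Netlogon, the DC) side: recompute NtProofStr from the
    stored NT hash and compare. The plaintext password is never involved."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def pass_the_hash_demo() -> bool:
    """An attacker holding only STOLEN_NT_HASH authenticates successfully."""
    blob = client_blob(CLIENT_CHALLENGE, TIMESTAMP)
    response = ntlmv2_response(STOLEN_NT_HASH, USER, DOMAIN, SERVER_CHALLENGE, blob)
    return verify_response(STOLEN_NT_HASH, USER, DOMAIN, SERVER_CHALLENGE, response)


if __name__ == "__main__":
    print("authenticated with hash only:", pass_the_hash_demo())
```

In a real exchange the server forwards the challenge and response to a domain controller over Netlogon, and the DC performs the `verify_response` computation with the NT hash stored in NTDS.dit. Nothing in the protocol can distinguish a client that derived the hash from a typed password from one that read it out of LSASS, which is why the defenses above aim at removing the hash from reach or removing NTLM altogether.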
Pass-the-Ticket (PtT). The attacker uses a stolen Kerberos ticket (Ticket Granting Ticket or service ticket, obtained from LSASS memory) to authenticate to remote services without the password or hash. Pass-the-ticket is the Kerberos equivalent of pass-the-hash.
Golden Ticket: a forged TGT created with the stolen KRBTGT account key (NT hash or AES key). A Golden Ticket provides access to any service in the domain for the ticket's lifetime, which the attacker sets (Mimikatz defaults to 10 years). Golden Tickets survive password resets of the impersonated account; only rotating KRBTGT invalidates them, and they are difficult to detect because the domain controller sees a valid-looking TGT rather than a logon.
Silver Ticket: a forged service ticket created using a stolen service account hash. Silver Tickets provide access to the specific service without contacting the domain controller (making them harder to detect than Golden Tickets because no TGT request is logged).
Defense: rotate the KRBTGT password twice, because AD keeps the previous KRBTGT password and still accepts tickets encrypted under it; wait for replication to complete (ideally the maximum TGT lifetime, 10 hours by default) between the two resets, since an immediate second reset invalidates every legitimate ticket in the domain and disrupts sessions until they re-authenticate. Monitor for anomalous Kerberos ticket characteristics: unusually long lifetimes, service tickets for accounts that do not exist, service ticket requests (Event ID 4769) with no corresponding TGT request (Event ID 4768) from the same client, and RC4 encryption on tickets for accounts configured for AES.
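Three of those Kerberos checks run over domain-controller events, as an added example (not from the original page). The events are a constructed subset of the fields in 4768 (TGT request) and 4769 (service ticket request); the account list, the set of AES-only accounts and the client addresses are assumptions for the sample.

```python
"""Kerberos ticket-forgery indicators over DC Security events (4768/4769).

Added example. Flags a service-ticket request with no TGT request from the
same client within a window, a request for an account that is not in the
directory, and RC4 on a ticket for an account configured for AES.
All events, accounts and addresses are constructed sample data.
"""
from datetime import datetime, timedelta

KNOWN_ACCOUNTS = {"alice", "bob", "svc_sql", "WS01$", "FS01$"}
AES_ONLY_ACCOUNTS = {"alice", "svc_sql"}   # msDS-SupportedEncryptionTypes allows AES only
RC4_HMAC = "0x17"                          # TicketEncryptionType for RC4-HMAC
TGT_LIFETIME = timedelta(hours=10)         # default MaxTicketAge

EVENTS = [  # constructed: 4768 carries a bare account name, 4769 carries user@REALM
    {"id": 4768, "time": "2024-05-01T09:00:00", "account": "alice",
     "client": "10.0.1.15", "etype": "0x12"},
    {"id": 4769, "time": "2024-05-01T09:00:05", "account": "alice@CORP.LOCAL",
     "service": "cifs/FS01", "client": "10.0.1.15", "etype": "0x12"},
    # No 4768 from 10.0.5.77 and RC4 for an AES-only account: golden-ticket pattern.
    {"id": 4769, "time": "2024-05-01T09:30:00", "account": "alice@CORP.LOCAL",
     "service": "ldap/DC01", "client": "10.0.5.77", "etype": "0x17"},
    # Account name that does not exist in the directory.
    {"id": 4769, "time": "2024-05-01T09:31:00", "account": "ghostadmin@CORP.LOCAL",
     "service": "cifs/DC01", "client": "10.0.5.77", "etype": "0x17"},
]


def _account(name: str) -> str:
    """Strip the realm so 4768 and 4769 names compare equal."""
    return name.split("@", 1)[0]


def find_kerberos_anomalies(events, known_accounts, aes_only, window=TGT_LIFETIME):
    """Return (rule, account, client_ip) tuples. Merge the events of every DC
    in the domain first: the 4768 for a client may have been logged elsewhere."""
    last_tgt = {}   # (account, client) -> time of the most recent 4768
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        acct = _account(ev["account"])
        if ev["id"] == 4768:
            last_tgt[(acct, ev["client"])] = ts
            continue
        if ev["id"] != 4769:
            continue
        if acct not in known_accounts:
            findings.append(("unknown-account", acct, ev["client"]))
        seen = last_tgt.get((acct, ev["client"]))
        if seen is None or ts - seen > window:
            findings.append(("tgs-without-as", acct, ev["client"]))
        if ev["etype"] == RC4_HMAC and acct in aes_only:
            findings.append(("rc4-downgrade", acct, ev["client"]))
    return findings


if __name__ == "__main__":
    for finding in find_kerberos_anomalies(EVENTS, KNOWN_ACCOUNTS, AES_ONLY_ACCOUNTS):
        print(*finding)
```

The "tgs-without-as" rule is the noisiest of the three in practice: a client that renews its TGT (Event ID 4770) rather than requesting a new one stays valid for up to seven days, so a production version should treat 4770 like 4768 and collect from all domain controllers before applying the window.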
PowerShell Remoting (WinRM). PowerShell Remoting over WinRM (Windows Remote Management, port 5985/5986) enables remote command execution with full PowerShell capability. Invoke-Command and Enter-PSSession provide remote PowerShell execution that is logged but often permitted by firewall rules because it is a standard administrative protocol.
Detection: on the target, a 4624 logon type 3 (Kerberos or Negotiate) from the client, followed by commands running under wsmprovhost.exe, the process that hosts remote PowerShell sessions; the Microsoft-Windows-WinRM/Operational log records session creation and PowerShell script block logging (Event ID 4104) captures what ran. PowerShell Remoting from non-administrative workstations to servers, particularly from systems that have never initiated WinRM connections before, is anomalous.
Linux Lateral Movement
SSH. SSH is the primary lateral movement mechanism in Linux environments. An attacker with stolen SSH credentials (passwords or private keys) can authenticate to any Linux system where the credentials are valid. SSH keys found on a compromised system (in ~/.ssh/) may provide access to other systems without additional credential theft.
Detection: monitor SSH authentication logs (/var/log/auth.log on Debian-derived systems, /var/log/secure on Red Hat-derived ones, or journalctl -u sshd on systemd hosts) for "Accepted password" and "Accepted publickey" lines from unexpected sources, for unexpected users, or at unexpected times.
Credential reuse. Linux environments often share credentials across systems: the same root password, the same SSH key, the same service account password deployed to multiple servers for convenience. Compromising one system's credentials provides access to every system sharing those credentials.
Defense: a unique key pair per user and per source host rather than one key copied everywhere, centralized SSH key management or certificate-based SSH authentication with short-lived certificates, PermitRootLogin set to no, and individual named accounts with sudo instead of a shared root password.
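The SSH detection paragraph and the credential-reuse paragraph above, run together over sshd log lines as an added example (not from the original page). The lines, hostnames, addresses and the key fingerprint are constructed; the format is OpenSSH's standard "Accepted <method> for <user> from <ip> port <n> ssh2[: <keytype> <fingerprint>]". The allowed source set and working hours are assumptions for the sample.

```python
"""SSH lateral-movement checks over sshd log lines.

Added example. Flags root logins, logins from outside the approved sources,
off-hours logins, and one key fingerprint accepted on several hosts or from
several sources (the shared-key pattern). Sample log lines are constructed.
"""
import re
from collections import defaultdict

FP = "SHA256:EXAMPLEdeployKeyFingerprint0000000000000000"   # constructed fingerprint
SAMPLE_LOG = f"""\
May  1 09:12:01 web01 sshd[2311]: Accepted publickey for deploy from 10.0.1.15 port 51234 ssh2: ED25519 {FP}
May  1 02:13:44 web01 sshd[2400]: Accepted password for root from 203.0.113.9 port 40222 ssh2
May  1 02:14:10 db01 sshd[777]: Accepted publickey for deploy from 10.0.1.15 port 51240 ssh2: ED25519 {FP}
May  1 02:15:00 db01 sshd[790]: Accepted publickey for deploy from 10.0.9.50 port 44000 ssh2: ED25519 {FP}
May  1 09:20:00 web01 sshd[2500]: Failed password for invalid user admin from 203.0.113.9 port 40300 ssh2
"""
ALLOWED_SOURCES = {"10.0.1.15"}        # the bastion host, assumed
WORK_HOURS = range(7, 20)              # 07:00 to 19:59 local, assumed

LINE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):\d\d:\d\d (\S+) sshd\[\d+\]: Accepted (\w+) for (\S+) "
    r"from (\S+) port \d+ ssh2(?:: \S+ (SHA256:\S+))?"
)


def parse_accepted(line):
    """Return a dict for an accepted login, or None for any other line."""
    m = LINE.match(line)
    if not m:
        return None
    hour, host, method, user, src, fp = m.groups()
    return {"hour": int(hour), "host": host, "method": method,
            "user": user, "src": src, "fp": fp}


def analyze_ssh(log_text, allowed_sources, work_hours=WORK_HOURS):
    """Return (findings, shared_keys). findings are (rule, host, user, src)
    tuples; shared_keys maps a fingerprint to the (host, src) pairs it was
    used with, for keys seen on more than one host or from more than one source."""
    findings, key_use = [], defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_accepted(line)
        if ev is None:
            continue
        if ev["user"] == "root":
            findings.append(("root-login", ev["host"], ev["user"], ev["src"]))
        if ev["src"] not in allowed_sources:
            findings.append(("unexpected-source", ev["host"], ev["user"], ev["src"]))
        if ev["hour"] not in work_hours:
            findings.append(("off-hours", ev["host"], ev["user"], ev["src"]))
        if ev["fp"]:
            key_use[ev["fp"]].add((ev["host"], ev["src"]))
    shared = {fp: uses for fp, uses in key_use.items()
              if len({h for h, _ in uses}) > 1 or len({s for _, s in uses}) > 1}
    return findings, shared


if __name__ == "__main__":
    found, shared_keys = analyze_ssh(SAMPLE_LOG, ALLOWED_SOURCES)
    for f in found:
        print(*f)
    for fp, uses in shared_keys.items():
        print("shared key", fp, sorted(uses))
```

The shared-key check needs logs from every host aggregated in one place, because a single host only ever sees its own half of the pattern; the same deploy key accepted on web01 and db01 from two different source addresses is exactly the "one key copied everywhere" situation the defense paragraph warns about.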
Cloud Lateral Movement
OAuth token theft. In cloud environments, lateral movement often occurs through stolen OAuth tokens or session cookies rather than network-based techniques. An attacker who steals an OAuth access token from a compromised endpoint can use that token to access cloud applications (email, file storage, collaboration platforms) from any location without re-authenticating.
Cloud IAM manipulation. An attacker who gains access to a cloud identity with IAM permissions can create new roles, modify existing policies, or assume roles in other accounts (cross-account role assumption in AWS). Cloud IAM manipulation enables lateral movement across cloud accounts and services without traditional network-based movement.
Detection: monitor cloud audit logs (CloudTrail, Azure Activity Log) for role creation, policy modification, access key creation, and cross-account role assumption from unexpected sources: in CloudTrail the calls are AssumeRole, CreateRole, AttachRolePolicy, PutRolePolicy and CreateAccessKey; in Azure the equivalent is a Microsoft.Authorization/roleAssignments/write operation.
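Those CloudTrail checks over a batch of records, as an added example (not from the original page). The records are constructed but shaped like real ones (eventName, userIdentity, sourceIPAddress, requestParameters); the account IDs, role names, corporate address range and approved peer accounts are assumptions for the sample.

```python
"""IAM lateral-movement indicators over CloudTrail records.

Added example. Flags AssumeRole into an account outside the approved peer
list, IAM write calls from outside the corporate address ranges, and the
attachment of AdministratorAccess to a role. All records are constructed.
"""
import ipaddress

CORP_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]   # assumed corporate egress
ALLOWED_PEER_ACCOUNTS = {"222222222222"}                # accounts alice may assume into
IAM_WRITE_CALLS = {"CreateRole", "UpdateAssumeRolePolicy", "PutRolePolicy",
                   "AttachRolePolicy", "AttachUserPolicy", "CreateAccessKey",
                   "CreateUser", "AddUserToGroup"}


def _rec(name, arn, src, **params):
    """Build a minimal CloudTrail-shaped record (constructed)."""
    source = "sts.amazonaws.com" if name == "AssumeRole" else "iam.amazonaws.com"
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn, "accountId": arn.split(":")[4]},
            "sourceIPAddress": src, "requestParameters": params}


ALICE = "arn:aws:iam::111111111111:user/alice"
RECORDS = [
    _rec("AssumeRole", ALICE, "198.51.100.20",
         roleArn="arn:aws:iam::222222222222:role/Deploy"),            # approved peer
    _rec("AssumeRole", ALICE, "203.0.113.9",
         roleArn="arn:aws:iam::333333333333:role/OrgAdmin"),          # not approved
    _rec("CreateRole", ALICE, "203.0.113.9", roleName="backdoor"),
    _rec("AttachRolePolicy", ALICE, "203.0.113.9", roleName="backdoor",
         policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    _rec("PutRolePolicy", "arn:aws:sts::111111111111:assumed-role/cfn/stack",
         "cloudformation.amazonaws.com", roleName="app"),              # service-initiated
    _rec("ListRoles", ALICE, "203.0.113.9"),                           # read-only
]


def _is_corporate(src: str) -> bool:
    """AWS services appear as a service DNS name rather than an IP; treat them as internal."""
    if src.endswith(".amazonaws.com"):
        return True
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in CORP_CIDRS)


def find_iam_lateral_movement(records, allowed_peers=ALLOWED_PEER_ACCOUNTS):
    """Return (rule, eventName, actor_arn, detail) tuples."""
    findings = []
    for r in records:
        name, actor = r["eventName"], r["userIdentity"]["arn"]
        params, src = r["requestParameters"], r["sourceIPAddress"]
        if name == "AssumeRole":
            target = params["roleArn"].split(":")[4]
            if target != r["userIdentity"]["accountId"] and target not in allowed_peers:
                findings.append(("cross-account-assume", name, actor, params["roleArn"]))
        if name in IAM_WRITE_CALLS and not _is_corporate(src):
            findings.append(("iam-write-offnet", name, actor, src))
        if name == "AttachRolePolicy" and params.get("policyArn", "").endswith("/AdministratorAccess"):
            findings.append(("admin-policy-attach", name, actor, params["roleName"]))
    return findings


if __name__ == "__main__":
    for finding in find_iam_lateral_movement(RECORDS):
        print(*finding)
```

The source-address rule is only as good as the inventory behind CORP_CIDRS; tokens stolen from an endpoint are typically replayed from attacker infrastructure, which is why a call from an unfamiliar address is the strongest of the three signals even when the identity itself is legitimate.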
Why It Matters
The Kill Chain's Critical Phase
Lateral movement is the phase that determines the scope of the eventual impact. An attacker contained to one system causes limited damage. An attacker who traverses the network to reach domain controllers, backup systems, and database servers causes maximum damage. Every ransomware deployment at scale requires lateral movement: the attacker must reach every system they intend to encrypt.
Detecting lateral movement provides the last reliable opportunity to contain the attack before catastrophic impact. After the attacker achieves domain-level access and begins encryption or exfiltration, containment options narrow rapidly.
Network Segmentation as Prevention
Network segmentation directly restricts lateral movement by controlling which systems can communicate with which other systems. In a flat (unsegmented) network, the attacker can reach every system from any compromised endpoint. In a segmented network, the attacker can only reach systems within the same segment unless they can traverse the enforcement boundary (firewall, ACL) between segments.
Each segment boundary is both a restriction (the attacker cannot cross it without authorized credentials) and a detection opportunity (the crossing attempt generates firewall logs, authentication events, and network telemetry). Well-segmented networks create a series of chokepoints that slow the attacker and generate detection artifacts at each step.
Detection Opportunities
Lateral movement techniques generate detectable artifacts across multiple log sources. SIEM detection rules for lateral movement are among the highest-value rules in any detection engineering program:
- SMB lateral tool transfer (T1570): writes to the ADMIN$ or C$ share (Security Event ID 5145 with a write access mask) from sources that are not administrative jump hosts.
- Remote service creation (T1569.002): new services installed on remote systems via the SCM (System Event ID 7045, Security Event ID 4697), especially PSEXESVC or a service whose image is a cmd.exe command line.
- WMI execution (T1047): process creation with parent WmiPrvSE.exe (Sysmon Event ID 1, Security Event ID 4688) on systems that are not managed through WMI.
- RDP connections (T1021.001): Event ID 4624 logon type 10 from workstations to servers or domain controllers, or between servers.
- Pass-the-hash authentication (T1550.002): on the source host, Event ID 4624 logon type 9 with logon process seclogo and authentication package Negotiate (the Mimikatz sekurlsa::pth pattern); on targets, NTLM network logons (type 3) from that source.
- Anomalous Kerberos activity (T1550.003): service ticket requests (4769) with no preceding TGT request (4768), tickets for accounts that do not exist, and RC4 encryption where AES is expected.
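The Windows rules above as one detection pass, added here as an example (not from the original page). It runs over a constructed batch of events normalized into dicts the way a SIEM presents Security, System and Sysmon records; the host tiers, jump-host address and workstation subnet are assumptions for the sample. The Kerberos rule is left out because it needs domain-controller 4768/4769 correlation rather than per-host events.

```python
"""Lateral-movement rules over normalized Windows events.

Added example. Implements five detections: ADMIN$/C$ writes (5145),
remote service installs (7045), WMI-spawned processes (Sysmon 1), RDP to
a domain controller from a workstation (4624 type 10) and the sekurlsa::pth
logon pattern (4624 type 9 / seclogo). Events and hosts are constructed.
"""
import ipaddress

HOST_TIER = {"DC01": "dc", "FS01": "server", "WS07": "workstation"}   # assumed
ADMIN_JUMP_HOSTS = {"10.0.2.5"}                                       # allowed admin sources
WORKSTATION_NET = ipaddress.ip_network("10.0.1.0/24")
WRITE_MASK = 0x2                                                      # FILE_WRITE_DATA / FILE_ADD_FILE
ADMIN_SHARES = {"ADMIN$", "C$"}

EVENTS = [  # constructed, in arrival order
    {"log": "Security", "id": 5145, "host": "FS01", "src": "10.0.1.22",
     "share": r"\\*\ADMIN$", "target": "PSEXESVC.exe", "access": "0x2"},
    {"log": "System", "id": 7045, "host": "FS01", "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"log": "Sysmon", "id": 1, "host": "FS01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"log": "Security", "id": 4624, "host": "DC01", "src": "10.0.1.22", "type": 10,
     "process": "User32", "package": "Negotiate"},
    {"log": "Security", "id": 4624, "host": "WS07", "src": "::1", "type": 9,
     "process": "seclogo", "package": "Negotiate"},
    {"log": "Security", "id": 5145, "host": "FS01", "src": "10.0.2.5",
     "share": r"\\*\ADMIN$", "target": "patch.msi", "access": "0x2"},      # jump host: benign
    {"log": "Security", "id": 4624, "host": "DC01", "src": "10.0.2.5", "type": 10,
     "process": "User32", "package": "Negotiate"},                         # jump host: benign
    {"log": "Security", "id": 4624, "host": "FS01", "src": "10.0.1.22", "type": 3,
     "process": "NtLmSsp", "package": "NTLM"},                             # plain network logon
]


def _share_name(share: str) -> str:
    """5145 logs the share as \\\\*\\NAME; keep only NAME (so IPC$ is not mistaken for C$)."""
    return share.rsplit("\\", 1)[-1]


def _from_workstation(src: str) -> bool:
    return ipaddress.ip_address(src) in WORKSTATION_NET


def detect_lateral_movement(events, tiers=HOST_TIER, jump_hosts=ADMIN_JUMP_HOSTS):
    """Return (rule, host, source) tuples; source is the client IP when the
    event carries one, otherwise the host itself (7045 and Sysmon 1 do not
    record the initiator, so correlate them with the preceding 4624 type 3)."""
    findings = []
    for e in events:
        host, src = e["host"], e.get("src", e["host"])
        if (e["id"] == 5145 and _share_name(e["share"]) in ADMIN_SHARES
                and int(e["access"], 16) & WRITE_MASK and src not in jump_hosts):
            findings.append(("admin-share-write", host, src))
        elif (e["id"] == 7045 and (e["service"].upper().startswith("PSEXESVC")
                                   or "/Q /c" in e["image"])):
            findings.append(("remote-service-install", host, src))
        elif (e["log"] == "Sysmon" and e["id"] == 1
                and e["parent"].lower().endswith("wmiprvse.exe")):
            findings.append(("wmi-remote-exec", host, src))
        elif (e["id"] == 4624 and e["type"] == 10 and tiers.get(host) == "dc"
                and _from_workstation(src)):
            findings.append(("rdp-to-dc-from-workstation", host, src))
        elif (e["id"] == 4624 and e["type"] == 9 and e["process"].lower() == "seclogo"
                and e["package"] == "Negotiate"):
            findings.append(("pth-indicator", host, src))
    return findings


if __name__ == "__main__":
    for finding in detect_lateral_movement(EVENTS):
        print(*finding)
```

Two operational caveats: Event ID 5145 only appears when the "Audit Detailed File Share" subcategory is enabled, and the jump-host allow list is what keeps the share-write and RDP rules from firing on every legitimate administrative session, so it has to be maintained as carefully as the rules themselves.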
CDA's TID-H01 (Detection Engineering Program, 32 hours) includes lateral movement detection as a priority category because lateral movement techniques generate consistent, detectable artifacts that provide the last opportunity to contain an attack before domain-level compromise.
CDA Perspective
Lateral movement sits at the intersection of TID (detection) and SPH/IAT (prevention) in the Planetary Defense Model. TID detects lateral movement through SIEM correlation rules, behavioral analytics (anomalous authentication patterns, unusual system-to-system connections), and threat hunting (searching for evidence of credential-based movement that automated detection missed). SPH prevents lateral movement through network segmentation (restricting which systems can communicate) and endpoint hardening (host-based firewalls, credential protection). IAT prevents lateral movement through credential controls (PAM, Credential Guard, tier model enforcement) that eliminate the stolen credentials lateral movement depends on.
The terrain metaphor: lateral movement is the attacker's advance across the defended terrain. In a flat, open terrain (flat network, shared credentials, no segmentation), the advance is rapid and undetected. In fortified terrain (segmented network, unique credentials per system, detection at every boundary), the advance is slow, noisy, and containable. CDA's SPH operations fortify the terrain. CDA's TID operations detect the advance. Together, they create the defensive depth that converts a single compromised endpoint into a detected, contained incident rather than a domain-wide catastrophe.
Three TOP missions address lateral movement:
- TID-H01 (Detection Engineering Program): Includes lateral movement detection rules as a priority category. PsExec detection, RDP anomaly detection, WMI execution monitoring, pass-the-hash indicators, and Kerberos anomalies. 32 estimated hours.
- TID-H03 (Threat Hunting Program): Includes lateral movement hunting hypotheses. "If an attacker moved laterally from the finance workstation segment to the server segment, we would expect to see anomalous SMB connections and authentication events in the server segment logs." 24 estimated hours.
- IAT-D01 (Credential Compromise Drill): Tests whether stolen credentials enable lateral movement. The red team steals credentials from one system and attempts to move to others. Success reveals which credential controls are missing. 16 estimated hours.
Key Takeaways
- Lateral movement is the attack phase that expands a single compromised system into a network-wide compromise. Detecting and preventing it is the last reliable opportunity before catastrophic impact.
- Primary Windows techniques: PsExec/SMB execution, WMI, RDP, pass-the-hash, pass-the-ticket, and PowerShell Remoting. Each uses stolen credentials or tokens to access remote systems.
- Network segmentation restricts lateral movement by creating boundaries the attacker must traverse. Each boundary is both a restriction and a detection opportunity.
- Lateral movement techniques generate consistent detectable artifacts. SIEM rules for SMB tool transfer, remote service creation, WMI execution, and anomalous Kerberos are among the highest-value detection investments.
- CDA's defense-in-depth: SPH fortifies the terrain (segmentation), IAT eliminates the credentials (PAM, Credential Guard, tier model), TID detects the movement (SIEM rules, behavioral analytics, hunting).
Sources
- MITRE Corporation. "ATT&CK Tactic TA0008: Lateral Movement." attack.mitre.org, updated continuously.
- Metcalf, Sean. "Active Directory Security: Lateral Movement Techniques." adsecurity.org, updated continuously.
- Microsoft. "Detecting Lateral Movement: Advanced Threat Analytics and Microsoft Defender for Identity." Microsoft Learn, 2024.
- SANS Institute. "SEC504: Hacker Tools, Techniques, and Incident Handling (Lateral Movement Module)." SANS, 2024.
- Mandiant (Google Cloud). "M-Trends 2024: Lateral Movement and Dwell Time Analysis." Mandiant, April 2024.