Hard2bit

Lateral movement

What is lateral movement

An attack technique whereby an adversary who has gained initial access to the corporate network moves from the first compromised host to other internal systems in search of valuable data, critical systems, or administrative access, typically by reusing stolen credentials over legitimate remote-administration protocols.

Why it matters

Lateral movement is critical because:

  • Extends potential damage: an initial compromise of a single workstation can escalate to critical servers within minutes.
  • Bypasses perimeter controls: edge firewalls filter external traffic, not internal traffic; the attacker is already "inside".
  • Enables high-value data discovery: access to databases, financial data stores, and research and development systems.
  • Facilitates prolonged persistence: attackers establish multiple redundant access points (backdoors) across the internal network, so removing the first one does not evict them.
  • Increases time to detection: gradual, stealthy lateral movement over legitimate protocols can go unnoticed for weeks or months.
  • Affects compliance: network segmentation and monitoring for internal threats map to control requirements in ISO 27001, NIS2, and DORA.

Key points

  • Common techniques: pass-the-hash (NTLM), pass-the-ticket (Kerberos), abuse of legitimate administration tools and protocols (PsExec, WinRM, RDP, SSH), attacker tooling that maps and harvests the domain (BloodHound to find privilege paths, Mimikatz to extract credentials from memory), exploitation of trust relationships between domains or systems, and access to shared SMB/NFS resources.

  • Typical attack chain: initial access (weak or phished credentials) → local privilege escalation (unpatched local CVE) → credential theft and lateral movement (reusing administrative credentials) → access to critical data.

  • Segmentation: dividing the internal network into zones with traffic restrictions (VLANs with inter-VLAN filtering, microsegmentation) slows lateral movement and forces the attacker to find a way across each boundary.

  • Living off the land: PowerShell, WinRM, SSH and RDP are normal services that do not trigger "malware" alerts; EDR must detect anomalous usage of them, such as a marketing workstation opening RDP sessions to a series of servers.

  • Detection signals: failed authentication attempts against several hosts, permission or group-membership changes, unusual connections between systems; centralised logging and a SIEM are essential because no single host sees the whole pattern.

  • Zero Trust: continuous authentication and authorisation for each resource access, even from inside the network, so that a compromised host does not inherit access to everything on its subnet.

Real-world example

A marketing employee opens a phishing email that installs a backdoor on their laptop, giving the attacker remote access. From the laptop the attacker scans the internal network and finds a database server exposed without any internal firewall filtering. They connect with a built-in tool (RDP). The employee's credentials are rejected by the database server, but a password saved in a maintenance script on the laptop works. On the database server they discover another machine (the accounting server) on the same subnet. They extract from memory the NTLM hash of an administrator account that had previously logged on to the database server and perform pass-the-hash to authenticate to the accounting server without ever cracking the password. From there they reach a central file server holding financial reports and customer data and exfiltrate 500 MB over several days without being detected. The incident only comes to light when a backup fails for lack of disk space.

Common mistakes

  • Flat network: once inside, all internal traffic is permitted; the attacker moves freely.
  • No correlation: failed access attempts across 10 different systems are never brought together in a SIEM, so each host sees only a single harmless failure.
  • Excess privileges: standard users and non-critical servers hold permissions on databases or sensitive servers they have no business reaching.
  • No segmentation between departments: traffic between departments is unrestricted; a compromise in marketing can reach accounting directly.
  • Credentials in the open: administrative credentials saved in spreadsheets, scripts or internal wikis hand the attacker the next hop.
  • Endpoint-only visibility: EDR detects malware but not anomalous behaviour of legitimate tools; correlation of network and authentication events is needed.


Frequently asked questions

What is the difference between lateral movement and privilege escalation?

Privilege escalation is moving from standard user to administrator on the SAME system. Lateral movement is accessing OTHER systems or services. Both often occur together: first you escalate privileges on your compromised machine, then you use those privileges to move laterally to other systems.

How does a SIEM detect lateral movement?

By correlating events that no single host would flag on its own: failed authentications for one account across several systems, permission or group-membership changes, unusual connections between servers, use of administrative tools (RDP, PsExec, WinRM) from accounts or hosts that never use them, and deviations from a behavioural baseline (a 3 AM remote logon from an internal workstation that is normally idle). The SIEM needs centralised data from multiple sources: domain controller and host security logs, firewall and VPN logs, and EDR telemetry.
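As an added example (not code from Hard2bit or from any SIEM product), the correlation described in the "Detection signals" key point and in this answer, run over a handful of constructed log lines modelled loosely on Windows Security events 4624 (successful logon) and 4625 (failed logon). The pipe-delimited field layout, host names, IP addresses and thresholds are assumptions chosen for the illustration, not a vendor schema.

```python
"""Correlating authentication events across hosts to spot lateral movement.

Added example for this glossary page, not Hard2bit's code. The log lines are
constructed: timestamp|event_id|user|target_host|source_ip|logon_type, loosely
modelled on Windows Security events 4624 and 4625 (field layout is an assumption).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a compromised marketing workstation (10.10.20.15) sprays a
# stolen account across servers at 3 AM, then reaches three of them over the network.
SAMPLE_LOGS = """\
2024-03-12T02:57:01|4625|jsmith|SRV-DB-01|10.10.20.15|3
2024-03-12T02:57:04|4625|jsmith|SRV-DB-02|10.10.20.15|3
2024-03-12T02:57:07|4625|jsmith|SRV-FIN-01|10.10.20.15|3
2024-03-12T02:57:10|4625|jsmith|SRV-FILE-01|10.10.20.15|3
2024-03-12T02:58:30|4624|svc_backup|SRV-DB-01|10.10.20.15|3
2024-03-12T02:59:12|4624|svc_backup|SRV-FIN-01|10.10.20.15|10
2024-03-12T03:01:45|4624|svc_backup|SRV-FILE-01|10.10.20.15|3
2024-03-12T09:15:00|4624|jsmith|WS-MKT-07|10.10.20.15|2
2024-03-12T09:20:11|4625|mlopez|SRV-DB-01|10.10.30.8|3
2024-03-12T09:21:00|4624|mlopez|SRV-DB-01|10.10.30.8|3
"""

# Logon type 3 = network (SMB, PsExec, WinRM); 10 = RemoteInteractive (RDP).
NETWORK_LOGON_TYPES = {"3", "10"}


def parse(lines):
    """Turn the constructed pipe-delimited lines into event dicts."""
    events = []
    for line in lines.strip().splitlines():
        ts, event_id, user, target, src_ip, logon_type = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": event_id,
                       "user": user, "target": target, "src_ip": src_ip,
                       "logon_type": logon_type})
    return events


def _distinct_within_window(events, key, value_field, window, threshold):
    """For each value of `key`, report it if its events touch >= threshold distinct
    `value_field` values inside any sliding window of the given length."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append(e)
    hits = {}
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                seen.add(e[value_field])
            if len(seen) >= threshold:
                hits[k] = sorted(seen)
                break
    return hits


def detect(events, window=timedelta(minutes=10), fail_hosts=3, fanout_hosts=3, night=(0, 6)):
    """Three correlations a single host cannot make on its own. Returns a list of
    (rule, subject, hosts) tuples."""
    findings = []
    # 1. One account failing against several different hosts in a short window.
    failures = [e for e in events if e["event_id"] == "4625"]
    for user, hosts in _distinct_within_window(failures, "user", "target", window, fail_hosts).items():
        findings.append(("failed_auth_spread", user, hosts))
    # 2. One source address opening remote sessions to several targets (fan-out).
    net_success = [e for e in events
                   if e["event_id"] == "4624" and e["logon_type"] in NETWORK_LOGON_TYPES]
    for src, hosts in _distinct_within_window(net_success, "src_ip", "target", window, fanout_hosts).items():
        findings.append(("source_fanout", src, hosts))
    # 3. Remote logons outside the assumed working-hours baseline.
    for e in net_success:
        if night[0] <= e["ts"].hour < night[1]:
            findings.append(("off_hours_remote_logon", e["user"], [e["target"]]))
    return findings


if __name__ == "__main__":
    for rule, subject, hosts in detect(parse(SAMPLE_LOGS)):
        print(rule, subject, ", ".join(hosts))
```

The interactive logon on the workstation itself (type 2) and the single failure by mlopez are left alone: a lone failed logon is normal, and only the spread across hosts, the fan-out from one source and the 3 AM timing make the first half of the sample stand out.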

Does network segmentation completely prevent lateral movement?

It doesn't prevent it completely, but it significantly slows the attacker and makes them noisier. If the network is divided into 5 segregated zones with internal firewalls, the attacker must find a way across each boundary (a permitted rule, an exposed service, a credential valid in the next zone) instead of reaching every host from the first foothold, and each crossing is a chance to be logged and detected. It's an additional layer of defence; this is why Zero Trust and microsegmentation are best practice.

What is "pass-the-hash" and how does it work in lateral movement?

It's a technique where the attacker obtains a user's password hash (not the plaintext password), typically from memory on a compromised Windows host, and uses it directly to authenticate to another system without cracking it. It works against NTLM because the NT hash is all a client needs to compute a valid challenge response, so the hash is a password equivalent. The Kerberos counterparts are pass-the-ticket (reusing a stolen ticket) and overpass-the-hash (using the NT hash to request a ticket). Mitigations include unique local administrator passwords (Microsoft LAPS), tiered administration so that privileged credentials never land on workstations, Credential Guard and LSA protection to keep hashes out of memory, restricting or disabling NTLM where possible, and the Protected Users group; MFA helps on RDP gateways and VPNs but does not stop NTLM pass-the-hash on its own, and password salting does not help either, because the attacker never needs to crack the hash.