What is Lateral Movement? | Definition & Guide
Lateral movement is the set of techniques adversaries use to move from an initially compromised system to other systems within the target network, expanding their access to additional hosts, credentials, and data. After gaining initial access to a single endpoint — through phishing, exploitation, or credential abuse — the adversary pivots to other systems using techniques like pass-the-hash authentication, Remote Desktop Protocol (RDP), PsExec remote execution, WMI, SSH, and PowerShell Remoting. Lateral movement is the phase of an intrusion that turns a single-system compromise into a network-wide breach, and its onset defines the adversary's breakout time, the metric CrowdStrike tracks as the elapsed time between initial access and the first lateral movement. MITRE ATT&CK documents lateral movement as a distinct tactic (TA0008) with techniques including T1021 (Remote Services), T1550 (Use Alternate Authentication Material), and T1570 (Lateral Tool Transfer).
Definition
Lateral movement encompasses the techniques adversaries use after initial access to traverse from one system to additional systems within the target environment. The adversary's objective during lateral movement is to expand access — reaching domain controllers for credential harvesting, accessing file servers containing sensitive data, or positioning for ransomware deployment across multiple systems simultaneously. MITRE ATT&CK categorizes lateral movement as tactic TA0008, documenting techniques including Remote Desktop Protocol (T1021.001), SMB/Windows Admin Shares (T1021.002), SSH (T1021.004), WMI (T1021.006), pass-the-hash (T1550.002), and pass-the-ticket (T1550.003). Each technique rides on legitimate remote access protocols and authentication mechanisms, so detection depends largely on behavioral and contextual analysis rather than on signatures alone, although some tooling does leave recognizable artifacts (PsExec, for example, installs a service on the target).
Why It Matters
Lateral movement is the inflection point in every significant intrusion. A compromise confined to a single endpoint is operationally manageable: forensics scope is limited, affected credentials can be rotated, and the system can be reimaged. Once the adversary moves laterally, the scope grows with every hop: each compromised system yields additional credentials, data, and reachable network segments, and each of those enables the next hop. Ransomware operators specifically rely on lateral movement to position for maximum impact, deploying ransomware simultaneously across hundreds of systems rather than encrypting a single endpoint.
CrowdStrike's breakout time metric measures exactly this interval: the elapsed time from initial access to the first lateral movement. With reported average breakout times of roughly an hour or less, the adversary typically begins moving within the first hour of access. The fastest operators achieve lateral movement in under a minute, often using pre-harvested credentials from infostealer malware or access purchased from initial access brokers. For defenders, the window between initial access and lateral movement is the highest-value detection opportunity: containing the adversary before breakout limits the incident to a single system.
The detection challenge is that most lateral movement techniques use legitimate protocols and authentication mechanisms. An adversary using RDP with stolen credentials produces the same Security event 4624 (logon type 10, RemoteInteractive) as a legitimate administrator connecting remotely. PsExec remote execution uses the same SMB authentication and admin-share access as legitimate software deployment; what distinguishes it is the service it installs on the target (System event 7045, service name PSEXESVC by default) and which account is running it from which host. A WMI remote command produces an ordinary network logon (logon type 3) on the target, with the spawned process appearing under WmiPrvSE.exe as its parent, exactly as it does for administrative scripts. Detection therefore depends on contextual analysis: is this user account normally used for remote access? Is this source system normally an originator of RDP or SMB sessions? Do the volume and timing of the activity, say one workstation reaching several servers within minutes, fit the user's role and historical behavior?
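The contextual questions above can be turned into simple detection logic. The following is an added example, not code from the original page or from any vendor product: it learns, from a history of Security event 4624 records, which targets each account and each originating host normally reach, then triages a later window for three things: a source host that has never originated a remote logon before, an account reaching a host outside its history, and one host fanning out to several targets within minutes. All records are constructed for the example (the field names follow the real event; the hosts, accounts, and the ten-minute window and threshold of three are assumptions a real deployment would tune).

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Logon types that indicate a remote session: 3 = network (SMB, WMI, PsExec),
# 10 = RemoteInteractive (RDP). 2 (interactive) and 5 (service) are excluded.
REMOTE_LOGON_TYPES = {3, 10}


def _ev(ts, user, logon_type, src_host, src_ip, target):
    """One constructed 4624-style record (field names follow the real event;
    the data is made up for this example)."""
    return {
        "TimeCreated": datetime.fromisoformat(ts),
        "TargetUserName": user,
        "LogonType": logon_type,
        "WorkstationName": src_host,
        "IpAddress": src_ip,
        "Computer": target,  # host that logged the event, i.e. the logon target
    }


# Constructed history: two weeks of routine remote logons.
BASELINE_EVENTS = [
    _ev("2024-05-01T02:00:00", "svc-backup", 3, "SRV-BACKUP01", "10.0.5.10", "FS01"),
    _ev("2024-05-01T02:05:00", "svc-backup", 3, "SRV-BACKUP01", "10.0.5.10", "FS02"),
    _ev("2024-05-01T09:12:00", "jdoe", 10, "WS-042", "10.0.20.42", "JUMP01"),
    _ev("2024-05-02T08:40:00", "tadmin", 3, "ADMIN-WS", "10.0.1.5", "DC01"),
    _ev("2024-05-02T08:41:00", "tadmin", 10, "ADMIN-WS", "10.0.1.5", "FS01"),
    _ev("2024-05-03T09:30:00", "jdoe", 10, "WS-042", "10.0.20.42", "JUMP01"),
]

# Constructed detection window: jdoe's workstation suddenly reaches four servers
# in under three minutes, and a backup service account appears from a workstation.
WINDOW_EVENTS = [
    _ev("2024-05-14T13:00:10", "tadmin", 3, "ADMIN-WS", "10.0.1.5", "DC01"),
    _ev("2024-05-14T13:01:00", "jdoe", 3, "WS-042", "10.0.20.42", "FS01"),
    _ev("2024-05-14T13:01:30", "jdoe", 3, "WS-042", "10.0.20.42", "FS02"),
    _ev("2024-05-14T13:02:10", "jdoe", 3, "WS-042", "10.0.20.42", "HR-DB01"),
    _ev("2024-05-14T13:03:45", "jdoe", 10, "WS-042", "10.0.20.42", "DC01"),
    _ev("2024-05-14T13:05:00", "svc-backup", 3, "WS-117", "10.0.20.117", "FS01"),
]


def build_baseline(events):
    """Learn which targets each account and each originating host normally reach."""
    accounts = defaultdict(set)
    sources = defaultdict(set)
    for e in events:
        if e["LogonType"] not in REMOTE_LOGON_TYPES:
            continue
        accounts[e["TargetUserName"]].add(e["Computer"])
        sources[e["WorkstationName"]].add(e["Computer"])
    return {"accounts": dict(accounts), "sources": dict(sources)}


def triage(baseline, events, fanout_threshold=3, window=timedelta(minutes=10)):
    """Return findings for remote logons that break the learned context."""
    findings = []
    remote = sorted((e for e in events if e["LogonType"] in REMOTE_LOGON_TYPES),
                    key=lambda e: e["TimeCreated"])
    for e in remote:
        acct, src, tgt = e["TargetUserName"], e["WorkstationName"], e["Computer"]
        if src not in baseline["sources"]:
            # This host has never originated a remote logon: stolen creds on a new pivot?
            findings.append({"rule": "new_source", "source": src, "account": acct,
                             "target": tgt, "time": e["TimeCreated"]})
        if tgt not in baseline["accounts"].get(acct, set()):
            # Account reaching a host outside its own history.
            findings.append({"rule": "new_account_target", "source": src, "account": acct,
                             "target": tgt, "time": e["TimeCreated"]})
    by_src = defaultdict(list)
    for e in remote:
        by_src[e["WorkstationName"]].append(e)
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            reached = {x["Computer"] for x in evs[i:]
                       if x["TimeCreated"] - first["TimeCreated"] <= window}
            if len(reached) >= fanout_threshold:
                # One host touching many targets within minutes is the movement pattern itself.
                findings.append({"rule": "fanout", "source": src,
                                 "targets": sorted(reached), "time": first["TimeCreated"]})
                break  # one fan-out finding per source host is enough for triage
    return findings


def summarize(findings):
    """Count findings per rule for a quick triage view."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in triage(build_baseline(BASELINE_EVENTS), WINDOW_EVENTS):
        print(f)
```

On the constructed data the routine `tadmin` logon produces nothing, `svc-backup` appearing from `WS-117` fires only the new-source rule (the account has reached FS01 many times, so the account baseline is silent, which is exactly why source context matters), and `jdoe` fires four new-account-target findings plus one fan-out finding. The same three questions apply unchanged to SSH logs or cloud audit trails; only the field names differ.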
How It Works
Lateral movement follows a preparatory phase (reconnaissance and credential acquisition) and an execution phase (movement and persistence on the new host):
- Pre-movement reconnaissance — Before moving laterally, the adversary maps the network to identify valuable targets. Active Directory enumeration reveals domain admin accounts, group memberships, and trust relationships. Network scanning identifies live hosts, open ports, and accessible shares. Tools like BloodHound map attack paths from the compromised system to high-value targets (domain controllers, database servers). This reconnaissance uses standard tools and protocols — LDAP queries, DNS lookups, SMB share enumeration — that blend into normal network activity.
- Credential acquisition — Lateral movement requires authentication material that the target systems accept. Adversaries harvest it through several techniques: dumping LSASS process memory (T1003.001) to extract NTLM hashes, Kerberos tickets and, on hosts where WDigest or similar providers still cache it, cleartext passwords; reading the SAM registry hive (T1003.002) for local account hashes; Kerberoasting (T1558.003) to obtain service account ticket-granting service (TGS) tickets for offline cracking; and extracting credentials from browser stores, password managers, or configuration files. Credential access is a distinct MITRE ATT&CK tactic (TA0006) that feeds lateral movement.
- Movement execution — With credentials in hand, the adversary authenticates to target systems using techniques appropriate to the environment. In Windows domains: pass-the-hash uses NTLM hashes without knowing the cleartext password, pass-the-ticket uses stolen Kerberos tickets, RDP provides interactive desktop access, PsExec enables remote command execution, and WMI allows remote process creation. In Linux and cloud environments: stolen SSH keys provide access to servers, stolen API keys or tokens provide access to cloud services, and escaping a container to its host (which ATT&CK files under privilege escalation as T1611) puts the adversary on a node from which other workloads and the node's cloud credentials are reachable.
- Persistence establishment on new hosts — After reaching a new system, the adversary typically establishes persistence (ATT&CK tactic TA0003: scheduled tasks, services, WMI event subscriptions, added accounts) to maintain access even if the original compromise is discovered and remediated. This creates a foothold on multiple systems, making complete eradication more difficult for incident responders, who must identify and remove persistence mechanisms on every compromised host.
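Because the phases leave footprints in different logs, the strongest detections link them. The following added example (not code from the page or from any product) correlates three of the steps above across a constructed Windows event stream: a Kerberoasting burst (several RC4 service-ticket requests, Security event 4769 with TicketEncryptionType 0x17, for user-SPN accounts from one host within minutes), a later remote logon (4624) by one of those roasted accounts from the same source host, and a service installation (System event 7045) on the logon target seconds afterwards, which is what PsExec-style execution produces. Field names follow the real events; the event values, the burst threshold of three, the five-minute windows and the 24-hour reuse window are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"             # TicketEncryptionType of an RC4 service ticket (AES is 0x11/0x12)
REMOTE_LOGON_TYPES = {3, 10}  # network and RemoteInteractive logons


def _t(s):
    return datetime.fromisoformat(s)


def norm_ip(ip):
    """4769 records IPv4-mapped addresses (::ffff:a.b.c.d); 4624 records plain IPv4."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


# Constructed event stream (field names follow the real events; values are made up).
EVENTS = [
    # Credential acquisition: one workstation requests RC4 service tickets for
    # three user-SPN accounts within seconds (the Kerberoasting pattern).
    {"EventID": 4769, "TimeCreated": _t("2024-05-14T12:40:00"), "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.20.42"},
    {"EventID": 4769, "TimeCreated": _t("2024-05-14T12:40:02"), "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc-web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.20.42"},
    {"EventID": 4769, "TimeCreated": _t("2024-05-14T12:40:03"), "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc-backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.20.42"},
    # Routine: an AES ticket for a machine account from a different host.
    {"EventID": 4769, "TimeCreated": _t("2024-05-14T12:41:00"), "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.20.77"},
    # Movement: the cracked service account logs on to SQL01 from the roasting host.
    {"EventID": 4624, "TimeCreated": _t("2024-05-14T13:55:00"), "TargetUserName": "svc-sql",
     "LogonType": 3, "IpAddress": "10.0.20.42", "Computer": "SQL01"},
    # Execution on the target: PsExec-style service install seconds later (System log).
    {"EventID": 7045, "TimeCreated": _t("2024-05-14T13:55:04"), "Computer": "SQL01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Benign: the backup job from its own server; no roast burst came from that IP.
    {"EventID": 4624, "TimeCreated": _t("2024-05-14T14:00:00"), "TargetUserName": "svc-backup",
     "LogonType": 3, "IpAddress": "10.0.5.10", "Computer": "FS01"},
    # Benign: a service install with no preceding suspicious logon on that host
    # (hypothetical service name).
    {"EventID": 7045, "TimeCreated": _t("2024-05-14T14:10:00"), "Computer": "WS-077",
     "ServiceName": "VendorUpdateSvc", "ImagePath": "C:\\Program Files\\Vendor\\updater.exe"},
]


def find_kerberoast_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Return {source_ip: {"accounts": set, "time": first request}} for hosts that
    requested RC4 tickets for at least `threshold` distinct user-SPN accounts in `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts (random 120-char passwords) and the TGT service are not crackable targets
        by_ip[norm_ip(e["IpAddress"])].append(e)
    roasted = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(evs):
            names = {x["ServiceName"] for x in evs[i:]
                     if x["TimeCreated"] - first["TimeCreated"] <= window}
            if len(names) >= threshold:
                roasted[ip] = {"accounts": names, "time": first["TimeCreated"]}
                break
    return roasted


def correlate_chain(events, reuse_window=timedelta(hours=24), exec_window=timedelta(minutes=5)):
    """Link a roast burst to later remote logons by a roasted account from the same
    source host, and each such logon to a service install on its target shortly after."""
    roasted = find_kerberoast_sources(events)
    chains = []
    for logon in events:
        if logon["EventID"] != 4624 or logon["LogonType"] not in REMOTE_LOGON_TYPES:
            continue
        src = norm_ip(logon["IpAddress"])
        roast = roasted.get(src)
        if not roast or logon["TargetUserName"] not in roast["accounts"]:
            continue
        if not (roast["time"] <= logon["TimeCreated"] <= roast["time"] + reuse_window):
            continue
        chain = {"source_ip": src, "account": logon["TargetUserName"], "target": logon["Computer"],
                 "stages": ["kerberoast_burst", "roasted_account_remote_logon"]}
        for svc in events:
            if (svc["EventID"] == 7045 and svc["Computer"] == logon["Computer"]
                    and timedelta(0) <= svc["TimeCreated"] - logon["TimeCreated"] <= exec_window):
                chain["stages"].append("remote_service_install")
                chain["service"] = svc["ServiceName"]
                break
        chains.append(chain)
    return chains


if __name__ == "__main__":
    for c in correlate_chain(EVENTS):
        print(c)
```

The correlation key is the source host, not the account that did the roasting: the attacker requests tickets as one user but moves as the service account whose password was cracked. That is why the later `svc-backup` logon from its own backup server is left alone even though `svc-backup` was among the roasted accounts, while the `svc-sql` logon from the roasting workstation, followed four seconds later by a PSEXESVC install on SQL01, is reported as a three-stage chain.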
Lateral Movement and SEO/AEO
Lateral movement is a technique-specific search term that attracts security engineers, detection engineers, and incident responders focused on containing adversary intrusions. These searches signal practitioners evaluating their detection coverage for post-initial-access adversary activity. We target lateral movement and related ATT&CK technique terms as part of our cybersecurity SEO practice because content that addresses detection of legitimate-protocol abuse and credential-based movement, and the relationship between lateral movement detection and breakout time metrics, reaches the practitioners responsible for detection engineering and incident response.