Our Security Wiki.
Knowledge is power.

Lateral Movement

Lateral Movement

What is Lateral Movement?

Lateral movement in cybersecurity refers to the technique used by attackers or malicious actors to move horizontally across a network once they have gained initial access to a single system. It involves exploiting vulnerabilities, using stolen credentials, or employing various methods to pivot from one compromised system to another within the same network, aiming to gain more control, access sensitive information, and eventually reach their ultimate target.

Lateral movement can take various forms, including:

1. Credential Theft and Pass-the-Hash: Attackers might steal usernames and passwords from one compromised system and use them to authenticate and gain access to other systems within the network. Techniques like pass-the-hash involve using the hashed password to bypass authentication.

2. Exploiting Vulnerabilities: Attackers may exploit software vulnerabilities on one system to gain access and then use that compromised system as a foothold to exploit other systems with similar vulnerabilities.

3. Remote Desktop Protocol (RDP) Exploitation: If Remote Desktop Protocol is enabled and poorly configured, attackers can use it to remotely access systems and move laterally across the network.

4. Lateral Movement Tools: Attackers can use tools that allow remote control or administration of systems, such as PowerShell, PsExec, or Windows Management Instrumentation (WMI), to move from one system to another.

5. Pass-the-Ticket: Similar to pass-the-hash, this involves using Kerberos tickets obtained from one compromised system to authenticate and access other systems.

6. Brute Force Attacks: Attackers might attempt to guess passwords or use automated tools to systematically try different combinations until they find a valid one, allowing them to gain access to other systems.

7. Malware Propagation: Malicious software can be used to spread across a network, exploiting vulnerabilities or using techniques like lateral movement to infect other systems.

The goal of lateral movement is to increase the attacker’s control over the network, escalate privileges, and potentially gain access to valuable data or critical systems. Detecting and preventing lateral movement is crucial for effective cybersecurity. This involves implementing strong access controls, network segmentation, monitoring for suspicious activities, and keeping systems and software up-to-date with the latest security patches.

Just-in-time access permission management


  • What are common methods attackers use for lateral movement?

    Attackers may use various methods, including exploiting vulnerabilities, brute-force attacks, stolen credentials and malware, to move laterally within a network. Techniques like pass-the-hash, pass-the-ticket, and credential theft are also common.



  • Why is lateral movement a significant security concern?

    Lateral movement can allow attackers to evade detection and gain access to sensitive resources or data deeper within the network. It often preceded data exfiltration, data encryption (in ransomware attacks) or other malicious actions.

  • What are some indicators of lateral movement in a network?

    Indicators of lateral movement may include unusual or suspicious account activity, unauthorized access attempts, privileges

  • How can organizations detect and prevent lateral movement?

    Organizations can use a combination of measures, such as network segmentation, intrusion detection systems (IDS), endpoint detection and response (EDR) solutions, user and entity behavior analytics (UEBA), and strong access controls to detect and prevent lateral movement.