July 6, 2026 · 6 min read · concepts
Lateral movement is the collective term for the techniques an attacker uses, after the initial breach, to move from one system to another. This way they take control of more and more machines on the network. That first access almost never lands directly on the target. An attacker usually ends up on some random workstation, while the sensitive data, the domain admin accounts or the backup server sit somewhere else. Lateral movement is the phase in which they bridge that gap.
MITRE ATT&CK describes it as a separate tactic, Lateral Movement (TA0008). At its core, an attacker explores the network, obtains valid credentials and uses them to log in to remote systems and run commands. Often they pivot through several machines and accounts (using one hijacked machine as a stepping stone to the next) before reaching their actual target. It differs from privilege escalation. That is vertical, more rights on the same machine, whereas lateral movement is horizontal, with the same rights but on more and more machines. In practice the two keep alternating.
Lateral movement usually does not rely on exploits. An attacker who holds a valid username and its matching hash simply logs in over the normal Windows protocols. They use the infrastructure the way it was meant to be used, only with stolen keys. That is exactly why it is so hard to tell apart from legitimate administrator traffic.
Lateral movement almost always follows the same cycle. An attacker obtains credentials, picks a neighbouring system, authenticates to it and runs a command, and then harvests fresh credentials on that new system. This way they work step by step towards an account with more reach.
It all starts with credentials. On a workstation where an administrator is logged in, their credentials sit in LSASS memory, where tools like Mimikatz or NetExec pull them out. With a stolen NT hash an attacker does not even have to crack the password. Through Pass-the-Hash they log in with it as if they were that user. The Kerberos variants are called Overpass-the-Hash and Pass-the-Ticket, where a stolen Kerberos ticket serves as the proof.
With those credentials the attacker runs code remotely. MITRE groups this under Remote Services (T1021). The common channels on Windows are a handful of fixed protocols:
On Linux and network devices the same thing runs over SSH. Besides this route via stolen credentials there is a harder variant, exploiting a vulnerability in a network service (Exploitation of Remote Services, T1210), the way EternalBlue did in 2017. In a well-maintained network that is less common than the simple reuse of credentials.
Lateral movement is the link between one infected laptop and a fully compromised network. Without that step the damage stays limited to a single machine. With it, the whole domain eventually lies open.
The typical path in an Active Directory environment runs from an ordinary workstation to administrator rights on the domain controller. On the first machine the attacker grabs the hash of a logged-in administrator and uses it to log in to a second machine. There they harvest the credentials of everyone else who was logged in. They repeat that until they hold a domain admin account. From the domain controller they then read out all the password hashes of the domain, and the takeover is complete.
From that point the attacker decides what happens. Ransomware groups use lateral movement to roll out their encryption across hundreds of machines at once, often through the very management channels the IT department uses itself. Other attackers go straight for the systems that hold value, such as the financial records, the source code, the customer database or the backups. That is where the impact is greatest. Sometimes because an organisation grinds to a halt without those systems, sometimes because an attacker uses the captured data to extort or makes it public.
In an Active Directory pentest and a corporate network pentest, lateral movement is a central theme. We usually start with one set of credentials or one machine, and map out from there how far an attacker would get. BloodHound helps with that, because it draws the attack paths in Active Directory and shows which user reaches domain admin through which machines.
We do most of the practical work with NetExec, our default tool for trying credentials across an entire network and seeing where an account has local admin.
# Try a captured hash across a subnet; (Pwn3d!) means local admin
nxc smb 10.0.0.0/24 -u administrator -H 32ed87bdb5fdc5e9cba88547376818d4 --local-auth
# On every host where the hash works, pull the credentials straight from LSASS
nxc smb 10.0.0.0/24 -u administrator -H 32ed87bdb5fdc5e9cba88547376818d4 --local-auth -M lsassy
Wherever we find admin, we read out the memory there again and grab the next set of credentials. If you prefer separate tools, psexec.py and wmiexec.py from Impacket do the same job.
Only run this kind of test on systems for which you have explicit, written permission. Without that permission it is a criminal offense.
You cannot make lateral movement impossible, because it abuses the normal workings of your network. The chain can be broken in several places, though, and one good measure is often worth more than ten half-measures:
In the end it comes down to least privilege. The fewer places where valuable credentials lie around, and the fewer machines that are allowed to talk to each other, the shorter an attacker can move laterally.
NetExec (successor to CrackMapExec) is a multi-protocol tool for testing credentials, shares and users across a Windows network.
Kerberos is the authentication protocol of Active Directory, based on tickets and a central KDC. We show how it works and where attackers abuse it.
Pass-the-Hash lets attackers log in with a stolen NT hash without knowing the password. We show the risk in your AD network.