Monthly vulnerability scanning: first month free! Learn more →
Hero

WE ARE

HACKIFY

Lateral movement

Lateral movement

July 6, 2026 · 6 min read · concepts

active-directory post-exploitation network

What is lateral movement?

Lateral movement is the collective term for the techniques an attacker uses, after the initial breach, to move from one system to another. This way they take control of more and more machines on the network. That first access almost never lands directly on the target. An attacker usually ends up on some random workstation, while the sensitive data, the domain admin accounts or the backup server sit somewhere else. Lateral movement is the phase in which they bridge that gap.

MITRE ATT&CK describes it as a separate tactic, Lateral Movement (TA0008). At its core, an attacker explores the network, obtains valid credentials and uses them to log in to remote systems and run commands. Often they pivot through several machines and accounts (using one hijacked machine as a stepping stone to the next) before reaching their actual target. It differs from privilege escalation. That is vertical, more rights on the same machine, whereas lateral movement is horizontal, with the same rights but on more and more machines. In practice the two keep alternating.

Lateral movement usually does not rely on exploits. An attacker who holds a valid username and its matching hash simply logs in over the normal Windows protocols. They use the infrastructure the way it was meant to be used, only with stolen keys. That is exactly why it is so hard to tell apart from legitimate administrator traffic.

How does lateral movement work?

Lateral movement almost always follows the same cycle. An attacker obtains credentials, picks a neighbouring system, authenticates to it and runs a command, and then harvests fresh credentials on that new system. This way they work step by step towards an account with more reach.

It all starts with credentials. On a workstation where an administrator is logged in, their credentials sit in LSASS memory, where tools like Mimikatz or NetExec pull them out. With a stolen NT hash an attacker does not even have to crack the password. Through Pass-the-Hash they log in with it as if they were that user. The Kerberos variants are called Overpass-the-Hash and Pass-the-Ticket, where a stolen Kerberos ticket serves as the proof.

With those credentials the attacker runs code remotely. MITRE groups this under Remote Services (T1021). The common channels on Windows are a handful of fixed protocols:

  • SMB and the admin shares (T1021.002), the classic PsExec approach, where a service is created on the target that starts the command.
  • WMI, which starts a process remotely without needing a new service.
  • WinRM and PowerShell Remoting (T1021.006), the management channel that is already open in many environments anyway.
  • RDP (T1021.001) for interactive access, or hijacking an existing RDP session.

On Linux and network devices the same thing runs over SSH. Besides this route via stolen credentials there is a harder variant, exploiting a vulnerability in a network service (Exploitation of Remote Services, T1210), the way EternalBlue did in 2017. In a well-maintained network that is less common than the simple reuse of credentials.

What can an attacker achieve with lateral movement?

Lateral movement is the link between one infected laptop and a fully compromised network. Without that step the damage stays limited to a single machine. With it, the whole domain eventually lies open.

The typical path in an Active Directory environment runs from an ordinary workstation to administrator rights on the domain controller. On the first machine the attacker grabs the hash of a logged-in administrator and uses it to log in to a second machine. There they harvest the credentials of everyone else who was logged in. They repeat that until they hold a domain admin account. From the domain controller they then read out all the password hashes of the domain, and the takeover is complete.

From that point the attacker decides what happens. Ransomware groups use lateral movement to roll out their encryption across hundreds of machines at once, often through the very management channels the IT department uses itself. Other attackers go straight for the systems that hold value, such as the financial records, the source code, the customer database or the backups. That is where the impact is greatest. Sometimes because an organisation grinds to a halt without those systems, sometimes because an attacker uses the captured data to extort or makes it public.

Lateral movement in a pentest

In an Active Directory pentest and a corporate network pentest, lateral movement is a central theme. We usually start with one set of credentials or one machine, and map out from there how far an attacker would get. BloodHound helps with that, because it draws the attack paths in Active Directory and shows which user reaches domain admin through which machines.

We do most of the practical work with NetExec, our default tool for trying credentials across an entire network and seeing where an account has local admin.

# Try a captured hash across a subnet; (Pwn3d!) means local admin
nxc smb 10.0.0.0/24 -u administrator -H 32ed87bdb5fdc5e9cba88547376818d4 --local-auth

# On every host where the hash works, pull the credentials straight from LSASS
nxc smb 10.0.0.0/24 -u administrator -H 32ed87bdb5fdc5e9cba88547376818d4 --local-auth -M lsassy

Wherever we find admin, we read out the memory there again and grab the next set of credentials. If you prefer separate tools, psexec.py and wmiexec.py from Impacket do the same job.

Only run this kind of test on systems for which you have explicit, written permission. Without that permission it is a criminal offense.

Preventing lateral movement

You cannot make lateral movement impossible, because it abuses the normal workings of your network. The chain can be broken in several places, though, and one good measure is often worth more than ten half-measures:

  • Network segmentation limits which systems an infected machine can talk to at all. If a workstation can only reach the servers it genuinely needs, there is little to jump to from there.
  • A tiering model keeps privileged accounts away from ordinary workstations. If a domain admin never logs in to a laptop, their hash never ends up in the memory of a machine an attacker gets to first.
  • LAPS gives every machine a unique local admin password. One cracked machine then gives no access to the next, because that same local hash does not work there.
  • Restricting NTLM and enforcing SMB signing remove the protocols that Pass-the-Hash and relay attacks lean on. Credential Guard additionally isolates the hashes and tickets so they cannot simply be pulled from LSASS.
  • Monitoring catches what prevention leaves behind. An EDR or SIEM that watches traffic between workstations, new services over SMB and unusual WinRM sessions sees the chain where a single event still looks innocent.

In the end it comes down to least privilege. The fewer places where valuable credentials lie around, and the fewer machines that are allowed to talk to each other, the shorter an attacker can move laterally.

Frequently asked questions about lateral movement

What is the difference between lateral movement and privilege escalation?

Lateral movement is horizontal, with the same rights but on more and more machines. Privilege escalation is vertical, with more rights on a single machine. In a real attack the two alternate. An attacker escalates to local admin on a workstation, uses that to steal credentials, moves laterally to the next machine, and escalates again there.

Which tools do attackers use for lateral movement?

Usually not exotic malware, but ordinary administration tools. NetExec, Impacket (psexec.py, wmiexec.py) and PowerShell Remoting run commands remotely, Mimikatz and Lsassy pull credentials from memory, and BloodHound maps the shortest route to domain admin in advance. Because these are partly the same tools administrators use themselves, the traffic is hard to tell apart from legitimate management.

Does network segmentation stop lateral movement?

Segmentation does not stop it entirely, but it makes it a lot harder. It decides which systems an infected machine is allowed to talk to. If a workstation can only reach the few servers it needs, an attacker who lands on it has few neighbours to jump to. Segmentation works best together with a tiering model and LAPS, so that a stolen hash does not fit everywhere even within a segment.

How do you detect lateral movement?

Watch east-west traffic, meaning connections between workstations that are not normally there. An EDR or SIEM sees new services created over SMB (the classic PsExec method), unusual WinRM or WMI sessions, and accounts logging in at unusual times or on unusual machines. A single event often looks innocent; the sequence gives the attack away.

Related articles