What Is Lateral Movement? How Attackers Move Through a Network
After breaking in, attackers rarely stay put. Lateral movement is how they quietly hop from one system to the next, hunting for the data and access that's actually their goal. Here's how to catch it.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team.
Lateral movement refers to the techniques attackers use to progressively move through a network — from the system they first compromised to other systems — in pursuit of their ultimate objective. The initial foothold is rarely where the valuable data lives. So after breaking in, an attacker explores the environment, harvests credentials, and hops from machine to machine, expanding their control and inching toward the "crown jewels": domain controllers, databases, file servers, or sensitive intellectual property.
In short: lateral movement is the attacker quietly walking through your hallways after slipping in a side door. The break-in is just the beginning — lateral movement is how a single compromised laptop becomes a network-wide breach.
Where lateral movement fits in an attack
Lateral movement is a core post-compromise phase. It generally follows initial access and privilege escalation, and it works hand in hand with command and control as the attacker directs their spread. In the MITRE ATT&CK framework, Lateral Movement is a dedicated tactic; in the cyber kill chain, it's part of the internal activity that the original model compresses into its later stages. It's also one of the main reasons attackers can dwell in a network for weeks or months before being detected.
How lateral movement works
A typical lateral-movement cycle repeats three steps:
- Internal reconnaissance. The attacker maps the network — identifying other hosts, services, accounts, and where valuable data lives.
- Credential gathering. They harvest credentials, tokens, or password hashes from the compromised host to authenticate to other systems.
- Movement. Using those credentials and remote-access methods, they pivot to a new system — then repeat the cycle from there.
Common lateral movement techniques
- Pass-the-hash / pass-the-ticket: reusing stolen password hashes or Kerberos tickets to authenticate without knowing the plaintext password.
- Remote services: abusing legitimate remote-access protocols like RDP (Remote Desktop), SMB (file sharing), SSH, and WinRM to connect to other hosts.
- Remote execution tools: using built-in administration utilities (PsExec, WMI, PowerShell remoting) to run commands on other machines — overlapping with living-off-the-land techniques.
- Exploiting internal trust: abusing trust relationships between systems, shared local-admin passwords, or weak internal segmentation.
- Stolen credentials: simply logging in with valid accounts harvested along the way, which looks like normal activity.
A recurring theme is the abuse of legitimate tools and credentials, which is exactly what makes lateral movement so hard to spot — it often looks like ordinary administration.
Why lateral movement is so dangerous
- It reaches the crown jewels. Lateral movement is how an attacker gets from a low-value entry point to the systems that actually matter.
- It enables widespread impact. Network-wide ransomware deployment depends on lateral movement to spread before detonating everywhere at once.
- It extends dwell time. Blending into normal traffic lets attackers operate undetected for long periods.
- It's resilient. Multiple footholds across the network make the attacker hard to fully evict.
How to detect lateral movement
- Behavioral detection with EDR to spot suspicious remote execution, credential dumping, and abnormal process activity.
- Network monitoring for unusual internal (east-west) traffic — connections between hosts that don't normally talk to each other.
- User and entity behavior analytics (UEBA) to flag accounts authenticating to systems or at times they never have before.
- Deception technology like honeypots and honey credentials that legitimate users would never touch — interaction is a high-confidence signal.
- Proactive threat hunting for the specific techniques (pass-the-hash, anomalous RDP/SMB) mapped to ATT&CK.
How to limit lateral movement
- Network segmentation so a compromise in one zone can't freely reach others.
- Least privilege and credential hygiene — unique local-admin passwords, limited account rights, and protecting privileged credentials.
- Multi-factor authentication on internal and remote access to blunt stolen-credential reuse.
- Zero trust principles — verify every access request rather than trusting anything already "inside" the network.
- Restrict and monitor administrative tools that are commonly abused for remote execution.
A lateral movement scenario
Picture a ransomware intrusion. An employee opens a malicious attachment, giving the attacker a foothold on a single ordinary workstation — a machine with little of value on it. From there the attacker dumps the credentials cached on that workstation and discovers a local administrator account whose password is reused across many machines. Using pass-the-hash, they authenticate to neighboring systems without ever cracking the password, quietly hopping from host to host. Along the way they map the network, identify the file servers and the domain controller, and harvest more privileged credentials. Days or weeks later — having reached the systems that actually matter — they deploy ransomware everywhere at once.
The crucial point is that the initial infection was trivial; it was lateral movement that turned one careless click into an enterprise-wide disaster. It also highlights where defense would have helped: unique local-admin passwords would have stopped pass-the-hash cold, network segmentation would have contained the spread, and behavioral detection of abnormal internal logins could have caught the attacker mid-movement, long before the ransomware fired.
This is why defenders increasingly treat the internal network as hostile rather than trusted: assuming an attacker will eventually get a foothold, the goal becomes making the journey from that foothold to anything valuable as slow, noisy, and detectable as possible.
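The behavioral checks from the detection section above, run against the scenario's workstation-to-many-hosts hop chain, as an added Python example that is not part of the original article. The account names, host names, authentication events, baseline and decoy account are all constructed, and the thresholds (a ten-minute window, three distinct hosts) are illustrative assumptions a real deployment would tune.

```python
"""Three lateral-movement detections over constructed authentication events.

Each event is (timestamp, account, src_host, dst_host). The checks mirror the
article's detection list: a UEBA-style "never seen before" logon, a fan-out of
one source host reaching many hosts in a short window, and honey-credential use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed decoy account: no legitimate user or job ever authenticates with it.
HONEY_ACCOUNTS = {"svc_backup_decoy"}

# Constructed baseline of (account, dst_host) pairs seen during normal operation.
BASELINE = {("alice", "WS-101"), ("bob", "WS-102"), ("it_admin", "FS-01"), ("it_admin", "DC-01")}

# Constructed events: after hours, a shared local admin account hops from WS-101
# to several neighbors and a file server, then touches the decoy account on DC-01.
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "WS-101", "WS-101"),
    ("2024-05-01T09:05:00", "it_admin", "WS-201", "FS-01"),
    ("2024-05-01T22:10:00", "localadmin", "WS-101", "WS-102"),
    ("2024-05-01T22:11:00", "localadmin", "WS-101", "WS-103"),
    ("2024-05-01T22:12:00", "localadmin", "WS-101", "WS-104"),
    ("2024-05-01T22:13:00", "localadmin", "WS-101", "FS-01"),
    ("2024-05-01T22:15:00", "svc_backup_decoy", "WS-101", "DC-01"),
]

def novel_logons(events, baseline):
    """(account, dst_host) pairs that never appeared in the baseline window."""
    return sorted({(acct, dst) for _, acct, _, dst in events if (acct, dst) not in baseline})

def fan_out(events, window=timedelta(minutes=10), threshold=3):
    """Map src_host -> max number of distinct remote hosts reached within `window`.
    Only sources meeting `threshold` are returned; local logons (src == dst) are ignored."""
    by_src = defaultdict(list)
    for ts, _, src, dst in events:
        if src != dst:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):          # slide the window over each start time
            reached = {dst for t, dst in hits[i:] if t - start <= window}
            if len(reached) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(reached))
    return alerts

def honey_credential_use(events, honey=HONEY_ACCOUNTS):
    """Any authentication with a decoy account is a high-confidence alert."""
    return [ev for ev in events if ev[1] in honey]

if __name__ == "__main__":
    print("novel logons:", novel_logons(EVENTS, BASELINE))
    print("fan-out sources:", fan_out(EVENTS))
    print("honey credential use:", honey_credential_use(EVENTS))
```

The novelty check alone would also flag a legitimately new administrator, so in practice the fan-out and honey-credential signals are what raise the confidence enough to page someone.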
Where threat intelligence fits
Threat intelligence describes the lateral-movement techniques specific threat groups favor — which tools they use, how they harvest credentials, and how they pivot. Knowing an adversary's playbook turns lateral movement from an invisible activity into a set of concrete behaviors defenders can hunt for and detect before the attacker reaches anything critical.
The bottom line
Lateral movement is how attackers spread from an initial foothold to the systems that hold their real targets, using stolen credentials and legitimate tools (pass-the-hash, RDP, SMB, remote execution) to blend in. It's what turns one compromised device into a network-wide breach and enables organization-wide ransomware. Because it abuses legitimate activity, defense relies on segmentation, least privilege, MFA, zero trust, and behavioral detection plus hunting. To track how active threat groups move through networks, follow our live threat intelligence feed, aggregated from dozens of authoritative sources.
Frequently asked questions
What is lateral movement in cybersecurity?
Lateral movement is the set of techniques attackers use to move through a network from the system they first compromised to other systems, in pursuit of their goal. They harvest credentials and pivot from host to host to reach high-value targets like domain controllers and databases.
What are common lateral movement techniques?
Common techniques include pass-the-hash and pass-the-ticket, abusing remote services like RDP, SMB, SSH, and WinRM, using remote execution tools such as PsExec, WMI, and PowerShell remoting, exploiting internal trust relationships, and simply logging in with stolen valid credentials.
How do you detect lateral movement?
Use behavioral EDR to spot suspicious remote execution and credential dumping, monitor internal east-west network traffic for unusual host-to-host connections, apply UEBA to flag abnormal authentications, deploy deception like honey credentials, and hunt for techniques mapped to MITRE ATT&CK.
How do you prevent lateral movement?
Segment the network, enforce least privilege and strong credential hygiene (including unique local-admin passwords), require MFA on internal and remote access, adopt zero-trust principles that verify every request, and restrict and monitor administrative tools commonly abused for remote execution.
Why is lateral movement important to attackers?
The initial point of compromise is rarely where valuable data lives. Lateral movement lets attackers reach the crown jewels, deploy ransomware network-wide, and maintain multiple footholds — while blending into normal administrative activity, which extends how long they go undetected.