Lateral Movement: How Attackers Move Through Your Network
What lateral movement is, the MITRE ATT&CK techniques behind it, and why testing one system at a time never catches it.
What Is Lateral Movement?
Lateral movement is the set of techniques an attacker uses to move from an initial foothold to other systems and accounts inside a network, in pursuit of a higher-value target. MITRE ATT&CK catalogs it as Enterprise tactic TA0008.
An attacker rarely lands directly on the asset they want. They compromise one system, a laptop, an exposed API, a low-privilege account, and then explore the network to find and reach their real target, often reusing legitimate credentials and native tools rather than obvious malware to stay stealthy.
Common Lateral Movement Techniques
MITRE ATT&CK lists nine techniques under this tactic. The table below covers the ones seen most often in real engagements.
| ATT&CK ID | Technique | What it looks like |
|---|---|---|
| T1021 | Remote Services | Using valid credentials to log into RDP, SSH, SMB, or WinRM on another system |
| T1550 | Use Alternate Authentication Material | Pass-the-hash, pass-the-ticket, or stolen session cookies to bypass normal login |
| T1570 | Lateral Tool Transfer | Copying tools or payloads from one compromised system to another |
| T1534 | Internal Spearphishing | Using a compromised internal account to phish other employees |
| T1563 | Remote Service Session Hijacking | Taking over an existing SSH or RDP session rather than starting a new one |
Why It Matters
Lateral movement is where a single low-severity finding turns into a real incident. A forgotten test server with a shared local admin password looks minor on its own. Chained with a pass-the-hash technique and a misconfigured trust relationship, it becomes a path to the domain controller. Roughly 20% of breaches trace back to exactly this kind of peripheral asset that nobody was watching closely.
Traditional vulnerability scanning cannot show this. It evaluates hosts individually and has no concept of what happens once an attacker gets a foothold and starts pivoting.
How to Test for Lateral Movement
Testing for lateral movement requires a red-team or pentest exercise built to chain findings, not a scan built to list them. That means starting from a realistic foothold, attempting the same techniques listed above, and proving how far an attacker could actually get, with evidence at each step rather than a theoretical risk score.
Frequently Asked Questions
What is lateral movement in cybersecurity?
Lateral movement is how an attacker moves from an initial compromised system to other systems and accounts on the same network, usually to reach a higher-value target. MITRE ATT&CK tracks it as tactic TA0008.
What is pass-the-hash?
Pass-the-hash is a lateral movement technique where an attacker uses a stolen password hash to authenticate as a user without ever knowing the plaintext password.
Can a vulnerability scanner detect lateral movement risk?
Not reliably. Scanners assess hosts individually and do not model how an attacker could chain access across multiple systems and accounts.
How is lateral movement different from privilege escalation?
Privilege escalation increases an attacker’s permissions on the system they are already on. Lateral movement is about moving to a different system or account entirely.
What is the best defense against lateral movement?
Network segmentation, least-privilege access, monitoring for anomalous authentication patterns, and regularly testing whether an attacker could actually chain a path between segments.
Related Reading
See How Far an Attacker Could Actually Get
Get a pentest that chains findings into real, evidence-backed attack paths, not a list of isolated vulnerabilities.