Skip to content
Security Glossary / Lateral Movement

Lateral Movement: How Attackers Move Through Your Network

What lateral movement is, the MITRE ATT&CK techniques behind it, and why testing one system at a time never catches it.

What Is Lateral Movement?

Lateral movement is the set of techniques an attacker uses to move from an initial foothold to other systems and accounts inside a network, in pursuit of a higher-value target. MITRE ATT&CK catalogs it as Enterprise tactic TA0008.

An attacker rarely lands directly on the asset they want. They compromise one system, a laptop, an exposed API, a low-privilege account, and then explore the network to find and reach their real target, often reusing legitimate credentials and native tools rather than obvious malware to stay stealthy.

Common Lateral Movement Techniques

MITRE ATT&CK lists nine techniques under this tactic. The table below covers the ones seen most often in real engagements.

ATT&CK ID Technique What it looks like
T1021 Remote Services Using valid credentials to log into RDP, SSH, SMB, or WinRM on another system
T1550 Use Alternate Authentication Material Pass-the-hash, pass-the-ticket, or stolen session cookies to bypass normal login
T1570 Lateral Tool Transfer Copying tools or payloads from one compromised system to another
T1534 Internal Spearphishing Using a compromised internal account to phish other employees
T1563 Remote Service Session Hijacking Taking over an existing SSH or RDP session rather than starting a new one

Why It Matters

The gap: a scanner that tests one system in isolation will never find the path an attacker actually takes across five systems to reach a crown-jewel asset.

Lateral movement is where a single low-severity finding turns into a real incident. A forgotten test server with a shared local admin password looks minor on its own. Chained with a pass-the-hash technique and a misconfigured trust relationship, it becomes a path to the domain controller. Roughly 20% of breaches trace back to exactly this kind of peripheral asset that nobody was watching closely.

Traditional vulnerability scanning cannot show this. It evaluates hosts individually and has no concept of what happens once an attacker gets a foothold and starts pivoting.

How to Test for Lateral Movement

Testing for lateral movement requires a red-team or pentest exercise built to chain findings, not a scan built to list them. That means starting from a realistic foothold, attempting the same techniques listed above, and proving how far an attacker could actually get, with evidence at each step rather than a theoretical risk score.

Frequently Asked Questions

What is lateral movement in cybersecurity?

Lateral movement is how an attacker moves from an initial compromised system to other systems and accounts on the same network, usually to reach a higher-value target. MITRE ATT&CK tracks it as tactic TA0008.

What is pass-the-hash?

Pass-the-hash is a lateral movement technique where an attacker uses a stolen password hash to authenticate as a user without ever knowing the plaintext password.

Can a vulnerability scanner detect lateral movement risk?

Not reliably. Scanners assess hosts individually and do not model how an attacker could chain access across multiple systems and accounts.

How is lateral movement different from privilege escalation?

Privilege escalation increases an attacker’s permissions on the system they are already on. Lateral movement is about moving to a different system or account entirely.

What is the best defense against lateral movement?

Network segmentation, least-privilege access, monitoring for anomalous authentication patterns, and regularly testing whether an attacker could actually chain a path between segments.

Related Reading

Featured across 30+ analyst reports, including the Gartner Hype Cycle

See How Far an Attacker Could Actually Get

Get a pentest that chains findings into real, evidence-backed attack paths, not a list of isolated vulnerabilities.

Free AI Pen Test