eastbaycyber

Lateral Movement: Definition, How It Works, and How to Detect It

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

Lateral movement is the set of techniques adversaries use to expand access within a network after an initial foothold, moving from one system or identity to another to reach higher-value targets. It’s how a single compromised endpoint can turn into domain-wide compromise.

Lateral movement is the attacker behavior that turns a single foothold into a broader compromise: after initial access, intruders pivot from one host or identity to others inside your environment. If you can detect and contain lateral movement early, you can often prevent domain-wide compromise, large-scale data theft, or ransomware deployment.

How lateral movement works

Lateral movement is less about “exploiting the perimeter” and more about abusing what already exists internally: credentials, remote management tools, trust relationships, and misconfigurations. In practice, it typically follows a repeatable chain:

  1. Initial foothold - Phishing, drive-by download, exploited exposed service, or stolen VPN credentials gets an attacker onto one endpoint or into one account.

  2. Recon (internal discovery) - The attacker enumerates where they are and what they can reach: domain membership, logged-on users, network shares, admin groups, remote management ports, and AD objects.

  3. Credential access - Harvesting credentials from memory (e.g., LSASS), browser stores, cached tokens, Kerberos tickets, SSH keys, or configuration files. - Capturing NTLM hashes or cleartext passwords, then reusing them.

  4. Privilege escalation (often intertwined) - Local admin to SYSTEM, or standard domain user to higher-privileged account via misconfigurations, weak ACLs, token theft, or vulnerable services.

  5. Remote execution / pivot - Using built-in protocols and tools to execute commands on another host:

    • Windows: SMB (admin shares), WMI, WinRM/PowerShell Remoting, Scheduled Tasks, Services, RDP.
    • Linux: SSH, remote shells, orchestration tools.
    • Sometimes via “living off the land” binaries (LOLBins) to blend in.
  6. Repeat until objective - The attacker keeps pivoting—endpoint → file server → app server → domain controller—until they can exfiltrate data, deploy ransomware, or maintain persistence.

Common lateral movement paths (what defenders actually see)

  • RDP to servers using stolen credentials, especially to jump hosts and file servers.
  • SMB-based movement:
  • Accessing \\HOST\ADMIN$ or \\HOST\C$ and remotely creating/starting services.
  • WMI / WinRM:
  • Remote command execution that looks like legitimate admin activity.
  • Kerberos abuse in AD environments:
  • Ticket theft and reuse, attacks that leverage service accounts, or abusing delegation.
  • Remote tooling
  • Attackers may deploy PSExec-like behavior (even without Sysinternals), remote agents, or repurpose RMM tools if present.

Quick mental model (two requirements)

Lateral movement generally requires two things: - A reachable management surface (ports/protocols or an internal agent) - An identity with enough rights (valid credentials, tokens, tickets, or misused trust)

If you remove either (segmentation + least privilege), you dramatically reduce blast radius.

When you’ll encounter lateral movement

You’ll encounter lateral movement in both active incidents and routine security monitoring—especially in Windows/Active Directory-heavy environments.

During a suspected breach or ransomware event

Lateral movement is a hallmark of pre-ransomware operations: - A single workstation compromise rapidly turns into attempts against: - File servers (for maximum impact) - Hypervisors/backup servers (to inhibit recovery) - Domain controllers (to gain broad control)

Operational clue: the environment suddenly shows a spike in remote logons, new services, scheduled tasks, or administrative share access—often outside normal admin hours.

In environments with “flat networks”

Organizations with minimal segmentation and shared local admin passwords are particularly exposed: - One local admin credential reused across endpoints enables fast pivoting. - Broad access to SMB/RDP across VLANs makes movement trivial.

During routine admin operations (false positive risk)

Many legitimate IT activities look like lateral movement: - Patch deployment tools, config management, EDR response actions, backup agents, helpdesk remote support. - This is why context (who/what/when) matters: baselining normal admin patterns is essential.

Red team, pen test, and purple team exercises

Lateral movement is a core objective in authorized testing: - Demonstrating how quickly an attacker can reach crown jewels from a low-privilege foothold. - Validating detections for remote execution, credential misuse, and AD abuse.

How to detect lateral movement (logs, signals, and patterns)

Exact event IDs and fields vary by OS version and auditing policy—focus on patterns, not just single events.

Windows event log patterns (high-signal starting points)

  • Remote logons (new or unusual sources)
  • Look for logons to many hosts from one workstation, or logons by a user who normally doesn’t admin those systems.
  • Admin share access
  • Connections to ADMIN$, C$, and other hidden shares from non-admin workstations are suspicious.
  • Service / scheduled task creation
  • Sudden creation of services or tasks that execute cmd.exe, powershell.exe, or binaries from unusual paths.

Example queries depend on your SIEM, but the goal is consistent: - “Show me new remote interactive/network logons to servers” - “Show me service installs and scheduled tasks created remotely” - “Show me SMB connections to admin shares”

Useful host-level triage commands (Windows)

# Who is logged on (local + remote sessions)
query user

# Recently created scheduled tasks
schtasks /query /fo LIST /v | findstr /i "TaskName Author Run As User"

# Services with unusual binary paths
Get-CimInstance Win32_Service |
  Where-Object { $_.PathName -match "AppData|Temp|Users\\Public|ProgramData" } |
  Select-Object Name, StartMode, State, PathName

# Open network connections (quick view)
netstat -ano

Useful host-level triage commands (Linux)

# Recent logins
last -a | head

# SSH auth logs (path varies by distro)
sudo grep -E "Accepted|Failed|Invalid user|session opened" /var/log/auth.log 2>/dev/null
sudo grep -E "Accepted|Failed|Invalid user|session opened" /var/log/secure 2>/dev/null

# Active SSH connections
ss -tpn | grep ssh

Network indicators worth alerting on

  • Internal scanning or connection bursts to:
  • 445/tcp (SMB), 3389/tcp (RDP), 5985/5986 (WinRM), 135 + high ports (RPC), 22/tcp (SSH)
  • “One-to-many” patterns:
  • One host suddenly trying to authenticate to dozens/hundreds of peers.

How to prevent or limit lateral movement (practical controls)

Reduce credential reuse and credential exposure

  • Enforce least privilege and remove standing local admin where possible.
  • Use LAPS / password randomization for local admin accounts to prevent a single password from unlocking many endpoints.
  • Protect privileged users with tiered admin practices (separate admin workstations and accounts).
  • Prefer phishing-resistant MFA and strong password hygiene. For many teams, the simplest win is standardizing a business password manager (see: password manager for small business 2026/). If you’re evaluating tools, 1Password is a common option for SMBs: Try 1Password →.

Tighten and segment administrative pathways

  • Restrict SMB/RDP/WinRM to admin networks (or just jump hosts), not “any-to-any.”
  • Block lateral protocols between workstation VLANs unless explicitly required.
  • Treat “management plane access” as production access: log it, gate it, and minimize it.

Improve endpoint visibility and response speed

  • Ensure endpoints have EDR/AV coverage and centrally managed policies. If you’re comparing controls for Windows fleets, see best antivirus for windows business endpoints 2026.
  • Consider a managed detection and response program when staffing is limited; it can help catch lateral movement earlier and run containment quickly (related: what is mdr/).
  • For additional endpoint remediation capability, Malwarebytes is one commonly deployed option: Get Malwarebytes →.

Secure remote access and reduce “stolen credential” blast radius

  • Require MFA for VPN and remote access and limit split tunneling based on your risk model.
  • Review who can reach RDP/SSH at all. If you rely on consumer-style VPNs for travel or contractor access, choose reputable providers and enforce device posture where possible (options include Check NordVPN pricing → and Try Proton VPN → depending on your use case).

Immediate containment checklist (practitioner-focused)

If you suspect lateral movement is in progress:

1) Isolate suspected hosts (EDR isolate or network quarantine).
2) Identify the credential(s) used (user/service accounts) and rotate/reset fast.
3) Block lateral protocols where possible (tighten SMB/RDP/WinRM scope to admin networks only).
4) Hunt for persistence created during movement (services, tasks, new local admins, SSH keys).
5) Validate AD health: tiered admin model, privileged group membership changes, DC logons.

Lateral movement is the difference between a “single compromised machine” and an organization-wide incident. The fastest wins are reducing credential reuse, restricting administrative pathways, and aggressively monitoring remote authentication and execution behaviors.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Related terms

Initial Access

How an attacker gets in (phishing, exposed service, stolen creds). Lateral movement happens after this.

Pivoting

A general term for using one compromised system to reach another network segment or host; lateral movement is pivoting inside an environment.

Privilege Escalation

Gaining higher permissions (local admin, domain admin). Often a prerequisite for effective lateral movement.

Credential Dumping / Credential Theft

Extracting passwords/hashes/tokens/tickets used to authenticate elsewhere—frequently the enabler for lateral movement.

Pass-the-Hash (PtH)

Using NTLM hashes to authenticate without knowing the plaintext password.

Kerberos Ticket Abuse

Misusing Kerberos tickets (e.g., stolen tickets) to access services; commonly seen in AD compromises.

Remote Service Creation / Remote Execution

Techniques to run commands on another host (services, scheduled tasks, WMI, WinRM, SSH).

Living off the Land (LotL/LOLBins)

Using native tools (PowerShell, WMI, net.exe, sc.exe) to reduce reliance on malware binaries.

Network Segmentation

A defensive control limiting which systems can talk to which—one of the best ways to contain lateral movement.

MITRE ATT&CK – Lateral Movement

A taxonomy category describing these techniques; useful for mapping detections and control gaps.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.