← All glossary terms
Identity Security6 min read

What is Lateral Movement?

Lateral movement is how attackers move from one system or identity to another inside an environment, expanding access without triggering detection. Learn the techniques, examples, and defenses.

What is Lateral Movement?

Definition

Lateral movement is the set of techniques attackers use to move from one system, account, or environment to another inside a network or cloud tenant after initial access — usually with the goal of reaching higher-value targets.

It is the TA0008 Lateral Movement tactic in MITRE ATT&CK and one of the most consequential stages of any breach: it is what turns a single compromised endpoint into a tenant-wide incident.

In simple terms:

Lateral movement is how a phished laptop becomes a domain compromise.


Why Lateral Movement Matters

Modern attackers rarely succeed in one hop. The typical pattern looks like:

  1. Initial access — phishing, infostealer, vulnerability, supply chain.
  2. Establish foothold — persistence, beacon.
  3. Discover — enumerate AD, cloud, network.
  4. Move laterally — reuse credentials, abuse trust.
  5. Escalate privilege — reach Tier 0 or sensitive data.
  6. Act on objectives — exfiltrate, encrypt, manipulate.

Stopping lateral movement breaks the chain. The 2017 NotPetya, 2021 Colonial Pipeline, 2023 MGM, and 2023 Caesars incidents all relied heavily on lateral movement after a relatively modest initial compromise.


How Lateral Movement Differs from Privilege Escalation

  • Lateral movement — moving sideways to other systems or peer-level accounts.
  • Privilege escalation — moving up to higher-privilege accounts.

In real attacks they interleave constantly: lateral move to a server, escalate locally, lateral move to another server with the new credentials, and so on.


Common Lateral Movement Techniques

Active Directory / Windows

  • Pass-the-Hash (PtH) — authenticate with an NTLM hash without knowing the password.
  • Pass-the-Ticket (PtT) — reuse a captured Kerberos TGT or service ticket.
  • Overpass-the-Hash — use an NTLM hash to request Kerberos tickets.
  • Silver / Golden Ticket — forge service / TGT tickets for persistent access.
  • Remote service execution — PsExec, WMI, WinRM, scheduled tasks, services.
  • RDP — remote desktop with valid credentials.
  • DCOM — abuse Distributed COM for remote execution.
  • Shadow Credentials — abuse Key Trust to authenticate as another user.
  • Resource-Based Constrained Delegation (RBCD) abuse.

Cloud

  • AssumeRole / cross-account access — hop across AWS accounts.
  • Service account impersonationiam.serviceAccountTokenCreator in GCP.
  • Managed identity / instance metadata abuse — pivot from a compromised VM into cloud APIs.
  • Federation trust abuse — move between tenants via SAML/OIDC trust.
  • OAuth token reuse — reuse stolen tokens across SaaS apps.

Linux / Unix

  • SSH key reuse — reuse keys harvested from ~/.ssh/.
  • Sudo and SUID misconfigurations.
  • Stored credentials in scripts and config files.
  • Kubernetes service account token reuse.

Generic

  • Credential reuse across systems.
  • Stolen API keys used against multiple services.
  • Browser cookie theft to ride sessions.
  • VPN / VDI access with valid stolen credentials.

Real-World Examples

Example 1: NotPetya (2017)

Initial infection via a Ukrainian software supply chain. Used Mimikatz to dump credentials from memory, then PsExec and WMI with stolen credentials to reach every reachable host. Lateral movement turned a single foothold into global outages for major companies in minutes.

Example 2: Colonial Pipeline (2021)

Initial access through a leaked VPN credential without MFA. Once inside, attackers moved laterally across the IT environment, leading to operational shutdown.

Example 3: MGM Resorts (2023)

Social engineering compromised a help desk identity. Attackers moved laterally through Active Directory and cloud, ultimately disrupting hospitality operations across multiple properties.

Example 4: Pass-the-Hash in Practice

  • Attacker dumps NTLM hashes from a compromised workstation (LSASS).
  • Reuses the hash to authenticate to a file server as a domain user.
  • Finds Domain Admin credentials in memory on the file server.
  • Uses those credentials to lateral-move to a domain controller.

Example 5: Kerberos Pass-the-Ticket

  • Attacker exports Kerberos tickets from a compromised host.
  • Imports them into another session.
  • Authenticates to multiple services without ever knowing the password.

Example 6: Cloud Cross-Account Abuse

  • Attacker compromises a developer's AWS access key.
  • Developer's role can AssumeRole into a shared services account.
  • From shared services, role chaining reaches a production account.
  • Each hop looks like normal AWS activity.

Why Lateral Movement Is Hard to Detect

  • Uses legitimate protocols (Kerberos, NTLM, RDP, SSH, AWS STS).
  • Looks like normal admin work in logs.
  • Reuses valid credentials, evading endpoint controls.
  • Takes advantage of permissive trust — flat networks, shared service accounts, broad cloud roles.
  • Hidden privilege paths offer many alternative routes.

Defenses Against Lateral Movement

1. Reduce the Attack Surface

  • Tiered administration — Tier 0 admins never log into Tier 1/2 systems.
  • Network segmentation and microsegmentation — limit east-west reachability.
  • Credential guard / Remote Credential Guard to protect cached creds.
  • Disable NTLM where possible; restrict where it's allowed.
  • Restrict legacy protocols (SMBv1, NTLMv1).
  • LAPS for unique local administrator passwords.

2. Eliminate Standing Privilege

  • JIT elevation breaks credential reuse — even if a hash is stolen, the privileged session may already be revoked.

3. Right-Size Service Accounts

  • Service accounts widely used for lateral movement; fewer privileges = fewer hops.
  • Restrict interactive logon for service accounts.
  • Use group Managed Service Accounts (gMSA) to remove static passwords.

4. Strong, Phishing-Resistant MFA

  • Reduces initial access success rate.
  • CAEP / continuous access evaluation revokes stolen tokens faster.

5. Cloud Boundaries

  • Avoid cross-account AssumeRole chains where not needed.
  • Restrict iam:PassRole, iam.serviceAccountTokenCreator, federation trust.
  • Use SCPs (AWS), IAM Conditions, and resource policies to limit reach.

6. Detection (ITDR)

  • Detect Pass-the-Hash, Pass-the-Ticket, Golden/Silver Ticket use.
  • Alert on unusual authentication patterns (service account interactive logon, unusual source hosts, rare destinations).
  • Detect unusual AssumeRole chains and federation activity.
  • Alert on RDP/SSH from unexpected sources.

7. Map Identity Attack Paths

Lateral movement is fundamentally a graph problem. Mapping all the available identity paths — and breaking choke points — eliminates many of the routes attackers would otherwise enjoy.


Lateral Movement Defense Checklist

  • Is tiered administration enforced (no Tier 0 logon to Tier 1/2)?
  • Are local admin passwords unique (LAPS)?
  • Is NTLM restricted or disabled?
  • Are interactive logons restricted for service accounts?
  • Are service accounts using gMSA where possible?
  • Are cross-account / cross-tenant trust relationships minimized?
  • Are PtH / PtT / Golden Ticket / DCSync detections in place?
  • Is continuous access evaluation enabled for SaaS / cloud?
  • Are identity attack paths analyzed continuously?
  • Are choke points prioritized for remediation?

How Forestall Helps

Lateral movement is a path problem. Forestall makes the paths visible and shrinkable:

  • Builds a complete identity graph across AD, Entra ID, AWS, GCP, and SaaS.
  • Surfaces every lateral move available to a given identity.
  • Highlights choke points where one fix breaks many paths.
  • Tracks how lateral reachability shrinks over time.
  • Integrates with detection to focus on paths that haven't yet been closed.

Frequently Asked Questions

Is lateral movement only on-premises?

No. Cloud lateral movement (cross-account roles, federation, OAuth tokens) is increasingly common.

Does MFA stop lateral movement?

It primarily stops initial access. Once attackers have a foothold, lateral movement often relies on identity reuse and trust paths that MFA doesn't directly address.

What's the most damaging lateral movement technique?

Domain Admin reuse — attackers find Tier 0 credentials cached on Tier 1 systems and replay them to take over the domain.

Should I disable NTLM completely?

Where compatibility allows, yes. At minimum, restrict it tightly and monitor its use.

How does attack path analysis help?

It maps every reachable identity from a given starting point and ranks the paths by impact, letting defenders cut the most useful routes first.


Conclusion

Lateral movement is the engine that turns small breaches into large ones. It thrives on permissive trust, shared credentials, overprivileged service accounts, and hidden privilege paths. Defending against it requires a combination of strong baseline hygiene (tiered admin, LAPS, gMSA, NTLM restrictions), aggressive privilege reduction, identity-aware detection, and continuous attack path analysis.

Cutting lateral movement is one of the highest-leverage things an identity security program can do — every path you remove is a future incident that stays small instead of becoming a headline.

Lateral MovementPass-the-HashActive DirectoryMITRE ATT&CK

Stop lateral movement before it reaches Tier 0.

Forestall maps the identity paths attackers use to move sideways — and the choke points that close them all at once.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

What is Lateral Movement? Techniques & Defenses | Forestall