What Is Lateral Movement in Cybersecurity?

Lateral movement is the set of techniques an attacker uses to progressively move through a network after gaining initial access, going from host to host to reach higher privileges and more valuable systems.

An attacker phishes one employee and lands on a single laptop. That laptop holds nothing of value, but it is enough. The attacker runs a credential-dumping tool, pulls a local administrator's password hash from memory, and uses that hash to authenticate to a file server over SMB without ever knowing the password. From the file server they find a cached domain administrator session, steal its Kerberos ticket, and use it to log in to the domain controller. Now they own the network. Every step used a valid credential and a legitimate Windows protocol, so to the logs it looked like an administrator doing administrator things.

That is lateral movement: the phase where an attacker turns one compromised machine into control of many. The initial breach is rarely the goal. The goal is the data, the domain, the crown jewels, and lateral movement is how the attacker travels from where they landed to where they want to be.

This guide covers what lateral movement is and where it sits in an attack, why it matters so much to defenders, how it works step by step, the common techniques mapped to MITRE ATT&CK, why it is so hard to detect, and how to detect and limit it. It is written for blue teamers who have to spot an attacker moving through their network.

What is lateral movement?

Lateral movement is the set of techniques an attacker uses to progressively move through a network after gaining initial access, going from host to host to reach higher privileges and more valuable systems. MITRE ATT&CK catalogs it as a dedicated tactic, Lateral Movement (TA0008), defined as the techniques adversaries use to enter and control remote systems.

It sits in the middle of the attack lifecycle. An intrusion typically runs: initial access (the phish, the exploit), then execution and persistence, then credential access, then lateral movement, and finally the objective (exfiltration, ransomware, sabotage). Lateral movement is the connective tissue. Without it, a breach is contained to one machine. With it, one foothold becomes a foothold everywhere.

The defining trait, and the reason it is so dangerous, is that lateral movement usually does not look like an attack. The attacker is not exploiting software; they are logging in. They use stolen-but-valid credentials and the same remote-administration tools that real admins use every day. The malicious action and the legitimate action are the same action, performed by a different person.

Why lateral movement matters

Lateral movement is where most of the damage is decided, and where the defender has the best chance to catch an intrusion before it becomes a breach.

It is where dwell time goes. The gap between compromise and detection is mostly the attacker moving around inside, quietly. Mandiant's M-Trends 2026 report puts the global median dwell time at 14 days, and that window is largely spent on internal reconnaissance and lateral movement, not on the initial break-in. Every one of those days is an opportunity to detect the attacker on the move.

It is also the difference between a small incident and a catastrophe. A single compromised laptop, caught early, is a cleanup task. The same compromise allowed to spread to the domain controller is a full-environment breach, the kind that ends in mass ransomware or large-scale data theft, with the cost and recovery time that implies. IBM's 2025 Cost of a Data Breach report put the global average breach at $4.44 million; the breaches at the high end are almost always the ones where the attacker moved freely.

Modern ransomware crews depend on it. They rarely encrypt the first machine they land on; they move first, harvesting credentials and reaching the domain controller, so they can push encryption to every host at once. The scale of a ransomware incident is largely set during the lateral movement that preceded it. Stopping that spread is how a defender keeps a foothold from becoming a full-environment breach.

How lateral movement works

[Figure: Lateral Movement, the hop chain. One laptop to the domain controller, every hop a valid login. Each step uses a stolen-but-valid credential and a legitimate Windows protocol, so to the logs it looks like an administrator at work.]
  Foothold (phished laptop): dump a local admin NTLM hash from memory.
  -> pass-the-hash (T1550.002), valid login, looks normal ->
  File server: authenticate over SMB with the hash; steal a cached domain admin Kerberos ticket.
  -> pass-the-ticket (T1550.003), valid login, looks normal ->
  Domain controller: reuse the stolen Kerberos ticket to log in. Now they own the network.
  Defender's window: no malware, no exploit, no traffic crossing the perimeter. Each hop is a valid credential used where it does not belong. Breaking any single link breaks the chain.

Lateral movement is not a single action but a repeating loop the attacker runs until they reach their objective.

  1. Establish a foothold. Initial access lands the attacker on one machine, usually a low-value endpoint via phishing or an exploited service.
  2. Internal reconnaissance. From inside, the attacker maps the network: what hosts exist, which accounts are logged in where, where the valuable systems and the domain controllers are. The inside view is far richer than anything visible from outside.
  3. Credential access. They harvest credentials from the current machine, dumping password hashes or Kerberos tickets from memory, reading stored passwords, or capturing them. This is the fuel for the next hop.
  4. Move to the next host. Using those credentials, they authenticate to another system with a legitimate remote protocol, gaining a foothold there.
  5. Escalate and repeat. On the new host they find higher-privileged credentials, and the loop runs again: recon, credentials, move. Each iteration gets closer to domain admin and the target data.

The pattern is a chain of hops, each one using what was stolen on the last. Breaking any link breaks the chain, which is why defenders try to stop it at every stage rather than betting on one control.

Common lateral movement techniques

Most lateral movement abuses legitimate authentication and remote-administration mechanisms. The techniques below map to MITRE ATT&CK and account for the bulk of what defenders see.

Technique                       | What the attacker does                                                          | ATT&CK
--------------------------------|---------------------------------------------------------------------------------|----------
Pass-the-hash                   | Authenticates with a stolen NTLM password hash, no plaintext password needed    | T1550.002
Pass-the-ticket                 | Reuses a stolen Kerberos ticket to authenticate as the victim                   | T1550.003
Remote Desktop (RDP)            | Logs into remote desktops with stolen credentials                               | T1021.001
SMB / admin shares (PsExec)     | Executes commands on remote hosts over SMB, the classic PsExec move             | T1021.002
WinRM and WMI                   | Runs commands remotely through Windows management interfaces                    | T1021.006
SSH                             | Moves between Linux and Unix hosts with stolen keys or credentials              | T1021.004
Exploitation of remote services | Exploits a vulnerability in a network service to land on another host           | T1210

A few patterns tie these together. Credential reuse is the engine: pass-the-hash (T1550.002) and pass-the-ticket (T1550.003) let an attacker authenticate without ever cracking a password, and they are almost always paired with a remote service (T1021) to actually make the hop. Living off the land is the disguise: RDP, SMB, WinRM, and WMI are real administration tools, so using them generates the same telemetry an admin would. Tools like Mimikatz for credential theft and PsExec for remote execution show up constantly because they automate exactly this. The relationship between NTLM and Kerberos authentication is worth knowing well, because attacks like Kerberoasting target the credential material these hops depend on.

Why lateral movement is hard to detect

The core problem is that lateral movement hides in legitimate activity. A pass-the-hash logon and a normal logon both produce an authentication event. PsExec is used by attackers and by administrators. There is no malicious file to flag and no exploit signature to match; there is only a valid credential being used in a way that happens to be unauthorized.

That breaks the controls built for other phases. Signature antivirus sees nothing, because nothing is malware. The perimeter firewall sees nothing, because the traffic is internal, east-west, never crossing the boundary it watches. Detecting lateral movement means recognizing that a normal-looking action is abnormal in context: this account does not usually log in to that server, at this hour, from that host. It is a problem of behavior and baseline, not signatures.

How to detect lateral movement

Because the activity looks legitimate, detection depends on correlation and baselines rather than known-bad indicators.

  • Authentication anomalies. Watch logon events for the patterns lateral movement creates: an account logging into systems it never uses, logons at odd hours, a single account authenticating to many hosts quickly, or NTLM where Kerberos is expected. Centralize these in a SIEM so they can be correlated across hosts.
  • East-west network monitoring. Most defenses watch traffic crossing the perimeter; lateral movement is internal. Monitoring host-to-host traffic surfaces the unusual SMB, RDP, and WinRM connections that a moving attacker generates.
  • Endpoint telemetry. EDR records the process and logon activity that exposes credential dumping and remote execution, the Mimikatz run, the PsExec service creation, mapped to the attacker techniques above.
  • Behavioral analytics (UEBA). Tools that learn a baseline for each user and host and flag deviation are built for exactly this, because lateral movement is a deviation from normal behavior more than a known signature.
  • Deception. A honeypot or honey credentials that no legitimate user should ever touch turn lateral movement into a high-confidence alert: if something authenticates to the decoy, it is an intruder.

In Windows environments, the evidence is in the logon events: account logons (event 4624) with network logon type 3 for the remote authentications lateral movement generates, explicit-credential logons (4648), and special-privilege assignments (4672). A 4624 showing NTLM authentication to a host that normally uses Kerberos is a classic pass-the-hash tell. Knowing which event IDs map to which technique is what turns a SIEM full of ordinary logons into a detection, and the correlation across hosts is what separates an admin's normal pattern from an intruder's.
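As an added example (not code from the original page), the script below runs the two tells from that paragraph over a handful of constructed 4624 records: an NTLM network logon against a host whose baseline is Kerberos, and one account fanning out to several hosts within a few minutes. The hostnames, account names, timestamps and the per-host baseline are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: the authentication package each host normally sees
# for network logons. In practice this is learned from historical 4624 data.
BASELINE_AUTH = {"FS01": "Kerberos", "DC01": "Kerberos", "APP02": "Kerberos"}

# Constructed 4624 records, reduced to the fields the checks need
# (logon type, authentication package, account, target host, source host).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": 3, "auth": "Kerberos", "user": "jdoe",     "host": "FS01",  "src": "WS07"},
    {"ts": "2024-05-01T09:04:12", "type": 3, "auth": "NTLM",     "user": "localadm", "host": "FS01",  "src": "WS07"},
    {"ts": "2024-05-01T09:04:40", "type": 3, "auth": "NTLM",     "user": "localadm", "host": "APP02", "src": "WS07"},
    {"ts": "2024-05-01T09:05:03", "type": 3, "auth": "NTLM",     "user": "localadm", "host": "DC01",  "src": "WS07"},
    {"ts": "2024-05-01T09:30:00", "type": 2, "auth": "NTLM",     "user": "svc_bak",  "host": "APP02", "src": "-"},
    {"ts": "2024-05-01T13:00:00", "type": 3, "auth": "Kerberos", "user": "jdoe",     "host": "DC01",  "src": "WS07"},
]


def ntlm_where_kerberos_expected(events, baseline=BASELINE_AUTH):
    """Type-3 (network) logons that used NTLM on a host whose baseline is Kerberos.
    Interactive (type 2) logons are ignored: the pass-the-hash tell is a remote hop."""
    return [e for e in events
            if e["type"] == 3 and e["auth"] == "NTLM"
            and baseline.get(e["host"]) == "Kerberos"]


def fan_out(events, window=timedelta(minutes=5), min_hosts=3):
    """Accounts whose network logons reach >= min_hosts distinct hosts inside one
    sliding window. Returns {account: sorted list of hosts} for the first window hit."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == 3:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for e in ntlm_where_kerberos_expected(EVENTS):
        print(f"NTLM where Kerberos expected: {e['user']} {e['src']} -> {e['host']} at {e['ts']}")
    for user, hosts in fan_out(EVENTS).items():
        print(f"fan-out: {user} reached {hosts} within 5 minutes")
```

Both checks fire on the same constructed account here, which is the correlation the paragraph describes: one hit is a tell, two independent tells on one account in one window is a case to open.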

The unifying skill is knowing what normal looks like. An analyst who has internalized the baseline of their environment can see the one logon that does not belong, which is why proactive threat hunting for lateral movement is so effective.

How to limit lateral movement

You cannot always stop the first foothold, but you can make moving from it expensive and noisy. The controls that matter most:

  • Network segmentation. Divide the network so a compromise in one zone cannot reach the rest. This is the single most effective structural limit on lateral movement, and the heart of network security done well.
  • Least privilege and tiered administration. Most movement rides on over-privileged accounts. Scope every account to what it needs, and separate admin tiers so a workstation admin credential cannot log into a domain controller.
  • Strong credential hygiene. Multi-factor authentication, no reused local admin passwords (use a solution that randomizes them per host), and limiting where privileged accounts log in so their credentials are not left in memory for the taking.
  • Reduce the legacy attack surface. Disable or restrict legacy protocols like NTLM where you can, since pass-the-hash depends on them, and lock down RDP and SMB exposure between hosts.

None of these stop lateral movement alone. Layered, they turn a quiet walk to the domain controller into a series of obstacles that each generate evidence.

Getting started with detecting lateral movement

If you are building the skill, work it from the artifacts attackers leave.

  1. Learn Windows authentication. Understand NTLM, Kerberos, and what logon events look like, because that is where lateral movement is recorded.
  2. Study the techniques in ATT&CK. Work through the Lateral Movement tactic and its techniques so you can recognize each one in telemetry.
  3. Analyze the traffic and logs of a real move. Pull apart a packet capture or an event log of a PsExec or pass-the-hash hop and learn its fingerprint.
  4. Hunt for the anomaly. Practice spotting the account that logged in where it should not, in real data.

The bottom line

Lateral movement is the phase that turns one compromised machine into a compromised network. The attacker steals credentials, uses a legitimate remote protocol to hop to the next host, escalates, and repeats, traveling from a throwaway laptop to the domain controller while looking, the whole way, like routine administration. It is where dwell time is spent and where a small incident becomes a breach.

That is also why it is the defender's best opportunity. The attacker has to move, and every move is a chance to be seen, if you are watching authentication, internal traffic, and endpoint behavior against a known baseline. Stopping the spread with segmentation and least privilege, and catching the movement with correlation and hunting, is how a foothold stays a foothold.

Frequently asked questions

What is lateral movement in simple terms?

Lateral movement is how an attacker spreads through a network after breaking into one machine. They steal credentials from the first system, use them to log into another, repeat the process, and work their way toward valuable data or full control. It usually uses legitimate logins and admin tools, which is what makes it hard to spot.

What is an example of lateral movement?

A classic example is pass-the-hash: an attacker on one machine dumps a password hash from memory and uses it to authenticate to other Windows systems over SMB, without ever knowing the actual password. Another is stealing a Kerberos ticket and reusing it (pass-the-ticket), or simply logging into other hosts over RDP with stolen credentials.

Why is lateral movement so hard to detect?

Because it looks like normal activity. The attacker uses valid credentials and the same remote-administration tools that real administrators use, so there is no malware to flag and no traffic crossing the firewall. Detecting it requires spotting that a legitimate-looking action is abnormal in context, which depends on behavioral baselines and correlation rather than signatures.

What is the difference between lateral movement and privilege escalation?

Lateral movement is moving between systems; privilege escalation is gaining higher rights on a system. They interleave in a real attack: an attacker moves to a new host (lateral movement), escalates privileges there to grab more powerful credentials (privilege escalation), then uses those to move again. One is about reach, the other about power.

How do you prevent lateral movement?

You limit it with network segmentation (so a breach in one zone cannot reach others), least privilege and tiered administration (so stolen credentials open fewer doors), strong credential hygiene including MFA and randomized local admin passwords, and restricting legacy protocols like NTLM. Layered together, these make moving through the network slow and noisy rather than easy.

How do I learn to detect lateral movement?

Start with Windows authentication, NTLM and Kerberos, and what logon events look like, then study the Lateral Movement techniques in MITRE ATT&CK. Practice on real data: analyze the logs and network traffic of a PsExec or pass-the-hash hop in hands-on labs, and learn to spot the anomalous logon that signals an attacker on the move.