Lateral movement is how attackers spread through a network after gaining initial access. Average eCrime breakout time is now 29 minutes, down from 48 minutes in 2024 and 62 minutes in 2023 (CrowdStrike Global Threat Report, 2026). Attackers are getting faster. MITRE ATT&CK catalogues 9 primary lateral movement techniques and over 20 sub-techniques under TA0008. In our engagements, lateral movement is where we see the biggest gap between what organisations think their segmentation does and what it actually stops.
What Is Lateral Movement and Why Does It Matter?
Lateral movement is the critical phase that transforms an isolated compromise into a full-scale breach. When an attacker gains their initial foothold — whether through a phishing email, a vulnerable internet-facing service, or a compromised VPN credential — they rarely land directly on their ultimate target. The data they seek, the systems they want to disrupt, or the accounts they need to achieve their objectives are almost always elsewhere in the network.
Lateral movement bridges this gap. It encompasses every technique an attacker uses to:
- Discover additional systems, services, and accounts within the network
- Access those systems using stolen credentials, exploitation of trust relationships, or abuse of legitimate remote access tools
- Escalate their privileges on newly compromised systems
- Position themselves closer to their ultimate objective
The significance of lateral movement cannot be overstated. A compromise contained to a single workstation causes limited damage. An attacker who successfully moves laterally to domain controllers, database servers, or cloud administrative consoles can cause catastrophic harm.
“The initial access is just the ticket to the show. What the attacker does after they get in — how they move laterally, escalate privileges, and position themselves for maximum impact — that is where breaches become disasters.” — Dmitri Alperovitch, Co-Founder, CrowdStrike
Key statistics that illustrate the importance of lateral movement:
- 29 minutes: Average eCrime breakout time from initial access to lateral movement (CrowdStrike, 2026)
- 80% of breaches that involve lateral movement result in data exfiltration (Mandiant M-Trends, 2025)
- 71% of attacks that reached domain admin status started from a standard user workstation (Microsoft Digital Defense Report, 2024)
- $5.46 million: Average cost of breaches where lateral movement was detected late versus $3.12 million where it was contained early (IBM, 2024)
- 26 days: Average dwell time for attackers engaging in lateral movement before detection (Mandiant, 2025)
- Active Directory misconfigurations enabling lateral movement exist in 94% of enterprise environments (Semperis, 2024)
What Lateral Movement Techniques Does MITRE ATT&CK Document?
MITRE ATT&CK’s Lateral Movement tactic (TA0008) provides the most complete taxonomy of lateral movement techniques. Understanding this taxonomy is essential for both red teams planning their operations and blue teams developing detection capabilities.
Complete TA0008 Technique Overview
| Technique ID | Technique Name | Description | Prevalence |
|---|---|---|---|
| T1021 | Remote Services | Using legitimate remote services (RDP, SSH, SMB, WinRM, VNC) | Very High |
| T1021.001 | Remote Desktop Protocol | Connecting to systems via RDP | Very High |
| T1021.002 | SMB/Windows Admin Shares | Accessing ADMIN$, C$, IPC$ shares | High |
| T1021.003 | DCOM (Distributed COM) | Executing commands via DCOM interfaces | Medium |
| T1021.004 | SSH | Moving between Linux/Unix systems via SSH | High |
| T1021.005 | VNC | Using Virtual Network Computing for remote access | Low |
| T1021.006 | Windows Remote Management | Using WinRM/PowerShell Remoting | High |
| T1534 | Internal Spearphishing | Phishing from compromised internal accounts | Medium |
| T1570 | Lateral Tool Transfer | Moving tools between compromised systems | Very High |
| T1563 | Remote Service Session Hijacking | Hijacking existing remote sessions (RDP, SSH) | Medium |
| T1550 | Use Alternate Authentication Material | Using hashes, tickets, tokens instead of passwords | Very High |
| T1550.002 | Pass the Hash | Authenticating with NTLM hash without cracking | Very High |
| T1550.003 | Pass the Ticket | Using stolen Kerberos tickets for authentication | High |
| T1072 | Software Deployment Tools | Abusing SCCM, Ansible, or other deployment tools | Medium |
| T1080 | Taint Shared Content | Placing malicious content on network shares | Low |
| T1210 | Exploitation of Remote Services | Exploiting vulnerabilities in network services | Medium |
The Most Commonly Used Techniques
Based on aggregated red team engagement data and threat intelligence reports, the most frequently observed lateral movement techniques in real-world attacks and professional red team operations are:
1. Remote Desktop Protocol (T1021.001) RDP remains the single most used lateral movement technique. Its prevalence stems from its ubiquity in enterprise environments — RDP is enabled on the vast majority of Windows servers and many workstations. Attackers use stolen credentials to connect via RDP, gaining full interactive access to the target system.
2. SMB and Windows Admin Shares (T1021.002) Server Message Block (SMB) protocol enables file sharing and remote administration across Windows networks. Attackers leverage SMB to access administrative shares (C$, ADMIN$), copy tools and payloads to remote systems, and execute commands. Tools like PsExec, which operates over SMB, remain staples of both attacker and red team arsenals.
3. Pass-the-Hash (T1550.002) Pass-the-Hash (PtH) is a technique that allows an attacker to authenticate to a remote system using the NTLM hash of a user’s password rather than the plaintext password itself. This is devastating because:
- NTLM hashes can be extracted from memory (using tools like Mimikatz) without knowing the plaintext password
- The hash acts as a credential equivalent, accepted by Windows authentication protocols
- A single compromised admin hash can provide access to every system where that account has privileges
4. Pass-the-Ticket (T1550.003) Similar to Pass-the-Hash but targeting Kerberos authentication, Pass-the-Ticket involves stealing Kerberos ticket-granting tickets (TGTs) or service tickets from memory and using them to authenticate to other services. The most devastating variant is the “Golden Ticket” attack, where an attacker who compromises the KRBTGT account can forge Kerberos tickets for any user, effectively granting unlimited access to the entire Active Directory domain.
5. WinRM/PowerShell Remoting (T1021.006) Windows Remote Management (WinRM) enables PowerShell Remoting, allowing administrators to execute commands on remote systems. Attackers and red teams abuse this legitimate management capability to execute code, run scripts, and transfer data across compromised networks. PowerShell Remoting is particularly dangerous because it is often allowed by default in enterprise environments and may not be adequately monitored.
How Do Attackers Perform Lateral Movement Through Active Directory?
Active Directory (AD) environments are the primary battleground for lateral movement in enterprise networks. The inherent trust relationships, delegation configurations, and credential management mechanisms in AD create numerous opportunities for lateral movement.
Understanding AD Trust Relationships
Active Directory’s authentication and authorization model is built on trust. When systems and services trust the same directory, an attacker who compromises one trusted principal can exploit that trust to access other systems. Key trust-enabling mechanisms include:
- Kerberos Delegation: Allows services to impersonate users when accessing other services. Unconstrained delegation, in particular, is a high-risk configuration that enables credential theft
- Group Policy: GPOs can push configurations, scripts, and credentials across the domain, and compromised GPOs can be weaponized for mass lateral movement
- Domain Trusts: Trust relationships between domains enable cross-domain lateral movement, potentially allowing an attacker in one domain to access resources in another
Common AD Lateral Movement Attack Chains
Attack Chain 1: Credential Harvesting and Reuse
Initial Compromise (Workstation)
-> Dump LSASS memory (Mimikatz/nanodump)
-> Extract NTLM hashes and Kerberos tickets
-> Pass-the-Hash to server with shared admin credentials
-> Dump additional credentials
-> Reach Domain Controller
Attack Chain 2: Kerberos Abuse
Initial Compromise
-> Kerberoasting (request service tickets, crack offline)
-> Use cracked service account credentials
-> Access systems where service account has privileges
-> Extract KRBTGT hash from DC
-> Forge Golden Tickets for unlimited access
Attack Chain 3: AD Certificate Services (ADCS) Abuse
Initial Compromise
-> Identify misconfigured certificate templates
-> Request certificate as privileged user (ESC1/ESC8)
-> Use certificate for authentication
-> Impersonate Domain Admin
“Active Directory was designed for manageability, not security. Every feature that makes it easier to manage a network of thousands of computers — group policies, delegation, trusts, service accounts — is a feature that attackers can abuse for lateral movement. Securing AD requires fundamentally rethinking how these features are configured and monitored.” — Sean Metcalf, Founder, Trimarc Security
Tools Commonly Used for AD Lateral Movement
| Tool | Purpose | Red Team Usage |
|---|---|---|
| Mimikatz | Credential extraction from memory | Extract NTLM hashes, Kerberos tickets |
| Impacket | Python-based network protocol tools | PsExec, WMI exec, SMB relay, secretsdump |
| BloodHound | AD attack path visualization | Map shortest path to Domain Admin |
| Rubeus | Kerberos abuse toolkit | Kerberoasting, ticket manipulation, delegation abuse |
| CrackMapExec | Multi-protocol attack tool | Credential spraying, SMB enumeration, command execution |
| SharpHound | BloodHound data collector | Enumerate AD objects, sessions, permissions |
| Certify/Certipy | ADCS exploitation | Identify and exploit certificate template misconfigurations |
| PsExec | Remote command execution via SMB | Execute commands on remote Windows systems |
| Evil-WinRM | WinRM shell client | Interactive PowerShell sessions on remote systems |
How Does Lateral Movement Work in Cloud Environments?
As organisations migrate infrastructure to the cloud, lateral movement techniques have evolved to exploit cloud-specific trust relationships, identity systems, and service configurations. Cloud lateral movement differs fundamentally from on-premises movement because it targets identity and access management (IAM) rather than network protocols.
Azure / Entra ID Lateral Movement
Microsoft Azure and Entra ID (formerly Azure AD) present unique lateral movement opportunities:
- Token Theft: Stealing Azure access tokens and refresh tokens from compromised endpoints enables access to cloud resources without needing the user’s password
- Service Principal Abuse: Compromising service principal credentials provides automated access to Azure resources, often with excessive privileges
- Hybrid Identity Exploitation: Organizations using Azure AD Connect to synchronize on-premises AD with Entra ID create lateral movement paths between on-premises and cloud environments. Compromising the Azure AD Connect server can grant access to cloud admin credentials
- Subscription Pivoting: Moving between Azure subscriptions and resource groups by abusing IAM role assignments
- Managed Identity Abuse: Exploiting Azure Managed Identities assigned to virtual machines to access other Azure services without credential management
AWS Lateral Movement
Amazon Web Services lateral movement typically involves:
- IAM Role Chaining: Assuming roles across accounts using cross-account trust policies
- Instance Metadata Service (IMDS): Stealing temporary credentials from EC2 instance metadata (particularly dangerous with IMDSv1)
- SSM Session Manager: Using AWS Systems Manager to establish sessions on EC2 instances
- Lambda Function Abuse: Abusing compromised Lambda execution roles to access other AWS services
- S3 Bucket Access: Using stolen credentials to access S3 buckets containing sensitive data or configuration files with additional credentials
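The IAM role chaining described above depends on what each role's trust policy allows. The following is an added example (not code from the original article) of a review script that reads IAM role trust policies and flags roles that any AWS principal can assume, or that a foreign account can assume without an `sts:ExternalId` condition. The account IDs, role names and policy documents are constructed for the example; the policy shapes follow the AWS IAM policy language, and conditions other than `sts:ExternalId` (such as `aws:PrincipalOrgID`) are deliberately not evaluated here.

```python
# Trust-policy review for cross-account role chaining (added example; constructed data).

OWN_ACCOUNT = "111111111111"  # constructed account ID

# Constructed trust-policy documents, keyed by role name.
TRUST_POLICIES = {
    "app-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]},
    "partner-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Condition": {"StringEquals": {"sts:ExternalId": "partner-token"}}}]},
    "legacy-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Principal": "*"}]},
    "ci-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::333333333333:role/ci"]}}]},
    "ec2-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "ec2.amazonaws.com"}}]},
}


def statement_actions(stmt):
    """Normalise the Action element (string or list) to a list."""
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def principal_accounts(principal):
    """Return the AWS account IDs (or '*') named in a Principal element.
    Service principals are ignored: they are not cross-account trust."""
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    accounts = []
    for entry in aws:
        if entry == "*":
            accounts.append("*")
        elif entry.startswith("arn:aws:iam::"):
            accounts.append(entry.split(":")[4])  # account ID is the 5th ARN field
        elif entry.isdigit():
            accounts.append(entry)
    return accounts


def review_trust_policies(policies, own_account):
    """Return (role, severity, reason) findings for risky AssumeRole trust."""
    findings = []
    for role, doc in policies.items():
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            if "sts:AssumeRole" not in statement_actions(stmt):
                continue
            conditions = stmt.get("Condition", {})
            has_external_id = any("sts:ExternalId" in keys for keys in conditions.values())
            for account in principal_accounts(stmt.get("Principal", {})):
                if account == "*":
                    findings.append((role, "CRITICAL", "assumable by any AWS principal"))
                elif account != own_account and not has_external_id:
                    findings.append((role, "HIGH",
                                     f"cross-account trust to {account} without sts:ExternalId"))
                elif account != own_account:
                    findings.append((role, "INFO",
                                     f"cross-account trust to {account} (ExternalId required)"))
    return findings


if __name__ == "__main__":
    for role, severity, reason in review_trust_policies(TRUST_POLICIES, OWN_ACCOUNT):
        print(f"{severity:8} {role}: {reason}")
```

In a real review the documents would come from `iam:GetRole` output for every role in the account; the same function applies unchanged to that data.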
Cloud Lateral Movement Statistics
- 58% of cloud breaches involve lateral movement between cloud services (Palo Alto Unit 42, 2025)
- 73% of organisations have IAM misconfigurations that enable cross-service lateral movement (Orca Security, 2024)
- 3 hops: Average number of lateral movement steps to reach critical cloud assets from initial compromise (Wiz, 2024)
- Cloud lateral movement is 2.8x faster than on-premises due to API-based authentication (CrowdStrike, 2025)
How Can Organizations Detect Lateral Movement?
Detecting lateral movement is one of the most challenging tasks in cybersecurity. Lateral movement techniques deliberately abuse legitimate protocols and tools (RDP, SMB, PowerShell), making it difficult to distinguish malicious activity from normal administration. However, several detection strategies have proven effective.
Network-Based Detection
Network Traffic Analysis:
- Monitor for unusual patterns in east-west traffic (internal-to-internal communications)
- Detect anomalous RDP connections between workstations (workstation-to-workstation RDP is rarely legitimate)
- Identify unusual SMB traffic patterns, particularly access to ADMIN$ and C$ shares from unexpected sources
- Flag high volumes of authentication events from a single source in short time periods
Network Segmentation Monitoring:
- Alert on traffic crossing segmentation boundaries that violates expected communication patterns
- Monitor jump server / bastion host usage for anomalies
- Track VPN-to-internal lateral connections
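The network-based checks above (workstation-to-workstation RDP, SMB toward servers from unexpected sources, authentication fan-out from one host, and traffic that crosses a segmentation boundary outside the expected paths) can all be expressed over flow records. The following is an added example (not code from the original article): the zone address ranges, the allowed-path matrix, the fan-out threshold and the flow lines are constructed assumptions that would be replaced with an organisation's own address plan and flow export.

```python
# East-west flow analysis for lateral-movement indicators (added example; constructed data).
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical network zones; adjust to the real address plan.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "jump_hosts": ipaddress.ip_network("10.30.0.0/24"),
}
# Ports associated with remote-service lateral movement (T1021 sub-techniques).
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM", 135: "DCOM/WMI", 22: "SSH"}
# Expected cross-zone paths (source zone, destination zone). Anything else crosses a boundary.
ALLOWED_PATHS = {("workstations", "jump_hosts"), ("jump_hosts", "servers"), ("servers", "servers")}

FANOUT_WINDOW = timedelta(seconds=60)  # assumed tuning values
FANOUT_THRESHOLD = 5                   # distinct destinations per source per window

# Constructed flow lines: "<ISO timestamp> <src IP> <dst IP> <dst port>".
SAMPLE_FLOWS = [
    "2025-03-01T08:00:00 10.10.1.5 10.30.0.2 3389",   # workstation -> jump host: expected
    "2025-03-01T08:00:05 10.30.0.2 10.20.0.10 3389",  # jump host -> server: expected
    "2025-03-01T08:01:00 10.10.1.5 10.10.1.9 3389",   # workstation -> workstation RDP
    "2025-03-01T08:01:10 10.10.1.5 10.20.0.10 445",   # workstation -> server SMB, bypassing the jump host
    "2025-03-01T08:02:00 10.10.1.9 10.20.0.11 445",   # one workstation sweeping servers over SMB
    "2025-03-01T08:02:05 10.10.1.9 10.20.0.12 445",
    "2025-03-01T08:02:10 10.10.1.9 10.20.0.13 445",
    "2025-03-01T08:02:15 10.10.1.9 10.20.0.14 445",
    "2025-03-01T08:02:20 10.10.1.9 10.20.0.15 445",
    "2025-03-01T08:03:00 10.10.1.5 10.20.0.10 443",   # HTTPS to a server: not a lateral-movement port
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    ts, src, dst, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "port": int(port)}


def analyse_flows(lines):
    """Return (indicator, protocol, source, detail) tuples, in time order."""
    flows = sorted((parse_flow(line) for line in lines), key=lambda f: f["ts"])
    alerts = []
    recent = defaultdict(list)  # src -> [(timestamp, dst)] within the fan-out window
    for f in flows:
        proto = LATERAL_PORTS.get(f["port"])
        if proto is None:
            continue
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone == "workstations" and dst_zone == "workstations":
            alerts.append(("workstation_to_workstation", proto, f["src"], f["dst"]))
        elif src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_PATHS:
            alerts.append(("segmentation_violation", proto, f["src"], f["dst"]))
        # Fan-out: count distinct destinations per source within the sliding window.
        window = [(t, d) for t, d in recent[f["src"]] if f["ts"] - t <= FANOUT_WINDOW]
        window.append((f["ts"], f["dst"]))
        recent[f["src"]] = window
        distinct = {d for _, d in window}
        if len(distinct) == FANOUT_THRESHOLD:  # fires once, when the threshold is reached
            alerts.append(("auth_fanout", proto, f["src"], f"{len(distinct)} hosts in 60s"))
    return alerts


if __name__ == "__main__":
    for alert in analyse_flows(SAMPLE_FLOWS):
        print(alert)
```

The fan-out rule is the noisiest of the three in practice (backup and management hosts legitimately touch many servers), so it is normally paired with an allow-list of known scanners and administration hosts before it is promoted to an alert.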
Endpoint-Based Detection
Credential Access Monitoring:
- Detect LSASS memory access patterns consistent with credential dumping (Mimikatz, nanodump)
- Monitor the Windows Security log for Event ID 4648 (logon with explicit credentials)
- Alert on Kerberos ticket requests for unusual services (potential Kerberoasting)
- Track NTLM authentication events that should be Kerberos in a properly configured environment
Process and Command Line Monitoring:
- Detect execution of known lateral movement tools and remote execution channels (PsExec, WMI, WinRM)
- Monitor for PowerShell Remoting sessions from unexpected sources
- Track service creation events (Event ID 7045) that may indicate PsExec usage
- Alert on remote scheduled task creation
Identity-Based Detection
Authentication Analytics:
- Implement User and Entity Behavior Analytics (UEBA) to establish baselines and detect anomalies
- Monitor for impossible travel (authentications from geographically distant locations in short timeframes)
- Track service account usage outside expected patterns
- Alert on authentication to systems that a user has never previously accessed
Key Windows Event IDs for Lateral Movement Detection
| Event ID | Log Source | Indicator |
|---|---|---|
| 4624 (Type 3) | Security | Network logon — potential lateral movement |
| 4624 (Type 10) | Security | Remote interactive logon (RDP) |
| 4648 | Security | Logon with explicit credentials (potential PtH) |
| 4768 | Security | Kerberos TGT request — baseline for anomalies |
| 4769 | Security | Kerberos service ticket request — Kerberoasting detection |
| 4776 | Security | NTLM authentication — should be rare in Kerberos environments |
| 5140 | Security | Network share access (C$, ADMIN$) |
| 5145 | Security | Detailed file share access auditing |
| 7045 | System | New service installation (PsExec creates PSEXESVC) |
| 4688 | Security | Process creation with command line (requires audit policy) |
| 1 (Sysmon) | Sysmon | Process creation with detailed metadata |
| 3 (Sysmon) | Sysmon | Network connection with process context |
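The endpoint and identity checks above, together with the event ID table, translate directly into rules over Security and System log records. The following is an added example (not code from the original article) that runs those rules over a handful of constructed event records: workstation-to-workstation RDP logons (4624 type 10), NTLM network logons for domain accounts where Kerberos is expected (4624 type 3 / 4776), explicit-credential use (4648), RC4 service ticket requests as a Kerberoasting indicator (4769), administrative share access (5140), PSEXESVC service installation (7045), and a user's first logon to a host absent from their baseline. Field names follow the Windows event XML schema, but the records, hostnames, accounts and the `WS-` workstation naming convention are constructed assumptions.

```python
# Event-log rules for lateral-movement indicators (added example; constructed data).

DOMAIN = "CORP"  # assumed domain NetBIOS name

# Constructed, simplified event records (real ones come from the Security/System logs via a SIEM).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS-ALICE", "LogonType": 10, "TargetUserName": "alice",
     "TargetDomainName": "CORP", "AuthenticationPackageName": "Negotiate", "WorkstationName": "JUMP01"},
    {"EventID": 4624, "Computer": "WS-BOB", "LogonType": 10, "TargetUserName": "alice",
     "TargetDomainName": "CORP", "AuthenticationPackageName": "Negotiate", "WorkstationName": "WS-ALICE"},
    {"EventID": 4624, "Computer": "SRV-FILE01", "LogonType": 3, "TargetUserName": "alice",
     "TargetDomainName": "CORP", "AuthenticationPackageName": "NTLM", "WorkstationName": "WS-ALICE"},
    {"EventID": 4648, "Computer": "WS-ALICE", "SubjectUserName": "alice",
     "TargetUserName": "administrator", "TargetServerName": "SRV-FILE01"},
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
    {"EventID": 5140, "Computer": "SRV-FILE01", "TargetUserName": "administrator",
     "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 7045, "Computer": "SRV-FILE01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4776, "Computer": "DC01", "TargetUserName": "administrator", "Workstation": "WS-ALICE"},
]

# Constructed per-account baseline of hosts each account has previously logged on to.
BASELINE = {"alice": {"WS-ALICE"}, "svc_backup": {"SRV-BACKUP"}}

ADMIN_SHARES = {"ADMIN$", "C$"}


def is_workstation(host):
    """Assumed naming convention: workstation hostnames start with 'WS-'."""
    return host.upper().startswith("WS-")


def detect(events, baseline):
    """Return (indicator, host, detail) tuples for each matching event."""
    alerts = []
    for e in events:
        eid, host = e["EventID"], e["Computer"]
        if eid == 4624:
            logon_type = e["LogonType"]
            user = e["TargetUserName"]
            source = e.get("WorkstationName", "")
            if logon_type == 10 and is_workstation(host) and is_workstation(source):
                alerts.append(("rdp_workstation_to_workstation", host, f"{user} from {source}"))
            if (logon_type == 3 and e.get("AuthenticationPackageName") == "NTLM"
                    and e.get("TargetDomainName") == DOMAIN):
                alerts.append(("ntlm_where_kerberos_expected", host, user))
            if logon_type in (3, 10) and host not in baseline.get(user, set()):
                alerts.append(("first_logon_to_host", host, user))
        elif eid == 4648 and e["TargetUserName"] != e["SubjectUserName"]:
            alerts.append(("explicit_credential_use", host,
                           f'{e["SubjectUserName"]} -> {e["TargetUserName"]}@{e.get("TargetServerName", "?")}'))
        elif eid == 4769:
            # RC4 (0x17) service tickets for non-krbtgt services are the classic Kerberoasting signal.
            if e.get("TicketEncryptionType") == "0x17" and not e["ServiceName"].lower().startswith("krbtgt"):
                alerts.append(("rc4_service_ticket", host, e["TargetUserName"]))
        elif eid == 4776:
            alerts.append(("ntlm_credential_validation", host, e["TargetUserName"]))
        elif eid == 5140:
            share = e["ShareName"].rsplit("\\", 1)[-1].upper()  # last path component of \\*\ADMIN$
            if share in ADMIN_SHARES:
                alerts.append(("admin_share_access", host, f'{e["TargetUserName"]} -> {share}'))
        elif eid == 7045 and e["ServiceName"].upper() == "PSEXESVC":
            alerts.append(("psexec_service_install", host, e.get("ImagePath", "?")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

Each rule on its own is only a lead; the value comes from correlating them per host and account over a short window, which is what the 4648 -> 5140 -> 7045 sequence on SRV-FILE01 in the sample data would look like in a timeline.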
How Can Organizations Prevent Lateral Movement?
Prevention of lateral movement requires a defense-in-depth approach that addresses the underlying conditions attackers exploit. No single control eliminates lateral movement, but layered defenses can dramatically increase the cost and difficulty for attackers.
Network Segmentation and Zero Trust
Microsegmentation: Implementing granular network segmentation that restricts communication between systems to only what is explicitly required. In a microsegmented environment, a compromised workstation cannot communicate with other workstations or reach servers outside its authorized communication paths.
Zero Trust Architecture: Adopting zero trust principles that require continuous verification of identity, device health, and context for every access request. Zero trust eliminates the implicit trust that lateral movement exploits, requiring attackers to re-authenticate and re-authorize at every step.
According to Microsoft’s 2024 Digital Defense Report, organisations with mature zero trust implementations experienced 68% fewer lateral movement incidents than those with traditional perimeter-based security architectures.
Credential Hygiene
Tiered Administration Model: Implementing a tiered administration model (also known as the “Red Forest” or Enhanced Security Administrative Environment) that separates administrative credentials into tiers:
| Tier | Scope | Credential Usage |
|---|---|---|
| Tier 0 | Domain Controllers, AD, PKI | Only used on Tier 0 systems; never exposed to lower tiers |
| Tier 1 | Servers, applications | Only used on Tier 1 systems; never exposed to workstations |
| Tier 2 | Workstations, user devices | Standard user and local admin credentials |
This model ensures that compromising a Tier 2 workstation does not expose credentials that can be used to access Tier 1 servers or Tier 0 domain controllers.
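The tiering model is only as good as its enforcement, and the most direct check is auditing logon events for credentials used on a host of a lower tier than the account. The following is an added example (not code from the original article) of such a check over constructed logon records: the account-to-tier and host-to-tier mappings are assumptions standing in for what would normally be derived from AD group membership and OU placement, and the set of credential-exposing logon types is a simplification (network logons, type 3, are treated as not leaving reusable secrets on the target).

```python
# Tier-boundary audit over logon records (added example; constructed data).
from collections import namedtuple

# Constructed tier assignments. In practice: account tier from group membership
# (Domain Admins, server admin groups, ...) and host tier from OU or naming convention.
ACCOUNT_TIER = {"da-carol": 0, "srvadm-dave": 1, "alice": 2, "bob": 2}
HOST_TIER = {"DC01": 0, "PKI01": 0, "SRV-FILE01": 1, "SRV-SQL01": 1, "WS-ALICE": 2, "WS-BOB": 2}

# Logon types that leave reusable secrets (password, NTLM hash, TGT) on the target host:
# interactive, batch, service, new-credentials (runas /netonly), remote interactive, cached interactive.
CREDENTIAL_EXPOSING_LOGONS = {2, 4, 5, 9, 10, 11}

Logon = namedtuple("Logon", "account host logon_type")

# Constructed logon records, e.g. distilled from Event ID 4624.
SAMPLE_LOGONS = [
    Logon("da-carol", "DC01", 10),        # Domain Admin RDP to a DC: stays within Tier 0
    Logon("da-carol", "WS-BOB", 10),      # Domain Admin RDP to a workstation: Tier 0 secret on a Tier 2 host
    Logon("da-carol", "SRV-FILE01", 3),   # network logon: no reusable secret left behind (simplification)
    Logon("srvadm-dave", "SRV-SQL01", 2), # server admin at a server console: within Tier 1
    Logon("srvadm-dave", "WS-ALICE", 2),  # server admin at a workstation console: Tier 1 secret on Tier 2
    Logon("alice", "SRV-FILE01", 3),      # standard user reaching a file share: normal
    Logon("bob", "UNKNOWN-HOST", 2),      # host not classified: cannot be evaluated
]


def tier_violations(logons, account_tier=ACCOUNT_TIER, host_tier=HOST_TIER):
    """Return (violations, unclassified): violations are (logon, reason) pairs where a
    higher-privilege (lower-numbered) tier's credential was exposed on a lower-tier host;
    unclassified lists logons whose account or host has no tier assignment."""
    violations, unclassified = [], []
    for lg in logons:
        a_tier = account_tier.get(lg.account)
        h_tier = host_tier.get(lg.host)
        if a_tier is None or h_tier is None:
            unclassified.append(lg)
            continue
        if a_tier < h_tier and lg.logon_type in CREDENTIAL_EXPOSING_LOGONS:
            violations.append((lg, f"tier {a_tier} credential exposed on tier {h_tier} host"))
    return violations, unclassified


if __name__ == "__main__":
    found, unknown = tier_violations(SAMPLE_LOGONS)
    for lg, reason in found:
        print(f"VIOLATION {lg.account} -> {lg.host} (type {lg.logon_type}): {reason}")
    for lg in unknown:
        print(f"UNCLASSIFIED {lg.account} -> {lg.host}: assign a tier to evaluate")
```

The unclassified list matters as much as the violations: a host or account with no tier is one the model does not protect, and in most environments that is where the first real finding turns up.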
Additional Credential Protections:
- LAPS (Local Administrator Password Solution): Randomize local administrator passwords on every system, eliminating the ability to use one local admin hash across multiple systems
- Credential Guard: Windows Credential Guard uses virtualization-based security to isolate credential storage, preventing tools like Mimikatz from extracting hashes from memory
- Protected Users Group: AD security group that enforces additional protections on member accounts, including disabling NTLM authentication and preventing credential caching
- Group Managed Service Accounts (gMSAs): Automatically managed service account passwords that eliminate the risk of stale, compromised service account credentials
Privileged Access Management
Just-In-Time (JIT) Access: Instead of permanently assigned administrative privileges, provide elevated access only when needed and only for the duration required. This dramatically reduces the window of opportunity for credential theft.
Privileged Access Workstations (PAWs): Dedicated, hardened workstations used exclusively for administrative tasks. PAWs ensure that administrative credentials are never exposed on standard user workstations that are more likely to be compromised.
What Does Lateral Movement Look Like from a Red Team Perspective?
For professional red teams, lateral movement is both an art and a science. It requires deep technical knowledge combined with operational judgment about which techniques to use, when to move, and how to avoid detection.
Red Team Lateral Movement Methodology
Step 1: Situational Awareness After initial access, the red team conducts internal reconnaissance to understand the network environment:
- Enumerate domain structure, trusts, and organizational units
- Identify high-value targets (domain controllers, file servers, database servers)
- Map network segments and identify communication paths
- Run BloodHound to visualize attack paths to Domain Admin
Step 2: Credential Harvesting The red team attempts to obtain additional credentials from the compromised system:
- Dump LSASS process memory for cached credentials
- Extract credentials from browser stores, password managers, and configuration files
- Harvest Kerberos tickets from memory
- Search for credentials in scripts, Group Policy Preferences, and network shares
Step 3: Path Selection Using the intelligence gathered, the red team selects the optimal lateral movement path:
- Balance speed (shorter paths) against stealth (less monitored paths)
- Consider which techniques are most likely to succeed in the target environment
- Evaluate detection risk for each potential path
- Plan contingencies in case primary paths are blocked or detected
Step 4: Execution The red team executes lateral movement using the selected techniques, adapting in real-time based on the environment’s response. Professional red teams typically employ multiple techniques in combination, such as using Pass-the-Hash for initial movement and then establishing WinRM sessions for persistent access.
Step 5: Consolidation After each successful lateral movement, the red team establishes persistence on the newly compromised system, harvests additional credentials, and expands their map of the environment. This cycle repeats until the red team reaches their objective.
For organisations seeking to understand and test their defenses against lateral movement, RedTeamPartner.com provides expert red team services that replicate sophisticated lateral movement techniques used by real adversaries.
For detailed guidance on how lateral movement testing fits within Swiss cybersecurity regulatory requirements, CybersecuritySwitzerland.ch provides detailed analysis of the Swiss regulatory landscape.
What Are Real-World Examples of Lateral Movement in Major Breaches?
Understanding how lateral movement has been used in high-profile breaches provides context for the techniques described above.
SolarWinds Supply Chain Attack (2020-2021)
The SUNBURST attackers (attributed to Russian SVR) used compromised SolarWinds Orion updates to gain initial access to thousands of organisations. Their lateral movement was notable for its sophistication:
- Used SAML token forging to move from on-premises to cloud environments
- Used compromised service accounts for API-based lateral movement in Azure
- Moved deliberately slowly to avoid behavioral detection, with dwell times exceeding 9 months
Colonial Pipeline (2021)
The DarkSide ransomware group gained access through a compromised VPN credential and then:
- Used the VPN access to reach internal systems
- Moved laterally through the IT network using RDP and stolen credentials
- Reached critical OT (operational technology) network segments
- Deployed ransomware across multiple systems in a coordinated lateral movement operation
MOVEit Transfer (2023)
The CL0P ransomware group exploited a zero-day vulnerability in MOVEit Transfer to:
- Gain initial access to internet-facing MOVEit servers
- Move laterally to connected systems using the MOVEit server’s network access and stored credentials
- Access and exfiltrate data from backend databases and file storage systems
- The attack affected over 2,500 organisations globally
These examples demonstrate that lateral movement is not a theoretical concern but a practical, consistently exploited phase of real-world attacks.
Frequently Asked Questions About Lateral Movement
What is the difference between lateral movement and privilege escalation? Privilege escalation involves gaining higher-level permissions on a system (such as going from a standard user to administrator on the same machine). Lateral movement involves accessing a different system entirely. In practice, these techniques are often used together: an attacker may need to escalate privileges on one system to obtain credentials that enable lateral movement to another system.
How long does lateral movement typically take? According to CrowdStrike’s 2026 data, the average eCrime breakout time (initial access to first lateral movement) is 29 minutes, down from 48 minutes in 2024. However, this varies enormously by attacker sophistication and target environment. Nation-state actors may take weeks of careful, stealthy movement, while ransomware operators often complete their entire lateral movement in hours.
Can network segmentation stop lateral movement? Network segmentation significantly increases the difficulty of lateral movement but does not eliminate it entirely. Attackers can still move laterally within segments, exploit trust relationships that cross segments, or abuse legitimate cross-segment communication paths. Effective segmentation must be combined with strong authentication controls, monitoring, and credential hygiene.
What is “breakout time” and why does it matter? Breakout time is CrowdStrike’s metric measuring the time between initial access and the first instance of lateral movement. It matters because it defines the window of opportunity for defenders: if your mean time to detect (MTTD) and mean time to respond (MTTR) are longer than the attacker’s breakout time, the attacker will establish broader access before you can contain them.
How does lateral movement work in air-gapped networks? Even networks designed to be air-gapped may have unintentional connections or bridging points. Attackers have used USB drives, compromised maintenance laptops, and shared file transfer systems to bridge air gaps. The Stuxnet attack famously crossed air gaps via infected USB drives. In red team engagements, testing air gap integrity is a specific objective.
What role does Active Directory play in lateral movement? Active Directory is the single most important enabler of lateral movement in enterprise environments. Its centralized authentication, trust relationships, group policies, and credential management mechanisms create the infrastructure that lateral movement exploits. Securing Active Directory is therefore the most impactful single action an organization can take to impede lateral movement.
Lateral movement remains one of the most consequential phases of the attack lifecycle. Organizations that invest in detection and prevention of lateral movement — through network segmentation, credential hygiene, privileged access management, and continuous monitoring — dramatically reduce the potential impact of any initial compromise, transforming what could be a catastrophic breach into a contained security incident.
Sources
- CrowdStrike 2026 Global Threat Report — confirms average eCrime breakout time of 29 minutes (2025 data), down from 48 minutes (2024 data) and 62 minutes (2023 data)
- CrowdStrike 2025 Global Threat Report — confirms 48-minute breakout time for 2024 data
- Mandiant M-Trends 2025 — confirms 26 days dwell time when external entities notified