# Lateral Movement
Lateral Movement refers to the techniques used by an attacker to move across a network, accessing additional systems, accounts, and data after compromising an initial host.
This step is crucial in post-exploitation because it allows adversaries to expand their access, escalate privileges, harvest credentials, and ultimately reach high-value targets like domain controllers, critical servers, or sensitive data repositories.
## Why Lateral Movement Matters
Initial compromise is often limited to:
- A single workstation or endpoint
- A low-privileged domain user
- A segmented network zone
Lateral movement helps attackers:
- Bypass network segmentation
- Move from user to admin accounts
- Access additional credentials (token theft, harvesting)
- Reach crown-jewel assets (Active Directory, databases, file servers)
It turns a single compromised node into a domain-wide compromise.
## Core Techniques

### Credential Abuse

- Pass-the-Hash (PtH): authenticate with a stolen NTLM hash, without ever knowing the plaintext password.
- Pass-the-Ticket (PtT): authenticate with forged or stolen Kerberos TGT/TGS tickets.
- Over-Pass-the-Hash: use a stolen NTLM hash to request Kerberos tickets, so the session looks like ordinary Kerberos authentication.
- Token Impersonation: duplicate an existing access token to act as the account it belongs to.

### Protocol-Based Movement

- SMB / WMI / WinRM: remote code execution on Windows systems
- RDP: full GUI session into another system
- PsExec: remote service creation to launch executables
- SSH: primary movement vector on Linux systems

### Application Layer & Living-off-the-Land

- Scheduled Tasks: create tasks on remote systems to run payloads
- Service Creation: register and start services that run attacker code
- DLL Injection / Process Hollowing: stealthy code execution on remote machines
- PowerShell Remoting: `Invoke-Command`, `Enter-PSSession` for remote operations
## Common Tools for Lateral Movement
| Tool | Platform | Notes |
|---|---|---|
| PsExec | Windows | Fast, noisy, EDR monitored |
| WMIExec.py | Windows | Python-based alternative |
| CrackMapExec | Windows | Swiss army knife for SMB/WinRM/RDP |
| Impacket suite | Windows | smbexec, wmiexec, atexec, dcomexec, etc. |
| Sliver / Cobalt Strike | Cross-platform | Beaconing C2s that support lateral ops |
| SSH (native) | Linux | With stolen keys, .ssh/authorized_keys |
| Ansible / SaltStack | Linux | If internal automation tools can be hijacked |
## Typical Workflow

1. Initial Access
2. Credential Dumping (e.g., LSASS, SAM)
3. Token Theft / Harvesting (e.g., mimikatz, SharpHound)
4. Lateral Movement via SMB/WMI/RDP/SSH
5. Post-access Credential Dumping on New Hosts
6. Privilege Escalation → Repeat or Persist
## OPSEC Considerations

Lateral movement is high-risk from a detection standpoint:

- Endpoint Detection and Response (EDR) tools often monitor:
  - PsExec patterns
  - Remote service creation
  - Admin share access (e.g., `C$`, `ADMIN$`)
  - WMI and WinRM execution
- Logs to monitor:
  - `Security.evtx` (event IDs 4624, 4672)
  - PowerShell logs (event ID 4104)
  - Sysmon logs (network connections, process creation)
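As an added defender-side illustration (not code from the original page), the following Python correlates the log sources listed above into a single PsExec-style alert: a network logon (4624, logon type 3) on a host, followed within a short window by special privileges being assigned (4672) and a remote service creation (System log event 7045, which is how the "remote service creation" bullet shows up in the event log). The event records, host names, user names and service names are constructed sample data; logon type 3 and event 7045 are assumptions beyond what the page itself lists.

```python
"""Correlate constructed Windows events into a remote-service lateral movement alert.

Indicator chain (assumed, per host and user):
  4624 network logon (logon_type 3) from a remote address, then within
  WINDOW_S seconds both 4672 (special privileges) and 7045 (service installed).
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_S = 60  # seconds between the logon and the service install

# Constructed sample events (not real telemetry). Fields mirror what a SIEM
# would normalise out of Security.evtx / System.evtx.
EVENTS = [
    {"ts": "2024-05-01T10:00:01", "host": "FS01", "id": 4624, "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T10:00:02", "host": "FS01", "id": 4672, "user": "svc_backup"},
    {"ts": "2024-05-01T10:00:09", "host": "FS01", "id": 7045, "user": "svc_backup", "service": "PSEXESVC"},
    {"ts": "2024-05-01T10:03:00", "host": "WS07", "id": 4624, "user": "alice", "logon_type": 2, "src_ip": "-"},
    {"ts": "2024-05-01T10:03:01", "host": "WS07", "id": 4672, "user": "alice"},
    {"ts": "2024-05-01T11:15:00", "host": "DB02", "id": 4624, "user": "jsmith", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T11:15:01", "host": "DB02", "id": 4672, "user": "jsmith"},
    {"ts": "2024-05-01T12:30:00", "host": "DB02", "id": 7045, "user": "jsmith", "service": "Backup"},
]


def parse_ts(ev):
    return datetime.fromisoformat(ev["ts"])


def correlate(events, window_s=WINDOW_S):
    """Return (host, user, src_ip, service) for every chain that completes in the window."""
    window = timedelta(seconds=window_s)
    by_host_user = defaultdict(list)
    for ev in sorted(events, key=parse_ts):
        by_host_user[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in by_host_user.items():
        for i, logon in enumerate(evs):
            # Interactive (type 2) logons are local; only network logons start a chain.
            if logon["id"] != 4624 or logon.get("logon_type") != 3:
                continue
            t0 = parse_ts(logon)
            later = [e for e in evs[i + 1:] if parse_ts(e) - t0 <= window]
            ids = {e["id"] for e in later}
            if 4672 in ids and 7045 in ids:
                service = next(e["service"] for e in later if e["id"] == 7045)
                alerts.append((host, user, logon["src_ip"], service))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("possible remote-service lateral movement:", alert)
```

In the sample data only the FS01 chain fires: WS07 is a local logon and DB02's service install falls outside the window, which is exactly the kind of tuning a detection engineer adjusts against their own baseline.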
### Evasion Tips

- Use in-memory execution (e.g., BOFs, reflectively loaded DLLs)
- Rename known tooling binaries
- Abandon PsExec in favor of `wmiexec.py` or C2-native features
- Stagger traffic and simulate user behavior
## Where Lateral Movement Fits

Initial Access → Execution → Post-Ex Recon → Privilege Escalation → [ Lateral Movement ] → Credential Dumping → Objectives

It is often iterative: repeated each time you discover more users and more systems and gather more credentials.
## Summary

Lateral movement isn't just a pathway; it's how red teamers and adversaries conquer networks. Without it, you're just a squatter on a box. With it, you're a threat actor expanding your territory.

Whether the target is a domain controller or a Linux bastion host, lateral movement is how you reach your real objectives.