Lateral movement (MITRE ATT&CK Tactic TA0008) is how attackers expand their foothold after gaining initial access to a network. Once inside, adversaries rarely find their target on the first compromised host. Instead, they move laterally, from system to system, to discover high-value assets, escalate privileges, and position themselves to achieve their objective, whether that is data exfiltration, ransomware deployment, or long-term espionage. Detecting lateral movement requires correlated visibility across endpoints, network traffic, and identity systems, because these techniques deliberately exploit legitimate tools and protocols to blend with normal administrative activity.
This guide examines the most prevalent lateral movement techniques catalogued in the MITRE ATT&CK framework, explains why they are difficult to detect, and provides data-source-specific detection strategies that security teams can implement immediately.
What Is Lateral Movement in the MITRE ATT&CK Framework?
In the MITRE ATT&CK framework, Lateral Movement is Tactic TA0008, a collection of techniques adversaries use to enter and control remote systems on a network. Lateral movement sits in the middle of the attack chain, occurring after the attacker has already achieved:
- Initial Access (TA0001): Gaining a first foothold in the environment via phishing, exploitation, or compromised credentials
- Execution (TA0002): Running malicious code on the initially compromised host
- Persistence (TA0003): Establishing mechanisms to survive reboots and credential changes
- Privilege Escalation (TA0004): Obtaining higher-level permissions needed to move laterally
- Credential Access (TA0006): Harvesting credentials that enable authentication to remote systems
Lateral movement is the bridge between the initial compromise and the attacker's ultimate objective. Without lateral movement, most attacks stall on a single low-value endpoint. With it, attackers can reach domain controllers, database servers, file shares containing sensitive data, and the backup infrastructure they need to disable before deploying ransomware.
The techniques within TA0008 are among the most operationally significant for defenders because they represent the phase where a contained incident becomes an enterprise-wide breach.
What Are the Most Common Lateral Movement Techniques?
MITRE ATT&CK catalogues nine lateral movement techniques, each with multiple sub-techniques. The following are the most frequently observed in real-world attacks.
T1021: Remote Services
Remote Services is the most prevalent lateral movement technique because it exploits the same tools and protocols that legitimate administrators use daily.
T1021.001: Remote Desktop Protocol (RDP): Attackers use compromised credentials or session hijacking to establish RDP connections to target systems. RDP provides full graphical access, making it a preferred method for interactive lateral movement. Attackers may enable RDP on systems where it is disabled by modifying the registry remotely.
T1021.002: SMB/Windows Admin Shares: Windows administrative shares (C$, ADMIN$, IPC$) provide remote file system access to administrators. Tools like PsExec, Impacket's smbexec, and wmiexec use SMB to copy payloads to remote systems and execute them. This technique is central to ransomware deployment, where attackers use SMB to distribute encryption payloads across many systems simultaneously.
T1021.004: SSH: In Linux and Unix environments, attackers use stolen SSH keys or compromised credentials to move between systems. SSH key reuse across systems means compromising a single host's private key can unlock access to many others.
T1021.006: Windows Remote Management (WinRM): WinRM provides command-line remote access via the WS-Management protocol. PowerShell Remoting uses WinRM as its transport, making it a powerful lateral movement tool that is often enabled by default in enterprise environments.
T1550: Use Alternate Authentication Material
These techniques allow attackers to authenticate without knowing the actual plaintext password.
T1550.002: Pass the Hash (PtH): In Windows environments, NTLM authentication allows authentication using a password hash rather than the plaintext password. Attackers who dump NTLM hashes from memory (using tools like Mimikatz) can use those hashes directly to authenticate to remote systems. This is particularly dangerous because changing the user's password does not invalidate existing hash-based sessions until the hash is updated.
T1550.003: Pass the Ticket (PtT): In Kerberos environments, attackers steal Ticket Granting Tickets (TGTs) or service tickets from memory and inject them into their own session. Golden Ticket attacks, where the attacker compromises the KRBTGT account hash, allow the creation of forged tickets that grant unrestricted access to any resource in the domain.
T1570: Lateral Tool Transfer
Once attackers have established access to multiple systems, they transfer tools, scripts, and payloads between compromised hosts using existing access channels. This avoids the need to download tools from external infrastructure (which may trigger network-based detections). Common transfer methods include SMB file copies, RDP clipboard and drive mapping, and PowerShell file transfer functions.
T1563: Remote Service Session Hijacking
T1563.001: SSH Hijacking: Attackers with root access on a system can hijack existing SSH sessions by injecting commands into the SSH agent socket. This allows movement to remote systems without needing the user's credentials.
T1563.002: RDP Hijacking: On Windows systems, attackers with SYSTEM privileges can hijack disconnected RDP sessions using the tscon command. This reconnects a disconnected session without requiring the original user's password, providing access under that user's identity.
T1072: Software Deployment Tools
Enterprise software deployment tools are designed to push configurations, scripts, and software to thousands of endpoints simultaneously. When attackers compromise these tools, they gain a built-in lateral movement capability at enterprise scale.
System Center Configuration Manager (SCCM/MECM): Attackers with SCCM administrator access can deploy arbitrary scripts or applications to any managed endpoint. SCCM's trusted position in the environment means its actions are rarely scrutinised by security tools.
Group Policy Objects (GPOs): Attackers with sufficient Active Directory privileges can create or modify GPOs to deploy scheduled tasks, startup scripts, or software installations across domain-joined systems. GPO-based lateral movement is particularly stealthy because Group Policy is a core Windows infrastructure component.
T1210: Exploitation of Remote Services
Rather than using valid credentials, attackers exploit vulnerabilities in remote services to execute code on target systems. Recent examples include EternalBlue (MS17-010) for SMB, BlueKeep (CVE-2019-0708) for RDP, and various vulnerabilities in enterprise management platforms. This technique does not require prior credential access, making it valuable in the early stages of lateral movement before the attacker has harvested credentials.
Why Is Lateral Movement Difficult to Detect?
Lateral movement is considered one of the most challenging attack phases to detect for several fundamental reasons.
Legitimate tools and protocols. Lateral movement techniques use the same tools and protocols that IT administrators use daily: RDP, SMB, SSH, WinRM, PowerShell Remoting, SCCM, and Group Policy. There is no inherently malicious payload to detect. The difference between an administrator deploying a patch via SCCM and an attacker deploying ransomware via SCCM is intent, not technology.
Blends with administrative activity. In any enterprise environment, there are legitimate RDP connections, SMB file transfers, and remote PowerShell sessions happening constantly. Lateral movement traffic is a signal hidden in the noise of normal operations. Without baseline understanding of what constitutes normal remote access patterns for each user and system, distinguishing malicious from legitimate activity is extremely difficult.
Endpoint-only tools miss network-level patterns. An EDR agent on Host A can see that a process was executed, but it cannot independently see that the process was triggered by an SMB connection from Host B, or that Host B itself was compromised 10 minutes earlier. The lateral movement chain spans multiple hosts, and endpoint-focused tools have visibility limited to a single host at a time.
Network-only tools miss identity context. An NDR appliance can detect an RDP connection from Host A to Host B, but it cannot determine whether the credentials used were legitimate, stolen, or forged. Without identity and authentication context, network-level detection generates excessive false positives because it cannot distinguish between authorised administrative access and attacker lateral movement.
Identity-based attacks are invisible to traditional NDR. Pass the Hash, Pass the Ticket, and Kerberoasting attacks occur within the authentication protocol itself. Network monitoring tools that inspect traffic flows but do not deeply parse authentication protocols will miss these techniques entirely.
This is why effective lateral movement detection requires correlated visibility across endpoint telemetry, network traffic, and identity and authentication events simultaneously.
How Should You Detect Lateral Movement by Data Source?
Rather than attempting to detect lateral movement with a single tool, security teams should build detection strategies around the data sources available to them.
Endpoint Telemetry
Endpoint telemetry provides visibility into what happens on individual hosts before, during, and after lateral movement.
| Detection Target | Data Source | What to Look For |
|---|---|---|
| Credential dumping | Process creation, API calls | LSASS memory access (e.g., Mimikatz, procdump), SAM database queries, DCSync via DRS replication |
| Suspicious process execution | Process creation logs | PsExec, wmiexec, smbexec service creation on target hosts; processes spawned by wmiprvse.exe or wsmprovhost.exe |
| Remote service enablement | Registry modifications | RDP enabled via registry (fDenyTSConnections = 0), WinRM configuration changes |
| Tool transfer | File creation events | Executable files created in temp directories, admin shares, or user profile paths by remote processes |
| Scheduled task creation | Windows Event ID 4698 | Tasks created remotely, especially those executing scripts or binaries from unusual paths |
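The endpoint rules in the table can be expressed as a small rule set over process, service, registry and file events. The following is an added example, not SenseOn's or the page's own code; the event field names and the sample telemetry are constructed in a simplified Sysmon-like shape and are hypothetical.

```python
# Added example (not from the page): endpoint-telemetry rules mirroring the
# table above, run over constructed, simplified process/service/registry/file events.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events; field names are hypothetical, loosely Sysmon-like.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "host": "WS-FIN-07", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},          # child of WMI provider host
    {"type": "process", "host": "WS-FIN-07", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\wsmprovhost.exe"},            # child of WinRM host process
    {"type": "process", "host": "WS-FIN-07", "user": "CORP\\jsmith",
     "image": "C:\\Program Files\\Office\\winword.exe",
     "parent": "C:\\Windows\\explorer.exe"},                          # benign interactive launch
    {"type": "service", "host": "SRV-FILE-02", "name": "PSEXESVC",
     "path": "C:\\Windows\\PSEXESVC.exe"},                            # PsExec service install
    {"type": "registry", "host": "SRV-FILE-02", "value": 0,
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections"},
    {"type": "file", "host": "SRV-FILE-02", "remote": True,
     "path": "C:\\Windows\\Temp\\update.exe"},                         # executable written by a remote session
    {"type": "file", "host": "SRV-FILE-02", "remote": False,
     "path": "C:\\Users\\admin\\Downloads\\setup.exe"},                # local download, not flagged
]

REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe"}   # parents of WMI / WinRM remote execution
LATERAL_SERVICE_NAMES = {"psexesvc"}                        # service name PsExec installs
STAGING_DIRS = ("\\temp\\", "\\admin$\\", "\\users\\")      # common drop locations


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, detail) for every event that matches a rule."""
    findings = []
    for e in events:
        t = e["type"]
        if t == "process" and basename(e["parent"]) in REMOTE_EXEC_PARENTS:
            findings.append((e["host"], "remote-exec-child",
                             f"{basename(e['image'])} spawned by {basename(e['parent'])}"))
        elif t == "service" and e["name"].lower() in LATERAL_SERVICE_NAMES:
            findings.append((e["host"], "psexec-service", e["name"]))
        elif t == "registry" and e["key"].lower().endswith("\\fdenytsconnections") and e["value"] == 0:
            findings.append((e["host"], "rdp-enabled-via-registry", e["key"]))
        elif t == "file" and e.get("remote"):
            p = e["path"].lower()
            if p.endswith(".exe") and any(d in p for d in STAGING_DIRS):
                findings.append((e["host"], "remote-tool-transfer", e["path"]))
    return findings


def rules_by_host(events: List[Dict]) -> Dict[str, List[str]]:
    """Group matched rule names per host, so several weak signals on one host stand out."""
    grouped = defaultdict(list)
    for host, rule, _ in evaluate(events):
        grouped[host].append(rule)
    return dict(grouped)


if __name__ == "__main__":
    for host, rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{host:<12} {rule:<26} {detail}")
```

Grouping by host matters more than any single rule: a PsExec service install, RDP being switched on through the registry and an executable dropped in Temp on the same server within a short period is a much stronger signal than any one of them alone.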
Network Traffic
Network telemetry reveals the connections between systems and the patterns of lateral movement.
| Detection Target | Data Source | What to Look For |
|---|---|---|
| Unusual SMB connections | NetFlow, packet metadata | Workstation-to-workstation SMB (not workstation-to-server); SMB to systems that a source host has never connected to before |
| RDP anomalies | NetFlow, connection logs | RDP from servers to workstations (reverse of normal pattern); RDP from hosts that are not designated admin jump boxes |
| East-west traffic spikes | NetFlow volume analysis | Sudden increases in internal traffic volume from a single host, especially to many destinations (port scanning, mass SMB connections) |
| Beaconing patterns | Connection timing analysis | Regular, periodic connections from compromised hosts to internal command-and-control relay points |
| Named pipe communication | SMB traffic inspection | Named pipes associated with PsExec (PSEXESVC), Cobalt Strike (default named pipes), and other lateral movement tools |
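The SMB and RDP rows of the table all depend on two pieces of context that raw flow data does not carry: the role of each host and what each host normally talks to. This added example (not SenseOn's or the page's own code) applies those rows to constructed flow records; the host names, roles and the SMB baseline are all hypothetical.

```python
# Added example (not from the page): role- and baseline-aware flow rules for the
# SMB/RDP rows of the table above, applied to constructed NetFlow-style records.
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed flow records: (src_host, dst_host, dst_port). Hosts are hypothetical.
FLOWS: List[Tuple[str, str, int]] = [
    ("WS-FIN-07", "SRV-FILE-02", 445),   # normal: workstation to its file server
    ("WS-FIN-07", "WS-FIN-12", 445),     # workstation to workstation
    ("WS-FIN-07", "WS-FIN-09", 445),     # workstation to workstation
    ("WS-FIN-07", "SRV-ENG-05", 445),    # server this host has never contacted before
    ("JUMP-01", "SRV-FILE-02", 3389),    # expected: RDP from a designated jump box
    ("SRV-FILE-02", "WS-FIN-12", 3389),  # reverse of the normal pattern: server to workstation
]

# Host roles as an asset inventory would supply them (constructed).
HOST_ROLE: Dict[str, str] = {
    "WS-FIN-07": "workstation", "WS-FIN-09": "workstation", "WS-FIN-12": "workstation",
    "SRV-FILE-02": "server", "SRV-ENG-05": "server", "JUMP-01": "jumpbox",
}

# SMB destinations each host was observed using during a learning period (constructed).
SMB_BASELINE: Dict[str, Set[str]] = {"WS-FIN-07": {"SRV-FILE-02"}, "WS-FIN-12": {"SRV-FILE-02"}}


def analyse_flows(flows: List[Tuple[str, str, int]], roles: Dict[str, str],
                  baseline: Dict[str, Set[str]], fanout_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return (rule, src, detail) alerts for SMB/RDP flows that break role or baseline expectations."""
    alerts: List[Tuple[str, str, str]] = []
    smb_destinations = defaultdict(set)
    for src, dst, port in flows:
        src_role, dst_role = roles.get(src, "unknown"), roles.get(dst, "unknown")
        if port == 445:
            smb_destinations[src].add(dst)
            if src_role == "workstation" and dst_role == "workstation":
                alerts.append(("ws-to-ws-smb", src, dst))
            if dst not in baseline.get(src, set()):
                alerts.append(("new-smb-destination", src, dst))
        elif port == 3389:
            if src_role == "server" and dst_role == "workstation":
                alerts.append(("rdp-server-to-workstation", src, dst))
            elif src_role != "jumpbox":
                alerts.append(("rdp-from-non-jumpbox", src, dst))
    # East-west fan-out: one source reaching many distinct SMB destinations.
    for src, dests in smb_destinations.items():
        if len(dests) >= fanout_threshold:
            alerts.append(("smb-fanout", src, f"{len(dests)} distinct SMB destinations"))
    return alerts


def alert_counts(flows, roles, baseline) -> Counter:
    """How many times each rule fired; useful for tuning thresholds against a baseline period."""
    return Counter(rule for rule, _, _ in analyse_flows(flows, roles, baseline))


if __name__ == "__main__":
    for rule, src, detail in analyse_flows(FLOWS, HOST_ROLE, SMB_BASELINE):
        print(f"{rule:<28} {src:<12} {detail}")
```

The fan-out threshold and the baseline learning period are the two knobs that decide the false-positive rate here; a file-server migration or a vulnerability scanner will trip the same rules unless those hosts are given their own role or baseline.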
Identity and Authentication
Identity telemetry reveals the abuse of credentials and authentication protocols that power lateral movement.
| Detection Target | Data Source | What to Look For |
|---|---|---|
| Impossible travel | Authentication logs | Same user account authenticating from two geographically distant locations within a timeframe that makes physical travel impossible |
| Service account anomalies | Kerberos and NTLM logs | Service accounts authenticating from new hosts, authenticating interactively (Type 2/10) instead of as a service (Type 5), or accessing resources outside their established pattern |
| Kerberos anomalies | Windows Event IDs 4768, 4769, 4771 | Ticket requests for unusual SPNs (Kerberoasting), tickets with abnormally long lifetimes (Golden Ticket), RC4 encryption in environments that should use AES |
| Pass the Hash indicators | NTLM authentication logs | NTLM authentication where the source host is not the host where the account password was last changed; NTLM used where Kerberos should be available |
| Anomalous logon patterns | Windows Event IDs 4624, 4625 | Logon Type 3 (network) or Type 10 (remote interactive) from unexpected source hosts; high volumes of failed logons followed by success |
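Several rows of this table (service accounts logging on interactively, failed logons followed by success, remote logons from unexpected hosts, NTLM where Kerberos is expected, RC4 service tickets) can be checked with a single pass over 4624/4625/4769 events. This added example, not SenseOn's or the page's own code, does that over constructed Security-log events; the accounts, hosts and the "expected admin sources" list are hypothetical, and the field names are a simplified export shape rather than the raw event XML.

```python
# Added example (not from the page): identity-telemetry rules from the table above,
# run over constructed Windows Security events (4624 logon, 4625 failed logon, 4769 TGS request).
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed events; 'enc' on 4769 is the TicketEncryptionType (0x17 = RC4-HMAC, 0x12 = AES256).
AUTH_EVENTS: List[Dict] = [
    {"t": "2025-01-10T09:00:00", "id": 4625, "account": "jsmith", "src": "WS-FIN-07", "logon_type": 3},
    {"t": "2025-01-10T09:00:05", "id": 4625, "account": "jsmith", "src": "WS-FIN-07", "logon_type": 3},
    {"t": "2025-01-10T09:00:10", "id": 4625, "account": "jsmith", "src": "WS-FIN-07", "logon_type": 3},
    {"t": "2025-01-10T09:00:20", "id": 4624, "account": "jsmith", "src": "WS-FIN-07", "logon_type": 3, "package": "NTLM"},
    {"t": "2025-01-10T09:05:00", "id": 4624, "account": "svc-backup", "src": "WS-FIN-07", "logon_type": 10, "package": "Kerberos"},
    {"t": "2025-01-10T09:06:00", "id": 4624, "account": "da-admin", "src": "WS-FIN-07", "logon_type": 10, "package": "NTLM"},
    {"t": "2025-01-10T09:07:00", "id": 4769, "account": "da-admin", "src": "WS-FIN-07", "spn": "MSSQLSvc/SRV-DB-01", "enc": 0x17},
    {"t": "2025-01-10T09:08:00", "id": 4624, "account": "da-admin", "src": "JUMP-01", "logon_type": 10, "package": "Kerberos"},
]

ADMIN_SOURCES = {"JUMP-01"}      # hosts from which privileged remote logons are expected (constructed)
PRIVILEGED = {"da-admin"}        # accounts that should only ever authenticate with Kerberos
SERVICE_PREFIX = "svc-"          # naming convention for service accounts (constructed)
INTERACTIVE_TYPES = {2, 10}      # interactive / remote interactive logon types
REMOTE_TYPES = {3, 10}           # network / remote interactive logon types
RC4_HMAC = 0x17


def ts(e: Dict) -> datetime:
    return datetime.fromisoformat(e["t"])


def analyse_auth(events: List[Dict], fail_threshold: int = 3,
                 window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Return (rule, account, where) alerts, processing events in time order."""
    alerts: List[Tuple[str, str, str]] = []
    recent_failures = defaultdict(list)      # account -> timestamps of recent 4625 events
    for e in sorted(events, key=ts):
        acct, src = e["account"], e["src"]
        if e["id"] == 4625:
            recent_failures[acct].append(ts(e))
            continue
        if e["id"] == 4624:
            # Failed logons followed by success within the window (spray / brute force, then a hit).
            fails = [f for f in recent_failures[acct] if ts(e) - f <= window]
            if len(fails) >= fail_threshold:
                alerts.append(("failures-then-success", acct, src))
            recent_failures[acct].clear()
            if acct.startswith(SERVICE_PREFIX) and e["logon_type"] in INTERACTIVE_TYPES:
                alerts.append(("service-account-interactive", acct, src))
            if acct in PRIVILEGED and e["logon_type"] in REMOTE_TYPES and src not in ADMIN_SOURCES:
                alerts.append(("privileged-logon-unexpected-source", acct, src))
            if acct in PRIVILEGED and e["package"] == "NTLM":
                alerts.append(("ntlm-where-kerberos-expected", acct, src))
        elif e["id"] == 4769 and e["enc"] == RC4_HMAC:
            # RC4 service ticket in an AES environment: also the shape of a Kerberoasting request.
            alerts.append(("rc4-service-ticket", acct, e["spn"]))
    return alerts


if __name__ == "__main__":
    for rule, acct, where in analyse_auth(AUTH_EVENTS):
        print(f"{rule:<36} {acct:<12} {where}")
```

Note that the last event, the same privileged account logging on from the jump box with Kerberos, produces nothing: the rules key on source host and authentication package, not on the account alone, which is what keeps routine administration out of the alert queue.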
How Does SenseOn Detect Lateral Movement?
SenseOn's architecture is specifically designed to solve the lateral movement detection challenge that individual security tools cannot address alone.
The SenseOn agent is deployed on each endpoint but collects both endpoint telemetry and network flow data from the same vantage point. This means that a single sensor sees process execution, file operations, registry changes, authentication events, and network connections: all correlated at the source. There is no need to merge data from separate EDR, NDR, and identity tools after the fact.
The cross-domain correlation engine processes this unified telemetry using three complementary analytical approaches:
- Supervised learning detects known lateral movement patterns: PsExec service creation, Mimikatz memory access patterns, known named pipes, and established tool signatures.
- Unsupervised learning establishes baselines for normal remote access behaviour per user, per host, and per network segment. It then flags deviations, such as a finance workstation suddenly initiating SMB connections to engineering servers, or a service account authenticating from a host it has never used before.
- Deep learning analyses temporal sequences of events across multiple hosts to identify lateral movement chains that no individual event would flag as suspicious.
Example detection chain: SenseOn detects LSASS memory access on Host A (credential dumping), followed 4 minutes later by an RDP connection from Host A to Host B using credentials that were not previously used from Host A, followed by enumeration commands (net group "domain admins") and file access to a sensitive share on Host B. The cross-domain correlation engine correlates these events across two hosts and three data sources, endpoint, network, and identity, and presents them as a single lateral movement incident with full attack chain context, rather than three separate low-confidence alerts.
This cross-layer correlation is what enables SenseOn to detect lateral movement with high confidence while minimising false positives. The platform achieved 0 false positives in AV-Comparatives testing, demonstrating that correlated multi-source analysis can deliver accuracy that individual tools cannot match.
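The detection chain described above can be illustrated with a small correlation routine that joins events from the three data sources across two hosts inside a time window. This is an added example, not SenseOn's engine or any code from the page: the events, the host and account names, and the per-host account baseline are constructed, and the 15-minute window is an assumption chosen for the sample.

```python
# Added example (not from the page): cross-host, cross-source correlation of the
# "LSASS access -> RDP with a new account -> enumeration / file access" chain over constructed events.
from datetime import datetime, timedelta
from typing import Dict, List, Set


def at(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed unified telemetry; 'source' records which data source produced the event.
EVENTS: List[Dict] = [
    {"t": at("2025-01-10T10:00:00"), "source": "endpoint", "kind": "lsass_access", "host": "HOST-A",
     "detail": "procdump.exe opened lsass.exe"},
    {"t": at("2025-01-10T10:04:00"), "source": "network", "kind": "rdp_connection", "host": "HOST-A", "dst": "HOST-B"},
    {"t": at("2025-01-10T10:04:02"), "source": "identity", "kind": "logon", "host": "HOST-B", "src": "HOST-A",
     "account": "da-admin", "logon_type": 10},
    {"t": at("2025-01-10T10:06:00"), "source": "endpoint", "kind": "process", "host": "HOST-B", "account": "da-admin",
     "cmdline": 'net group "domain admins" /domain'},
    {"t": at("2025-01-10T10:07:00"), "source": "endpoint", "kind": "file_access", "host": "HOST-B", "account": "da-admin",
     "path": "\\\\HOST-B\\Finance$\\payroll.xlsx"},
    # Routine admin session from the jump box with an account it normally uses: must not correlate.
    {"t": at("2025-01-10T10:10:00"), "source": "network", "kind": "rdp_connection", "host": "JUMP-01", "dst": "HOST-B"},
    {"t": at("2025-01-10T10:10:01"), "source": "identity", "kind": "logon", "host": "HOST-B", "src": "JUMP-01",
     "account": "da-admin", "logon_type": 10},
]

# Accounts each host has historically used for outbound logons (constructed baseline).
ACCOUNT_BASELINE: Dict[str, Set[str]] = {"JUMP-01": {"da-admin"}, "HOST-A": {"jsmith"}}
ENUM_MARKERS = ("net group", "net localgroup", "nltest", "whoami /groups")
WINDOW = timedelta(minutes=15)      # assumption: how long after the dump we still link events


def correlate(events: List[Dict], baseline: Dict[str, Set[str]], window: timedelta = WINDOW) -> List[Dict]:
    """Link LSASS access on one host to an RDP hop using a never-before-seen account and follow-on activity on the target."""
    events = sorted(events, key=lambda e: e["t"])
    incidents = []
    for dump in (e for e in events if e["kind"] == "lsass_access"):
        src = dump["host"]
        for rdp in events:
            if rdp["kind"] != "rdp_connection" or rdp["host"] != src:
                continue
            if not (dump["t"] <= rdp["t"] <= dump["t"] + window):
                continue
            dst = rdp["dst"]
            # Identity event on the target matching this network connection.
            logon = next((e for e in events if e["kind"] == "logon" and e["host"] == dst and e["src"] == src
                          and rdp["t"] <= e["t"] <= rdp["t"] + timedelta(minutes=1)), None)
            if logon is None or logon["account"] in baseline.get(src, set()):
                continue    # account already known from this host: not the pattern we are after
            # Endpoint activity on the target under the new account: enumeration or sensitive file access.
            follow_up = [e for e in events
                         if e["host"] == dst and e.get("account") == logon["account"]
                         and logon["t"] < e["t"] <= logon["t"] + window
                         and (e["kind"] == "file_access"
                              or any(m in e.get("cmdline", "") for m in ENUM_MARKERS))]
            if not follow_up:
                continue
            chain = [dump, rdp, logon] + follow_up
            incidents.append({
                "hosts": [src, dst],
                "account": logon["account"],
                "sources": sorted({e["source"] for e in chain}),
                "events": chain,
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS, ACCOUNT_BASELINE):
        print(f"lateral movement: {inc['hosts'][0]} -> {inc['hosts'][1]} as {inc['account']}, "
              f"sources={inc['sources']}, {len(inc['events'])} events")
```

Each step on its own is weak: an LSASS read can be a backup agent, an RDP hop can be an administrator, a `net group` query can be a help-desk script. Swapping in a baseline in which HOST-A has already used `da-admin` makes the routine return nothing, which is the point: the account-from-host novelty is what turns three ordinary events into one incident.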
How Can You Prevent and Harden Against Lateral Movement?
Detection is essential, but prevention and hardening measures reduce the attack surface that adversaries can exploit for lateral movement.
Network segmentation. Divide your network into zones based on function and sensitivity. Place workstations, servers, and critical infrastructure in separate segments with firewall rules that restrict unnecessary cross-segment communication. Micro-segmentation extends this concept to individual workloads in cloud and virtualised environments.
Least privilege access. Remove local administrator rights from standard user accounts. Administrators should use separate, dedicated accounts for administrative tasks, never the same account they use for email and web browsing. Implement just-in-time (JIT) access that grants elevated privileges only when needed and revokes them automatically.
Privileged Access Management (PAM). Deploy a PAM solution to vault, rotate, and audit privileged credentials. PAM reduces the risk of credential theft by ensuring that administrative passwords are unique per system, rotated frequently, and never stored in memory longer than necessary.
Disable unnecessary remote services. If a system does not require RDP, disable it. If WinRM is not needed for management, disable it. Every enabled remote access protocol is a potential lateral movement vector. Audit your environment for remote services that are enabled by default but not operationally required.
Local Administrator Password Solution (LAPS). Deploy Microsoft LAPS (or a third-party equivalent) to ensure that every system has a unique local administrator password. Without LAPS, a single compromised local admin hash can be reused across every system where the same password is set, a common scenario in environments that use imaging or scripted deployments.
Credential Guard and Protected Users. Enable Windows Credential Guard to protect NTLM hashes and Kerberos tickets in a virtualisation-based security enclave. Add high-value accounts to the Protected Users security group, which enforces Kerberos-only authentication and prevents credential caching.
Monitor and restrict NTLM. Where possible, enforce Kerberos authentication and restrict NTLM. NTLM is inherently vulnerable to relay and pass-the-hash attacks. Audit NTLM usage in your environment to identify applications that still require it, then plan migration to Kerberos or certificate-based authentication.
Secure software deployment tools. SCCM, GPO, and other deployment tools should be treated as Tier 0 assets, equivalent to domain controllers in terms of security sensitivity. Restrict administrative access, enable thorough audit logging, and monitor for unauthorised use.
For additional context on how lateral movement fits within the broader MITRE ATT&CK framework, see our guides on Reconnaissance Techniques and Initial Access Techniques.
Frequently Asked Questions
What is lateral movement in cybersecurity?
Lateral movement is the set of techniques attackers use to move through a network after gaining initial access. Catalogued under MITRE ATT&CK Tactic TA0008, lateral movement enables adversaries to expand their foothold, discover high-value targets, and position themselves to achieve their ultimate objective, whether that is data exfiltration, ransomware deployment, or espionage. Lateral movement typically uses legitimate remote access protocols and valid credentials, making it difficult to distinguish from normal administrative activity.
Why is lateral movement hard to detect with traditional security tools?
Traditional security tools struggle with lateral movement because it exploits legitimate protocols (RDP, SMB, SSH, WinRM) and often uses valid credentials. Endpoint-only tools see process execution but miss network-level movement patterns. Network-only tools see connection metadata but lack the endpoint context to determine whether a connection is malicious. Identity-focused tools detect authentication anomalies but cannot see what happens after authentication. Effective detection requires correlated visibility across all three data sources simultaneously.
What are the most common lateral movement techniques?
The most prevalent lateral movement techniques include Remote Services (T1021), particularly RDP and SMB/Windows Admin Shares, Use of Alternate Authentication Material such as Pass the Hash and Pass the Ticket (T1550), Lateral Tool Transfer (T1570), and Exploitation of Remote Services (T1210). In enterprise environments, abuse of Software Deployment Tools like SCCM and Group Policy (T1072) is also common because these tools have built-in capabilities to execute code across many systems simultaneously.
How does network segmentation prevent lateral movement?
Network segmentation divides the network into isolated zones based on function, sensitivity, or trust level. By restricting which systems can communicate with each other, segmentation limits an attacker's ability to move freely after compromising a single host. Even if an attacker gains access to a workstation in one segment, they cannot directly reach servers in a different segment without traversing a security control point such as a firewall. Micro-segmentation extends this concept to individual workloads.
Can lateral movement be detected in real time?
Yes, lateral movement can be detected in real time when security platforms have correlated visibility across endpoint, network, and identity telemetry. SenseOn's cross-domain correlation engine combines signals from all three sources simultaneously: for example, it detects credential dumping on one host, followed by an RDP connection to another host, followed by anomalous file access, and presents this as a single correlated lateral movement chain rather than as isolated alerts.