Lateral Movement
Techniques attackers use to move through a network after initial compromise, accessing additional systems and data.
What is Lateral Movement?
Lateral movement refers to techniques attackers use to progressively move through a network in search of key assets and data after gaining initial access. This is a critical phase where attackers expand their foothold within the target environment.
Why Attackers Move Laterally
- Initial compromise rarely reaches valuable targets
- Need to find and access sensitive data
- Establish multiple points of persistence
- Locate privileged accounts and systems
- Avoid detection by distributing presence
Common Techniques
Credential-based:
- Pass-the-Hash
- Pass-the-Ticket (Kerberos)
- Credential dumping
- Stolen credential reuse
Remote Execution:
- PsExec and similar tools
- Windows Remote Management (WinRM)
- Remote Desktop Protocol (RDP)
- SSH
Exploitation:
- Internal vulnerability exploitation
- Abuse of trust relationships
- Application-specific attacks
Detection Strategies
- Monitor authentication logs
- Track unusual administrative tool usage
- Watch for anomalous network connections
- Implement user behavior analytics
- Deploy honeypots and deception
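The first three monitoring items above, worked as a small detector over authentication records. This is an added example, not code from the original page. The record fields mirror the attributes commonly pulled from Windows Security event 4624 (account, source address, destination host, logon type, authentication package), but the log lines, account and host names, the admin jump-host list and the alert thresholds are all constructed assumptions.

```python
"""Toy lateral-movement detector over constructed logon records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple


class Logon(NamedTuple):
    ts: datetime
    account: str
    src_ip: str
    dst_host: str
    logon_type: int      # 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP)
    auth_package: str    # "Kerberos" or "NTLM"


def parse_logon(line: str) -> Logon:
    """Parse one pipe-delimited constructed log line into a Logon record."""
    ts, account, src_ip, dst_host, ltype, pkg = [f.strip() for f in line.split("|")]
    return Logon(datetime.fromisoformat(ts), account, src_ip, dst_host, int(ltype), pkg)


# Constructed sample log: a normal user, a backup service account doing its job,
# and a stolen domain-admin credential reused from an ordinary workstation.
SAMPLE_LOG = """\
2024-05-01T09:00:05 | CORP\\alice      | 10.1.1.20 | WS-ALICE | 2  | Kerberos
2024-05-01T09:01:10 | CORP\\svc-backup | 10.1.9.5  | FS01     | 3  | Kerberos
2024-05-01T09:02:30 | CORP\\svc-backup | 10.1.9.5  | FS02     | 3  | Kerberos
2024-05-01T09:31:00 | CORP\\da-bob     | 10.1.1.20 | WS-CAROL | 3  | NTLM
2024-05-01T09:31:12 | CORP\\da-bob     | 10.1.1.20 | WS-DAVE  | 3  | NTLM
2024-05-01T09:31:40 | CORP\\da-bob     | 10.1.1.20 | FS01     | 3  | NTLM
2024-05-01T09:32:05 | CORP\\da-bob     | 10.1.1.20 | SQL01    | 3  | NTLM
2024-05-01T09:40:00 | CORP\\da-bob     | 10.1.1.20 | DC01     | 10 | NTLM
"""

# Assumptions for this example: which accounts are privileged, and the only
# source addresses from which privileged remote logons are expected.
PRIVILEGED_ACCOUNTS = {"CORP\\da-bob"}
ADMIN_JUMP_HOSTS = {"10.1.0.10"}

Alert = Tuple[str, str, str, tuple]


def detect_fan_out(logons: List[Logon], window=timedelta(minutes=5), min_hosts=3) -> List[Alert]:
    """Rule 1: one account from one source reaching many distinct hosts in a short window."""
    by_actor = defaultdict(list)
    for lg in sorted(logons, key=lambda e: e.ts):
        if lg.logon_type in (3, 10):          # remote logons only
            by_actor[(lg.account, lg.src_ip)].append(lg)
    alerts = []
    for (account, src), events in by_actor.items():
        # Sliding window: from each event, count distinct destinations until the window expires.
        for i, start in enumerate(events):
            hosts = {e.dst_host for e in events[i:] if e.ts - start.ts <= window}
            if len(hosts) >= min_hosts:
                alerts.append(("fan_out", account, src, tuple(sorted(hosts))))
                break                         # one alert per actor is enough
    return alerts


def detect_privileged_misuse(logons: List[Logon]) -> List[Alert]:
    """Rule 2: privileged account logging on remotely from a non-jump-host, or over NTLM."""
    alerts, seen = [], set()
    for lg in logons:
        if lg.account not in PRIVILEGED_ACCOUNTS or lg.logon_type not in (3, 10):
            continue
        reasons = []
        if lg.src_ip not in ADMIN_JUMP_HOSTS:
            reasons.append("source not an admin jump host")
        if lg.auth_package == "NTLM":         # NTLM network logons are what pass-the-hash relies on
            reasons.append("NTLM instead of Kerberos")
        key = (lg.account, lg.src_ip, tuple(reasons))
        if reasons and key not in seen:       # de-duplicate repeated hits for the same actor
            seen.add(key)
            alerts.append(("privileged_misuse", lg.account, lg.src_ip, tuple(reasons)))
    return alerts


def run_detections(raw_log: str) -> List[Alert]:
    """Parse the log and run both rules; returns the combined alert list."""
    logons = [parse_logon(line) for line in raw_log.splitlines() if line.strip()]
    return detect_fan_out(logons) + detect_privileged_misuse(logons)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the backup service account touches two file servers and stays under the fan-out threshold, while the domain-admin credential reused from a workstation trips both rules: four distinct hosts inside five minutes, and NTLM remote logons from an address that is not a jump host. Real deployments tune the window and host count per account class and feed the authentication package and source address from the actual event fields.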
Prevention
- Network segmentation
- Least privilege access
- Multi-factor authentication
- Credential hygiene
- Regular password rotation