Ymir Vigfusson
May 20, 2025
Cybersecurity threats don’t stand still - they move. The battle for your network is often won or lost on lateral movement. Attackers don’t just breach one system and call it a day; they pivot, escalate, and weave through your infrastructure like a predator hunting prey. Their goal? To reach the most critical systems, steal your most valuable data, and leave you unaware so they can strike again another day.
These attacks are stealthy, often blending in with legitimate activity, which makes detecting them incredibly challenging. But understanding how attackers move and the techniques they use is the first step toward stopping them. That’s why we’re diving into these 9 key lateral movement techniques - not to intimidate, but to illuminate the breadth of the challenge we all face in securing modern networks.
These aren’t just theoretical risks - they've been used in real-world campaigns that disrupted businesses, compromised sensitive data, and left defenders playing catch-up. By examining these lateral movement techniques in detail, we’ll help you recognize the vulnerabilities attackers exploit and the limitations of traditional defenses. Because in the fight against advanced adversaries, knowledge (and technique) is power.
Lateral movement refers to the suite of techniques adversaries use, after gaining initial access (“land”), to move through a network (“expand”) in order to reach further systems, escalate privileges, and access sensitive data.
Below is a list of 9 classes of lateral movement technique, aligned with the MITRE ATT&CK matrix. A few of them (credential dumping, supply chain compromise) sit under other ATT&CK tactics, but each is a well-worn route from the first foothold to the next machine. Each is described with typical mitigations, real-world examples, and associated risks.
Attackers target vulnerabilities in remote services such as SMB to execute code on other systems, often without authenticating first. Using pre-authentication exploits such as EternalBlue (the MS17-010 SMBv1 flaw), attackers send crafted packets to vulnerable endpoints, triggering remote code execution.
As a means of moving easily between servers, this method was instrumental in the WannaCry ransomware campaign of May 2017, where SMBv1 flaws allowed the malware to propagate across networks unchecked. Exploiting remote services not only facilitates lateral movement but also lets attackers deliver payloads, escalate privileges, and establish persistent access.
The more protocols are exposed between devices, the more attack surface there is to defend, and thus the more potential for attacks once an adversary lands on a first machine. Defending against remote service exploitation begins with patch management and disabling unused protocols (SMBv1 in particular). While tools like IDS and IPS can flag suspicious activity, they rely heavily on accurate configuration and ongoing maintenance to remain effective. Legacy systems that cannot be updated compound the problem, creating blind spots attackers can exploit.
Even when defenses are in place, the sheer volume of network traffic makes it difficult to distinguish legitimate from malicious activity, leading to slow triage in the SOC that gives attackers time to evade detection.
Once attackers compromise an internal account, they send phishing emails to the victim's colleagues, leveraging trust to bypass traditional security measures. These emails may request direct access to resources or password resets, and may include malicious attachments or links designed to deploy malware or harvest credentials.
Emotet famously used this technique, exploiting the familiarity of internal communications to propagate within organizations. By blending into legitimate email traffic, attackers evade external filtering solutions, making detection and containment more difficult.
Email security solutions and employee training are the first lines of defense, but they are anything but foolproof. Attackers constantly adapt their tactics, using increasingly convincing messages that trick even well-trained employees.
Internal spear phishing bypasses traditional perimeter defenses entirely, leaving organizations reliant on anomaly detection within their internal network. Such methods are inherently reactive, meaning the damage is already done by the time the attack is identified. The linchpin of modern cybersecurity programs lies in “shifting left” towards proactive defense and countermeasures instead of reactive forensics.
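One place anomaly detection can still catch internal spear phishing is the mail trace: a single mailbox that suddenly reaches many colleagues with the same link-bearing message in a few minutes looks nothing like its owner's normal traffic. The detector below is an added example written for this post, not Keystrike code or a product feature; the message-trace records, the `corp.example` domain and the thresholds (5 recipients in 10 minutes) are constructed assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed message-trace records for this example (not real mail logs).
# alice's mailbox has been taken over and is used to mail six colleagues a
# credential-harvesting link within a few minutes; bob's traffic is ordinary.
SAMPLE_TRACE = [
    {"ts": "2025-05-20T09:00:05", "sender": "alice@corp.example", "recipient": "bob@corp.example",   "subject": "Updated payroll portal", "has_url": True,  "has_attachment": False},
    {"ts": "2025-05-20T09:00:09", "sender": "alice@corp.example", "recipient": "carol@corp.example", "subject": "Updated payroll portal", "has_url": True,  "has_attachment": False},
    {"ts": "2025-05-20T09:00:14", "sender": "alice@corp.example", "recipient": "dave@corp.example",  "subject": "Updated payroll portal", "has_url": True,  "has_attachment": False},
    {"ts": "2025-05-20T09:00:20", "sender": "alice@corp.example", "recipient": "erin@corp.example",  "subject": "Updated payroll portal", "has_url": True,  "has_attachment": False},
    {"ts": "2025-05-20T09:01:02", "sender": "alice@corp.example", "recipient": "frank@corp.example", "subject": "Updated payroll portal", "has_url": True,  "has_attachment": False},
    {"ts": "2025-05-20T09:02:40", "sender": "alice@corp.example", "recipient": "grace@corp.example", "subject": "Updated payroll portal", "has_url": True,  "has_attachment": False},
    {"ts": "2025-05-20T09:05:00", "sender": "bob@corp.example",   "recipient": "alice@corp.example", "subject": "Re: Q2 budget",          "has_url": False, "has_attachment": True},
    {"ts": "2025-05-20T09:06:00", "sender": "bob@corp.example",   "recipient": "carol@corp.example", "subject": "lunch?",                 "has_url": False, "has_attachment": False},
    {"ts": "2025-05-20T09:07:00", "sender": "news@vendor.example", "recipient": "dave@corp.example", "subject": "Newsletter",             "has_url": True,  "has_attachment": False},
]


def internal_fanout_alerts(trace, domain="corp.example", window=timedelta(minutes=10), min_recipients=5):
    """Flag internal senders that reach >= min_recipients distinct internal
    recipients within `window` using messages that carry a link or attachment.
    External senders are ignored on purpose: that traffic is the gateway's job."""
    suffix = "@" + domain
    by_sender = defaultdict(list)
    for rec in trace:
        if not (rec["sender"].endswith(suffix) and rec["recipient"].endswith(suffix)):
            continue
        if not (rec["has_url"] or rec["has_attachment"]):
            continue
        by_sender[rec["sender"]].append(
            (datetime.fromisoformat(rec["ts"]), rec["recipient"], rec["subject"]))

    alerts = []
    for sender, msgs in by_sender.items():
        msgs.sort()
        for i, (start, _, _) in enumerate(msgs):
            burst = [m for m in msgs[i:] if m[0] - start <= window]   # sliding window
            recipients = {r for _, r, _ in burst}
            if len(recipients) >= min_recipients:
                subjects = {s for _, _, s in burst}
                alerts.append({"sender": sender, "first_seen": start.isoformat(),
                               "distinct_recipients": len(recipients),
                               "single_subject": len(subjects) == 1})
                break   # one alert per sender is enough to open a case
    return alerts


if __name__ == "__main__":
    for alert in internal_fanout_alerts(SAMPLE_TRACE):
        print(alert)
```

The `single_subject` flag is there because a compromised mailbox usually blasts one template; a real person sending five attachments in ten minutes tends to vary the subject. Treat a hit as a trigger to check the account's recent sign-ins and inbox rules, not as proof by itself.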
Credential dumping tools such as Mimikatz extract authentication material directly from memory or from security databases. By reading the LSASS process on Windows systems, attackers retrieve plaintext passwords, NTLM hashes, and Kerberos tickets. A hash or ticket is often enough on its own to authenticate to other resources: the NTLM hash can be replayed in a pass-the-hash attack and the ticket in a pass-the-ticket attack (both described below).
Credential dumping lets adversaries move laterally by authenticating as legitimate employees. For example, APT28 used Mimikatz to produce "Golden Tickets": Kerberos TGTs forged with the krbtgt account's hash, which grant unrestricted access to the Active Directory environment and thus the keys to the kingdom.
Restricting access to LSASS memory (LSA protection, or Credential Guard, which moves the secrets into a virtualization-isolated process) reduces the risk of credential dumping but doesn’t eliminate it. Attackers frequently find ways around these safeguards, particularly in environments with misconfigured permissions, open defaults, or outdated defenses. Protocols that cannot be paired with a second factor or an equivalently strong control should be disabled or isolated. Logging and monitoring tools can alert teams to suspicious activity, but they often generate overwhelming amounts of data, making it hard to identify actionable threats before an attacker escalates their privileges.
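The monitoring problem described above is tractable if you ask a narrow question: which processes open a handle to lsass.exe with rights that allow reading its memory? Sysmon Event ID 10 (ProcessAccess) records exactly that, with the requested rights in `GrantedAccess`. The detector below is an added example for this post, not Keystrike code; the Sysmon records are constructed and the allowlist of legitimate LSASS readers is an assumption for a hypothetical host that you would have to build from your own baseline.

```python
# Access-mask bits from the Win32 process-rights constants.
PROCESS_CREATE_THREAD     = 0x0002
PROCESS_VM_READ           = 0x0010
PROCESS_VM_WRITE          = 0x0020
PROCESS_DUP_HANDLE        = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400

# Any of these rights on LSASS is enough to read or tamper with credential material.
# Query-only opens (0x1000, 0x1400) are routine and deliberately not matched.
SUSPICIOUS_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE

# Assumed allowlist for the hypothetical host: keep it short and tune per environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon Event ID 10 records, not real telemetry. 0x1010 is the mask
# commonly seen from Mimikatz sekurlsa::logonpasswords; 0x1FFFFF (PROCESS_ALL_ACCESS)
# is what a full memory dump with procdump requests.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",              "TargetImage": r"C:\Windows\System32\lsass.exe",   "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\Downloads\mimikatz.exe",       "TargetImage": r"C:\Windows\System32\lsass.exe",   "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",            "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump64.exe",                    "TargetImage": r"C:\Windows\System32\lsass.exe",   "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1,  "Image": r"C:\Windows\System32\cmd.exe"},
]

RIGHT_NAMES = (("CREATE_THREAD", PROCESS_CREATE_THREAD), ("VM_READ", PROCESS_VM_READ),
               ("VM_WRITE", PROCESS_VM_WRITE), ("DUP_HANDLE", PROCESS_DUP_HANDLE))


def lsass_access_alerts(events, allowlist=ALLOWLIST):
    """One alert per ProcessAccess event that opens lsass.exe with a memory-reading
    or thread-injection right from an image that is not on the allowlist."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        granted = int(ev["GrantedAccess"], 16)
        hit = granted & SUSPICIOUS_MASK
        if not hit:
            continue                                   # query-only handle, normal
        if ev["SourceImage"].lower() in allowlist:
            continue
        alerts.append({
            "source": ev["SourceImage"],
            "granted": f"0x{granted:X}",
            "rights": [name for name, bit in RIGHT_NAMES if hit & bit],
        })
    return alerts


if __name__ == "__main__":
    for alert in lsass_access_alerts(SAMPLE_EVENTS):
        print(alert)
```

Two caveats a practitioner will want: an allowlist keyed on path alone is bypassable by dropping a tool at an allowlisted path, so pair it with the image's signature or hash in production, and with LSA protection enabled the open still fails for unsigned code, which is the prevention the detection should be layered on top of, not a replacement for it.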
Attackers hijack RDP sessions either with stolen credentials or by taking over a disconnected session outright: with SYSTEM privileges on the host, the built-in tscon utility can attach another user's session to the attacker's own without being asked for a password. This lets them blend in with legitimate employee activity while executing commands, deploying malware, or exfiltrating data. Carbanak’s use of RDP hijacking exemplifies this technique’s effectiveness, enabling them to manipulate banking systems remotely. Poorly configured RDP settings, such as lack of MFA or unrestricted access, make environments especially vulnerable.
Multi-factor authentication (MFA) and strict network access controls are essential for securing RDP sessions, but they aren’t universally implemented. Attackers often exploit environments where RDP access is required for operational reasons, making it difficult to enforce restrictive policies.
Session monitoring tools can detect hijacking attempts, but their effectiveness depends on the accuracy of baselines for normal behavior, which can vary significantly across organizations.
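Baselines vary, but the takeover itself leaves a fairly fixed footprint: tscon has to run as SYSTEM to attach someone else's session without a password, and attackers usually get there by wrapping it in a service (`sc create ... binpath= "cmd /k tscon ..."`) or running it through PsExec. The check below is an added example for this post, not Keystrike code; the process-creation records (Security 4688 / Sysmon Event ID 1 shape) are constructed, and the list of service launchers is an assumption to extend with whatever remote-execution tooling your environment uses.

```python
# Constructed process-creation records (Security 4688 / Sysmon Event ID 1 shape), not real telemetry.
SAMPLE_PROCESS_EVENTS = [
    # Classic hijack: a service created with sc.exe runs tscon as SYSTEM and
    # attaches user session 2 to the attacker's RDP session, no password asked.
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": 'sc create sesshijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#3"',
     "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\tscon.exe", "CommandLine": "tscon 2 /dest:rdp-tcp#3",
     "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign: an admin reconnecting a session as themselves. Without SYSTEM,
    # tscon prompts for the target session's password, so this is not a hijack.
    {"Image": r"C:\Windows\System32\tscon.exe", "CommandLine": "tscon 3 /dest:console",
     "User": r"CORP\helpdesk", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "User": r"CORP\alice", "ParentImage": r"C:\Windows\explorer.exe"},
]

# Tools commonly used to launch something as SYSTEM (assumed list; extend per environment).
SERVICE_LAUNCHERS = ("\\sc.exe", "\\psexec.exe", "\\psexec64.exe", "\\psexesvc.exe")


def rdp_hijack_alerts(events):
    """Flag tscon running as SYSTEM, and tscon being staged through a service or PsExec."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        user = ev.get("User", "").upper()
        if image.endswith("\\tscon.exe") and user.endswith("\\SYSTEM"):
            alerts.append({"rule": "tscon executed as SYSTEM",
                           "user": ev["User"], "command": ev["CommandLine"]})
        elif image.endswith(SERVICE_LAUNCHERS) and "tscon" in cmd:
            alerts.append({"rule": "tscon staged through a service",
                           "user": ev["User"], "command": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in rdp_hijack_alerts(SAMPLE_PROCESS_EVENTS):
        print(alert)
```

The second rule fires on the staging step, which is the earlier of the two signals and the one that names the interactive account doing the hijacking. Pair either hit with the 4778/4779 session reconnect events on the same host to identify which user's session was taken.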
Pass-the-hash (PtH) attacks use NTLM hash values to authenticate as a legitimate user without the plaintext password: the hash is all the NTLM challenge-response needs, so it is used in lieu of the password. Attackers obtain the hashes through credential dumping and then use them to access systems via protocols like SMB, WMI or WinRM; RDP accepts a hash only where Restricted Admin mode is enabled.
The attacker leverages PtH attacks to pivot across networks, bypassing password complexity requirements and authentication mechanisms. This technique is particularly effective in environments with shared local administrator credentials.
Mitigating PtH attacks requires isolating high-value systems, enforcing unique local administrator passwords on every endpoint (LAPS does this), and disabling NTLM authentication where possible. However, legacy systems and operational requirements often prevent complete implementation of these measures.
Even with these controls, attackers can use advanced evasion techniques to blend PtH activity with normal network traffic, delaying detection and response.
In pass-the-ticket (PtT) attacks, adversaries steal Kerberos tickets from a system's memory and reuse them to access resources. Tools like Mimikatz facilitate this by extracting ticket-granting tickets (TGTs) or service tickets and injecting them into another logon session.
Once injected, a stolen ticket authenticates the attacker as the ticket's owner for as long as it remains valid; the KDC and the target service see nothing but a valid ticket, so no password is needed and the movement is hard to tell apart from the owner's own activity. APT29’s use of PtT attacks highlights their efficacy in environments with weak Kerberos monitoring, enabling long-term persistence.
Monitoring Kerberos traffic and reducing ticket lifetimes are critical steps, but they are rarely enough on their own: an attacker can still operate within the validity window of a stolen ticket, so real-time detection is essential. Forged Golden Tickets survive until the krbtgt account password is rotated, and it must be rotated twice because the KDC also honors the previous key.
Advanced solutions attempt to analyze behavioral anomalies within authentication patterns, but they often require significant expertise and resources to deploy effectively. The risk of false positives is unfortunately high. This leaves gaps that attackers exploit to persist undetected.
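The behavioral analysis need not be exotic. On the domain controllers, Event 4768 records every TGT issued and Event 4769 every service ticket, both with the client's address. A client that presents a TGT the DCs never issued to it is either replaying a stolen ticket or a forged one, and a forged ticket made with Mimikatz defaults is RC4-encrypted, which stands out in a domain that has moved to AES. The correlation below is an added example for this post, not Keystrike code; the DC events are constructed, the 10-hour window is the default TGT lifetime, and "AES-only domain" is an assumption you must confirm before enabling the RC4 rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # TicketEncryptionType of Mimikatz-forged tickets unless an AES key is supplied
AES256   = 0x12

# Constructed domain-controller events (4768 = TGT issued, 4769 = service ticket
# issued), not real logs. 4769 carries the account as user@REALM.
SAMPLE_KERBEROS = [
    {"ts": "2025-05-20T08:00:00", "EventID": 4768, "TargetUserName": "alice",                    "IpAddress": "10.0.0.10", "TicketEncryptionType": "0x12"},
    {"ts": "2025-05-20T09:00:00", "EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE",       "ServiceName": "cifs/fs01", "IpAddress": "10.0.0.10", "TicketEncryptionType": "0x12"},
    # alice's TGT, lifted from her workstation's memory, is replayed from
    # 10.0.0.99: the DCs never issued a TGT to that client, yet it presents one.
    {"ts": "2025-05-20T09:30:00", "EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE",       "ServiceName": "cifs/fs01", "IpAddress": "10.0.0.99", "TicketEncryptionType": "0x12"},
    # A forged Golden Ticket: no TGT request at all, and RC4 in an AES-only domain.
    {"ts": "2025-05-20T09:40:00", "EventID": 4769, "TargetUserName": "administrator@CORP.EXAMPLE", "ServiceName": "ldap/dc01", "IpAddress": "10.0.0.99", "TicketEncryptionType": "0x17"},
]


def kerberos_ticket_alerts(events, tgt_lifetime=timedelta(hours=10), aes_only=True):
    """Flag 4769s whose (account, client) pair has no 4768 inside the TGT lifetime,
    and, in an AES-only domain, any RC4-encrypted service ticket."""
    tgts = defaultdict(list)                     # (account, client IP) -> TGT issue times
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["ts"])
        account = ev["TargetUserName"].split("@")[0].lower()
        etype = int(ev["TicketEncryptionType"], 16)
        if ev["EventID"] == 4768:
            tgts[(account, ev["IpAddress"])].append(ts)
            continue
        if ev["EventID"] != 4769:
            continue
        reasons = []
        issued = tgts.get((account, ev["IpAddress"]), [])
        if not any(timedelta(0) <= ts - t <= tgt_lifetime for t in issued):
            reasons.append("service ticket without a TGT issued to this client")
        if aes_only and etype == RC4_HMAC:
            reasons.append("RC4 ticket in an AES-only domain")
        if reasons:
            alerts.append({"account": account, "client": ev["IpAddress"],
                           "service": ev["ServiceName"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in kerberos_ticket_alerts(SAMPLE_KERBEROS):
        print(alert)
```

Run this over events from all domain controllers together: a TGT issued by DC01 and spent against DC02 is legitimate, and a per-DC view would flag every such client. Note also what the RC4 rule does not catch: a Golden Ticket forged with the krbtgt AES key looks like any other AES ticket, which is why the "no TGT for this client" rule is the one to keep even after the RC4 noise is gone.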
Attackers use USB drives preloaded with malware to reach isolated or air-gapped systems. When a person inserts a compromised drive, autorun (on older systems), a file-handling flaw, or a manually executed file deploys the payload. Stuxnet demonstrated this method’s potential: it spread on USB drives by exploiting a Windows shortcut (LNK) parsing flaw that ran its code as soon as the drive’s contents were displayed, and went on to compromise industrial control systems. This technique bypasses network-based defenses, relying on physical access and human error to spread.
Restricting USB port usage through device control policies reduces the risk, but operational needs often limit strict enforcement. Even with such controls, attackers use social engineering to trick staff into bypassing them. Air-gapped systems are believed to be secure, but they still need data carried in and out, and they remain vulnerable to these attacks unless additional physical and process controls are in place.
Shared network folders often serve as unintended attack vectors. Adversaries plant malicious files disguised as legitimate documents, tricking your employees into downloading and executing them. The DarkHotel group utilized this approach, embedding spyware in shared folders to target high-value individuals. Misconfigured folder permissions and inadequate file integrity monitoring amplify the risk, enabling malware to proliferate across connected systems.
Enforcing strict permissions and regularly auditing shared folder contents are necessary but challenging, especially in large organizations. Attackers often exploit the difficulty of balancing collaboration with security, embedding malicious files in high-traffic locations. While file integrity monitoring tools can detect changes, they are only as effective as the rules governing them, leaving room for subtle, undetected tampering.
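Since the rules are what make file integrity monitoring useful, here is what a minimal rule set for a shared folder looks like in practice: hash every file for a baseline, then on each pass rank what changed, with a new executable, shortcut or script on the share (especially one hiding behind a document extension like `Invoice.pdf.exe`) ranked above a changed document. This is an added example for this post, not Keystrike code or a product feature; it builds a throwaway share in a temporary directory and the file names and extension list are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions that have no business appearing unannounced on a document share (assumed list).
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".lnk", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".com"}


def snapshot(root):
    """Map each file's path (relative, forward slashes) to its SHA-256 digest."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            snap[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def classify_new(rel):
    suffixes = Path(rel).suffixes                 # ["Invoice.pdf.exe"] -> [".pdf", ".exe"]
    ext = suffixes[-1].lower() if suffixes else ""
    if ext in EXECUTABLE_EXT and len(suffixes) > 1:
        return "high", "executable with a document-looking double extension"
    if ext in EXECUTABLE_EXT:
        return "high", "new executable, shortcut or script on the share"
    return "info", "new document"


def diff_snapshots(baseline, current):
    """Return (severity, path, reason) findings for everything that changed."""
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            sev, why = classify_new(rel)
            findings.append((sev, rel, why))
        elif baseline[rel] != digest:
            sev = "high" if Path(rel).suffix.lower() in EXECUTABLE_EXT else "medium"
            findings.append((sev, rel, "content changed since baseline"))
    for rel in baseline:
        if rel not in current:
            findings.append(("low", rel, "file removed"))
    return findings


def run_demo():
    """Build a small share, baseline it, taint it the way an attacker would, and diff."""
    with tempfile.TemporaryDirectory() as d:
        share = Path(d)
        (share / "Finance").mkdir()
        (share / "Finance" / "Q2-report.docx").write_bytes(b"legit report")
        (share / "Tools").mkdir()
        (share / "Tools" / "setup.exe").write_bytes(b"MZ...vendor installer")
        baseline = snapshot(share)

        # Tainting: a double-extension dropper, a shortcut that runs cmd, and a
        # trojanised copy of the installer everyone already trusts.
        (share / "Finance" / "Invoice.pdf.exe").write_bytes(b"MZ...dropper")
        (share / "Finance" / "Q2-report.lnk").write_bytes(b"L\x00\x00\x00shortcut to cmd.exe")
        (share / "Tools" / "setup.exe").write_bytes(b"MZ...trojanised installer")
        return diff_snapshots(baseline, snapshot(share))


if __name__ == "__main__":
    for finding in sorted(run_demo()):
        print(finding)
```

Store the baseline somewhere the share's users cannot write, or an attacker with write access simply rebaselines their own files. The double-extension rule is deliberately crude (a version string such as `setup.v1.2.exe` also trips it), which is the trade-off the text describes: loosen the rules and the subtle tampering slips through.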
In supply chain attacks, adversaries compromise trusted software distributors to insert malicious code into legitimate updates. Employees and contractors install these updates unknowingly, deploying malware across their systems; believing they are improving their security posture by patching, they are doing the opposite.
The NotPetya attack exploited M.E.Doc’s software update mechanism, spreading destructive payloads globally. These attacks exploit the inherent trust that employees and administrators place in software vendors, making them particularly insidious and hard to detect.
Verification of software updates through cryptographic signing and secure distribution channels is the standard defense against supply chain attacks. Yet attackers often compromise the process at the source, where the signing happens, bypassing these measures entirely. The elaborate takeover of maintenance of the open-source xz/liblzma project in 2024 showed how a backdoor could be implanted by a supposedly trustworthy contributor: on several Linux distributions the OpenSSH server links libsystemd, which in turn loads liblzma, so the backdoored library ran inside sshd.
Organizations that rely on third-party software face the challenge of vetting every vendor’s security practices, which is time-consuming and often incomplete. Even when issues are detected, the damage may already be widespread, making mitigation a reactive rather than proactive process.
Blocking lateral movement isn’t just a technical challenge - it’s a battle of awareness, strategy, and persistence. Moreover, as the figure shows, lateral movement is a bottleneck for attackers: denying the relatively few strategies available to adversaries can prevent the “expand” after the “land”. By understanding the 9 techniques, you’re equipping yourself with the insights needed to understand, detect, mitigate, and respond to some of the most widely exploited vectors in cybersecurity.
If you want to go deeper into defending your networks, check out these valuable resources:
Understanding the enemy’s playbook is how we stay one step ahead. Let’s make it harder for attackers to move, pivot, and succeed. Dive in, stay vigilant, and protect what matters.
We would be remiss if we didn't mention how Keystrike solves these challenges. Instead of building on quicksand with constantly adapting attacks, we’ve solved the problem by securing user sessions to prevent many of the attacks described here. Click here to find out how to block lateral movement by attackers.
Try Keystrike in Your Environment for 30 Days