Lateral Movement
1 Global Definition
Lateral Movement is the process attackers use after compromising one machine in a network to spread to other systems and gain deeper access. It allows adversaries to expand control, locate sensitive data, escalate privileges, and establish persistence. This stage is a critical step in the post-exploitation phase of the cyber kill chain.
1.1 Key Concepts
- Pivoting: Using a compromised system as a launchpad to access other internal resources.
- Credential Reuse: Harvesting stolen usernames/passwords to authenticate into new systems.
- Pass-the-Hash: Using NTLM hash values directly without knowing the plaintext password.
- Remote Execution: Running commands on other systems through legitimate services (e.g., SMB, RDP, WMI).
- Persistence: Ensuring continued access even if the original entry point is removed.
1.2 Common Techniques
- Windows Admin Shares: Attackers exploit SMB shares like
C$orADMIN$to copy tools and execute them remotely. - Remote Desktop Protocol (RDP): Gaining access to other hosts by brute forcing or using stolen credentials.
- Windows Management Instrumentation (WMI): Executing commands remotely across Windows systems.
- Remote PowerShell: Leveraging PowerShell remoting to manage or compromise other systems.
- Unix/Linux Lateral Movement: Using SSH keys or reusing weak credentials.
1.3 Tools & Frameworks
- Mimikatz: Extracts plaintext passwords, hashes, and Kerberos tickets from memory.
- Impacket: A Python toolkit with modules for SMB, Kerberos, and remote execution.
- BloodHound: Maps Active Directory relationships to identify attack paths.
- PsExec: Sysinternals tool often abused for remote code execution over SMB.
- Empire: Post-exploitation framework supporting PowerShell and Python agents for lateral movement.
1.4 Defense & Detection
- Implement network segmentation so attackers canβt easily pivot between systems.
- Use SIEM to correlate unusual authentication patterns.
- Enable multi-factor authentication (MFA) to reduce credential reuse attacks.
- Deploy honeypot accounts to detect when attackers attempt unauthorized lateral logins.
- Monitor remote execution tools (PsExec, WMI, RDP) for abnormal use.
1.5 Why It Matters
Lateral Movement is how attackers transform a single compromised machine into a network-wide breach. Once inside, they aim to access domain controllers, critical servers, or sensitive databases. Detecting and disrupting lateral movement early can prevent ransomware deployment, insider threat abuse, and large-scale data exfiltration.
1.6 Practical Examples
Example 1 β Using PsExec to Move Laterally
psexec \\192.168.1.20 -u Admin -p Password123 cmd.exe
This command tries to open a remote command prompt on 192.168.1.20
using stolen credentials.
If successful, the attacker can run commands as the Admin user.
Example 2 β Pass-the-Hash Attack
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 \
[email protected]
Here the attacker doesnβt know the password. Instead, they use a stolen NTLM hash to authenticate against another host.
Example 3 β PowerShell Remoting
Enter-PSSession -ComputerName FILESERVER -Credential DOMAIN\User
With valid domain credentials, an attacker can open a remote PowerShell session to manage or compromise another server.
Example 4 β Linux SSH Key Reuse
ssh -i id_rsa [email protected]
If attackers steal a private key file (id_rsa), they can authenticate into another Linux server without needing a password.
Example 5 β BloodHound Attack Path
BloodHound may reveal that a low-privileged user has indirect rights leading to Domain Admin. Example path:
- User A can RDP into Server B
- Server B has cached Domain Admin credentials
- Attacker extracts creds β escalates to Domain Admin