Views

Lateral Movement

1 Global Definition

Lateral Movement is the process attackers use after compromising one machine in a network to spread to other systems and gain deeper access. It allows adversaries to expand control, locate sensitive data, escalate privileges, and establish persistence. This stage is a critical step in the post-exploitation phase of the cyber kill chain.

1.1 Key Concepts

  • Pivoting: Using a compromised system as a launchpad to access other internal resources.
  • Credential Reuse: Harvesting stolen usernames/passwords to authenticate into new systems.
  • Pass-the-Hash: Using NTLM hash values directly without knowing the plaintext password.
  • Remote Execution: Running commands on other systems through legitimate services (e.g., SMB, RDP, WMI).
  • Persistence: Ensuring continued access even if the original entry point is removed.

1.2 Common Techniques

  1. Windows Admin Shares: Attackers exploit SMB shares like C$ or ADMIN$ to copy tools and execute them remotely.
  2. Remote Desktop Protocol (RDP): Gaining access to other hosts by brute forcing or using stolen credentials.
  3. Windows Management Instrumentation (WMI): Executing commands remotely across Windows systems.
  4. Remote PowerShell: Leveraging PowerShell remoting to manage or compromise other systems.
  5. Unix/Linux Lateral Movement: Using SSH keys or reusing weak credentials.

1.3 Tools & Frameworks

  • Mimikatz: Extracts plaintext passwords, hashes, and Kerberos tickets from memory.
  • Impacket: A Python toolkit with modules for SMB, Kerberos, and remote execution.
  • BloodHound: Maps Active Directory relationships to identify attack paths.
  • PsExec: Sysinternals tool often abused for remote code execution over SMB.
  • Empire: Post-exploitation framework supporting PowerShell and Python agents for lateral movement.

1.4 Defense & Detection

  • Implement network segmentation so attackers can’t easily pivot between systems.
  • Use SIEM to correlate unusual authentication patterns.
  • Enable multi-factor authentication (MFA) to reduce credential reuse attacks.
  • Deploy honeypot accounts to detect when attackers attempt unauthorized lateral logins.
  • Monitor remote execution tools (PsExec, WMI, RDP) for abnormal use.

1.5 Why It Matters

Lateral Movement is how attackers transform a single compromised machine into a network-wide breach. Once inside, they aim to access domain controllers, critical servers, or sensitive databases. Detecting and disrupting lateral movement early can prevent ransomware deployment, insider threat abuse, and large-scale data exfiltration.

1.6 Practical Examples

Example 1 – Using PsExec to Move Laterally


  psexec \\192.168.1.20 -u Admin -p Password123 cmd.exe
  

This command tries to open a remote command prompt on 192.168.1.20 using stolen credentials. If successful, the attacker can run commands as the Admin user.

Example 2 – Pass-the-Hash Attack


  impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 \
  [email protected]
  

Here the attacker doesn’t know the password. Instead, they use a stolen NTLM hash to authenticate against another host.

Example 3 – PowerShell Remoting


  Enter-PSSession -ComputerName FILESERVER -Credential DOMAIN\User
  

With valid domain credentials, an attacker can open a remote PowerShell session to manage or compromise another server.

Example 4 – Linux SSH Key Reuse


  ssh -i id_rsa [email protected]
  

If attackers steal a private key file (id_rsa), they can authenticate into another Linux server without needing a password.

Example 5 – BloodHound Attack Path

BloodHound may reveal that a low-privileged user has indirect rights leading to Domain Admin. Example path:

  • User A can RDP into Server B
  • Server B has cached Domain Admin credentials
  • Attacker extracts creds β†’ escalates to Domain Admin

Share and Join the Discussion

You need to be logged in to participate in this discussion.

×
×