← All terms
Lateral Movement

What is Lateral Movement?

Lateral movement is how attackers expand from one compromised system to others, reusing credentials and trust relationships to reach valuable targets.

Last updated: 15 July 2026

How lateral movement works

Initial access rarely lands an attacker where the value is. A phished workstation or a brute-forced edge server is a starting point; the data, backups and domain controllers live elsewhere. Lateral movement is the phase in which the attacker turns one foothold into many, hopping between systems until they reach their objective.

The mechanics rely overwhelmingly on legitimate functionality rather than exploits. Attackers harvest credentials cached on the first machine, passwords, hashes, Kerberos tickets, SSH keys and session tokens, and reuse them over normal administration channels such as remote desktop, SMB, remote management frameworks and SSH. Each new system yields fresh credentials, often more privileged than the last, and the cycle repeats. Because the traffic looks like routine administration, this phase can continue for weeks without triggering alarms.

Why it matters

The gap between one compromised laptop and a full-domain ransomware event is lateral movement. Stopping it determines whether an incident is a contained cleanup or a company-wide crisis. Analyses of major intrusions consistently show attackers spending most of their dwell time in this phase, mapping the network and accumulating credentials before acting.

Flat networks and standing administrative access are what make it cheap. When one local administrator password is reused across hundreds of endpoints, or when domain admins log into ordinary workstations and leave credentials in memory, each hop costs the attacker almost nothing. Conversely, environments that segment networks and eliminate standing privilege force attackers into noisy, detectable behavior.

How to limit lateral movement

Defense aims to make every hop expensive. Network segmentation and host firewalls remove direct workstation-to-workstation paths and restrict administration to dedicated channels. Unique local administrator passwords per machine stop one credential from opening an entire fleet, and tiered administration keeps domain-level credentials off lower-trust systems where they could be harvested.

Privileged access controls compound these gains: vaulted credentials that users never see cannot be stolen from their machines, just-in-time elevation means there is often no standing admin access to abuse, and routing administrative sessions through a recorded gateway such as Monopam creates both a chokepoint and an audit trail. Detection then watches for the movement itself: logons between unusual system pairs, credential use outside normal hours and administration tools appearing on machines that never ran them.

Frequently asked questions

Is lateral movement always preceded by privilege escalation?
Not necessarily; the two interleave. An attacker may move laterally with ordinary user credentials to reach a system where escalation is possible, then use the elevated rights to move further. Breaking either link, blocking the hops or denying the escalation, disrupts the whole chain.
Why is lateral movement hard to detect?
Because it uses the same protocols, tools and credentials as legitimate administration. A remote desktop logon with valid credentials is normal in isolation; it becomes suspicious only in context, such as an account touching systems it never used before. Detection therefore depends on baselining normal behavior and correlating events across systems.