Lateral Movement
What is Lateral Movement?
Lateral Movement: The MITRE ATT&CK tactic (TA0008) covering techniques that let an attacker pivot from one compromised host to others across the environment.
Lateral Movement (MITRE ATT&CK tactic TA0008) groups techniques attackers use to expand their foothold by moving from an initial host to other systems, accounts, or cloud tenants. Common techniques include pass-the-hash, pass-the-ticket, overpass-the-hash, RDP and SSH hijacking, exploiting remote services (SMB, WinRM, WMI, PsExec), abusing tools like Cobalt Strike, and replaying valid OAuth or SAML tokens against cloud APIs. Lateral movement is often the loudest stage of an intrusion in terms of telemetry because it crosses host boundaries. Defenders rely on network segmentation, identity tiering, just-in-time admin, MFA on remote protocols, EDR correlation across hosts, and Sigma/MDE detections for SMB and RPC pivots.
● Examples
- 01: Using pass-the-hash with a captured NTLM hash to authenticate to a file server.
- 02: Stealing an RDP session cookie to jump from a workstation to a jump box.
● Frequently asked questions
What is Lateral Movement?
The MITRE ATT&CK tactic (TA0008) covering techniques that let an attacker pivot from one compromised host to others across the environment. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Lateral Movement?
Defences for Lateral Movement typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Lateral Movement?
Common alternative names include: Pivoting, Internal movement.
● Related terms
- MITRE ATT&CK (compliance, № 687): A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- Credential Access (defense-ops, № 229): The MITRE ATT&CK tactic (TA0006) that covers techniques used to steal account names, passwords, tokens, and other secrets.
- Cobalt Strike (defense-ops, № 193): A commercial adversary-simulation platform widely used for red-team operations and frequently abused by threat actors for post-exploitation and command-and-control.
- Active Directory (identity-access, № 013): Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization, and policy management for users, computers, and resources.
- Discovery (MITRE Tactic) (defense-ops, № 325): The MITRE ATT&CK tactic (TA0007) covering techniques attackers use to learn about a compromised environment after gaining access.
- Network Segmentation (network-security, № 723): The practice of splitting a network into multiple zones with controlled traffic between them to contain breaches and enforce least privilege.
● See also
- BloodHound (№ 107)
- Pass-the-Hash (№ 790)
- SSH Agent Forwarding (№ 1088)
- Deception Technology (№ 293)