Lateral movement describes the techniques an attacker uses to navigate a network after gaining an initial foothold: moving from one compromised system to others in order to reach more valuable targets, such as domain controllers, file servers, or databases.

Once inside, an attacker enumerates the local system for stored credentials, cached tokens, and configuration files that grant access elsewhere. Common techniques include pass-the-hash, which reuses a captured NTLM hash, and pass-the-ticket, which reuses a captured Kerberos ticket; both let the attacker authenticate to other systems without ever knowing the underlying password. NTLM in particular has long been a reliable vector for this kind of credential reuse, which is one reason restricting or disabling legacy NTLM authentication remains an important hardening step (audit NTLM usage before blocking it, since older applications and appliances often still depend on it).

Attackers frequently rely on tools and protocols that are already present in a Windows environment, including Remote Desktop Protocol (RDP), Windows Management Instrumentation (WMI), PsExec, and PowerShell remoting. Because these are legitimate administrative tools, their use blends in with normal operational traffic, making lateral movement difficult to detect without robust logging and behavioural monitoring in place. This approach is commonly referred to as “living off the land”.
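Because the credential-reuse techniques above and the living-off-the-land tooling here both leave traces in standard Windows event logs, the following added example (not code from the original page) shows the kind of detection logic a security operations team would run over those logs. The events are constructed, simplified records modelled on 4624 (logon), 7045 (service installed) and 4688 (process created); real records carry many more fields. The field names, the account and host names, and the fan-out threshold are all assumptions made for the illustration.

```python
"""Toy lateral-movement detector over constructed Windows event records.

Added example; not the page's or any product's code. Three rules:
  1. NTLM network logons (4624, LogonType 3, AuthPkg NTLM): pass-the-hash
     arrives as exactly this kind of logon.
  2. Remote execution indicators: a PSEXESVC service install (7045) and a
     process whose parent is WmiPrvSE.exe (4688), i.e. WMI-spawned commands.
  3. Fan-out: one account performing network logons to many distinct hosts
     inside a short window, which is how a moving attacker looks from the DC.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (synthetic; field names are assumptions loosely
# based on the Security and System log XML, not real log output).
EVENTS = [
    {"time": "2024-03-01T09:00:05", "id": 4624, "host": "WS01", "user": "svc_backup",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.15"},
    {"time": "2024-03-01T09:01:10", "id": 4624, "host": "WS02", "user": "svc_backup",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.15"},
    {"time": "2024-03-01T09:02:40", "id": 4624, "host": "FS01", "user": "svc_backup",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "10.0.0.15"},
    {"time": "2024-03-01T09:02:41", "id": 7045, "host": "FS01", "user": "svc_backup",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-03-01T09:03:00", "id": 4688, "host": "WS02", "user": "svc_backup",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Benign noise: an interactive console logon and a single Kerberos network logon.
    {"time": "2024-03-01T09:05:00", "id": 4624, "host": "DC01", "user": "jdoe",
     "logon_type": 2, "auth_pkg": "Kerberos", "src_ip": "127.0.0.1"},
    {"time": "2024-03-01T09:06:00", "id": 4624, "host": "FS01", "user": "jdoe",
     "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "10.0.0.22"},
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def ntlm_network_logons(events):
    """Rule 1: network (type 3) logons authenticated with NTLM."""
    return [e for e in events
            if e["id"] == 4624 and e.get("logon_type") == 3 and e.get("auth_pkg") == "NTLM"]


def remote_exec_indicators(events):
    """Rule 2: PsExec-style service installs and WMI-spawned processes."""
    hits = []
    for e in events:
        if e["id"] == 7045 and "PSEXESVC" in e.get("service_name", "").upper():
            hits.append(("psexec_service", e))
        elif e["id"] == 4688 and e.get("parent_image", "").lower().endswith("wmiprvse.exe"):
            hits.append(("wmi_spawned_process", e))
    return hits


def fan_out(events, window=timedelta(minutes=10), threshold=3):
    """Rule 3: accounts whose network logons reach >= threshold distinct hosts
    within any window-sized interval. Returns {user: sorted hosts}."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            by_user[e["user"]].append((parse_time(e["time"]), e["host"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        for start, _ in logons:  # slide the window from each logon in turn
            hosts = {h for t, h in logons if start <= t <= start + window}
            if len(hosts) >= threshold:
                flagged[user] = sorted(hosts)
                break
    return flagged


def report(events):
    """Summarise all three rules; an analyst would feed this into alerting."""
    return {
        "ntlm_network_logons": len(ntlm_network_logons(events)),
        "remote_exec": [kind for kind, _ in remote_exec_indicators(events)],
        "fan_out": fan_out(events),
    }


if __name__ == "__main__":
    for key, value in report(EVENTS).items():
        print(f"{key}: {value}")
```

None of these rules is a confirmed-intrusion signal on its own: NTLM is still legitimately used in many estates, and administrators run PsExec and WMI every day. The value comes from correlation (the same account hitting several hosts, followed by a service install and a WMI-spawned shell minutes later) and from a baseline of what is normal for each account. Note also that 4688 only carries useful parent and command-line data when process-creation auditing is enabled, and 7045 lives in the System log rather than the Security log.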

As an attacker moves laterally they build up a picture of the network and escalate their privileges progressively until they reach their objective. In Active Directory environments, compromising a domain controller typically means a full compromise of the organisation’s identity infrastructure, since the domain controller holds the credential material for every account in the domain.

Most real-world data breaches involve lateral movement: the initial intrusion (whether through phishing, an exposed vulnerability, or compromised credentials) gives the attacker a foothold, often on a low-value endpoint. The actual impact of an attack (exfiltration of sensitive data, deployment of ransomware, or sabotage of critical systems) happens after lateral movement has taken place. Perimeter security alone is therefore insufficient: once an attacker is inside, the internal network needs to be treated as untrusted.

Internal penetration testing specifically assesses how far an attacker could move within your environment after gaining a foothold, and is the most direct way to understand your exposure to lateral movement techniques. Red team engagements go further by simulating full multi-stage attack campaigns that include lateral movement alongside social engineering and physical access, to test whether your security operations team can detect and contain an attack in progress.