Skip to main content
ThreatsXDRSIEMFirewall

What is Lateral Movement?

Lateral movement is the attack phase where adversaries expand access from an initial foothold to additional systems, using compromised credentials, exploits, or trusted protocol abuse to reach higher-value targets.

Definition

Lateral Movement
Lateral movement is the attack phase where adversaries expand access from an initial foothold to additional systems, using compromised credentials, exploits, or trusted protocol abuse to reach higher-value targets.

How Lateral Movement Works

After establishing an initial foothold via phishing, exploit, or compromised credentials, attackers rarely have immediate access to their ultimate target. Lateral movement bridges the gap. Common techniques: Pass-the-Hash (using captured NTLM hashes without knowing plaintext), Pass-the-Ticket (Kerberos ticket theft and reuse), remote execution tools (PsExec, WMI, PowerShell remoting), legitimate remote protocols (RDP, SSH, VNC), and exploitation of trust relationships between systems.

Attackers try to blend with normal administrative traffic, using the same protocols admins use (SMB, WMI, RDP) but in anomalous patterns: connecting to systems outside normal scope, at unusual hours, or in rapid sequences. Behavioral detection (NDR, UEBA) is more effective than signature detection for lateral movement.

Network segmentation is the primary architectural control: if systems are segmented and only allowed to communicate with required services, a compromised workstation cannot directly reach servers in a different segment.

Lateral Movement in SOC Operations

Lateral movement detection is critical because it represents the attacker expanding access before achieving their objective. Detecting lateral movement early, before the attacker reaches domain controllers, backup systems, or sensitive data stores, dramatically limits blast radius. You investigate by correlating authentication logs, network connections, and remote execution events across multiple hosts to map the movement path.

Free forever

Practice Lateral Movement in a Real SOC

SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating lateral movement scenarios with zero consequences — free forever.

Start Free — No Credit CardTry Shift Mode

Related Terms

Privilege EscalationThreats

Privilege escalation is how an attacker gains higher access rights than initially obtained: standard...

PersistenceThreats

Persistence refers to techniques adversaries use to maintain access across reboots, credential chang...

Command and ControlThreats

Command and Control (C2) refers to the infrastructure and communication channels adversaries use to ...

NDRTools

Network Detection and Response (NDR) is a security platform that passively monitors network traffic ...

Zero TrustConcepts

Zero Trust is a security architecture philosophy based on "never trust, always verify," requiring co...

More Threats Terms

PhishingBrute Force AttackPrivilege EscalationPersistenceCommand and ControlExfiltrationAll Threats

Related SOC Training Resources

Career Path

Threat Hunter Career Guide — Salary & Skills

Threat Hunters do not wait for alerts. You develop hypotheses based on threat intelligence and adversary behavior models…

Read more Career Path

Incident Responder Career Guide — Salary & Skills

Incident Responders lead the technical response when confirmed breaches happen. You coordinate containment, run forensic…

Read more Career Path

SOC Analyst (Tier 2) Career Guide — Salary & Skills

Tier 2 SOC Analysts handle the investigations that Tier 1 escalates. You dig into multi-stage attacks, coordinate contai…

Read more Comparison

SOCSimulator vs Hack The Box — Comparison

Different tools for different career paths. SOCSimulator trains defensive analysts. Hack The Box trains offensive securi…

Read more Comparison

SOCSimulator vs TryHackMe — Comparison

SOCSimulator is the better tool for dedicated SOC analyst preparation. TryHackMe is the better tool for broad cybersecur…

Read more Tool

XDR Training Console — SOCSimulator

The XDR console in SOCSimulator replicates the investigation workflow of platforms like CrowdStrike Falcon, Microsoft De…

Read more Tool

SIEM Training Console — SOCSimulator

The SIEM console in SOCSimulator replicates the workflow of enterprise platforms like Splunk Enterprise Security, Micros…

Read more Tool

Firewall Training Console — SOCSimulator

The Firewall console in SOCSimulator replicates the log analysis experience of enterprise platforms like Palo Alto Netwo…

Read more Technique

MITRE ATT&CK Techniques — Detection Training Library

Browse all MITRE ATT&CK techniques with detection strategies and example alerts.

Read more Career Path

Cybersecurity Career Paths — 2026 Guide

Explore SOC analyst career paths with salary data, required skills, and certification roadmaps.

Read more Playbook

SOC Investigation Playbooks — Step-by-Step Guides

Practitioner investigation playbooks with decision trees and real SIEM queries.

Read more Feature

Shift Mode — Real-Time SOC Simulation

Practice alert triage under realistic time pressure with SLA timers and noise injection.

Read more

We use cookies to improve your experience and measure usage. Learn more