Suleyman Ozarslan, PhD | 17 MIN READ

LAST UPDATED ON APRIL 16, 2025

Lateral Movement Attacks 101

Organizations primarily focus on defending the perimeter of their network and often overlook the security of their internal assets. However, both the effectiveness of an organization's security infrastructure and an adversary's ability to accomplish their objectives depend heavily on whether lateral movement techniques succeed. Studies reveal that although lateral movement accounts for 80% of adversaries' attack time, SIEM products identify these attacks poorly [1]. Other research shows that 54% of the tactics and techniques used to test lateral movement were missed, and 96% of lateral movement behaviors did not trigger a corresponding alert on security controls [2]. In other words, organizations are fighting lateral movement attacks almost blindly.

Considering the devastating financial and reputational outcomes of targeted attack campaigns such as cyber espionage, data exfiltration, and ransomware, organizations benefit significantly from being prepared against lateral movement. In this blog, we explain what lateral movement is and why lateral movement techniques are a prevalent practice among adversaries.


What Is Lateral Movement?

Lateral Movement is an umbrella term that refers to a collection of techniques that adversaries use to extend their access and progressively move through the compromised network. It may also help attackers elevate their privileges to the administrator level and gain control of multiple assets within the organization's network to accomplish their objectives.

Sophisticated attackers like Advanced Persistent Threat (APT) actors perform targeted and objective-oriented attack campaigns. Even though these objectives can vary from getting financial gain to harming the reputation of organizations or even countries, every adversary wants a higher impact while staying hidden and persistent in the compromised network. Thus, getting a foothold on the targeted system is only the first step, and a patient-zero - the initially accessed machine - does not provide much to an adversary all by itself. After attackers get initial access via 

  • a public-facing server running a vulnerable service
  • a client computer, or 
  • any weak point on the security infrastructure, 

they are unaware of their surroundings. They usually have no idea about the organization's infrastructure: which network segment they are in, how the compromised host fits into the organizational environment, which hosts or services are up and running, and so on.

Figure 1. How Do Attackers Get Into the Corporate Network? [3]

Thus, jumping into and compromising other machines within the organization's internal network is only possible through a successful discovery phase. Discovery techniques allow adversaries to harvest critical information about the organization's infrastructure, domain users, machine accounts, servers, group policies, and OS credentials. Gathering this critical information allows adversaries to plan the most effective and stealthy follow-up actions of the lateral movement attack. 

Stages of Lateral Movement

Lateral movement attacks typically have several steps that progressively allow adversaries to expand their reach within a compromised network.  

  • Initial Access Stage

The first stage begins once an attacker achieves initial access to a system, which can happen in several ways. They might exploit a vulnerable service running on a public-facing server, compromise a user's workstation through phishing or malware, or take advantage of weak or misconfigured security controls somewhere else in the network. However, gaining this initial foothold is just the very beginning of the attack.

  • Discovery Stage

At this early point, attackers are essentially blind inside the environment. They may have successfully compromised a single system, but they typically know little to nothing about where they are in the broader organizational structure. They don't know whether they're on an isolated machine in a demilitarized zone (DMZ), inside a tightly monitored server network, or connected to critical internal systems. They are unaware of the network layout, the systems and services running nearby, the existing user accounts and their privileges, and the defenses that may be in place.

During discovery, they collect critical information about the internal network, including details about domain users, machine accounts, servers, operating systems, and network configurations. This reconnaissance phase is essential for planning further actions without triggering alarms.

  • Credential Access and Privilege Escalation Stage

After gathering sufficient information, attackers proceed to credential access and privilege escalation. They aim to harvest user credentials, especially those belonging to privileged accounts like domain administrators. Techniques like OS Credential Dumping, stealing password hashes from the Security Account Manager (SAM) database, or exploiting misconfigurations are often used. The goal at this stage is to obtain higher-level permissions that allow greater control over more systems, broadening the attacker's reach across the network.

  • Lateral Movement Stage

With privileged access secured, adversaries then move laterally. This stage involves hopping from system to system within the internal network, exploiting trust relationships between machines or leveraging stolen credentials to access more valuable assets. Each successful lateral move brings attackers closer to critical systems or sensitive data. Along the way, they often establish multiple footholds, ensuring they maintain persistence even if one access point is discovered and closed. Persistence strategies include creating new administrative accounts, implanting backdoors, or refreshing stolen credentials to survive system reboots and security interventions.

  • Impact Stage

Finally, adversaries reach the impact phase. By now, they have access to high-value systems and can execute their ultimate objective, whether it's stealing data, encrypting files for ransom, destroying critical information, or causing widespread disruption. Attackers often seek to maximize the damage they cause, for example, by corrupting backups, wiping disk structures, or extending the attack to cloud environments. Throughout the entire process, stealth remains a priority, allowing adversaries to operate undetected for as long as necessary to achieve their goals.

Each of these stages builds upon the previous one, forming a continuous chain that defines the lateral movement attack lifecycle. 

Why Do Adversaries Use Lateral Movement Attacks?

Lateral movement is prevalent in attack campaigns like ransomware and data exfiltration attacks. In fact, a quantitative analysis conducted by VMware, Lateral Movement in the Real World (2022), shows that 45% of intrusions contain a lateral movement event [4]. In this section, we will examine why adversaries leverage lateral movement attacks to learn more about the motivation behind this high statistic.

  • Accessing Valuable Assets

As mentioned earlier, APT groups perform goal-oriented actions rather than acting randomly. Even though these objectives can vary, adversaries aim to achieve them while staying hidden and persistent in the compromised network. Thus, rather than compromising a single asset, attackers prefer to expand their access through lateral movement techniques in search of the organization's most valuable assets, those containing sensitive information worth selling on the black market or holding for ransom.

However, there are several obstacles that an adversary has to overcome. If the sensitive information requires privileged access, how does an adversary get to the point of having complete control of the target system and exfiltrate and/or encrypt organization-related information? Well, this is where lateral movement techniques, the star of the show, come into the picture. 

An internal network, also known as an intranet, is a private enterprise local area network (LAN) designed to share company information securely and to host communication and collaboration tools, operational systems, and other computing services within an organization. Intranets can contain highly sensitive information in organizational assets such as network shares, user computers, servers, and directory services. Because internal networks are not publicly accessible, getting initial access to a low-privileged network segment such as the Demilitarized Zone (DMZ) is not enough on its own.

Hence, after adversaries get a foothold on the compromised machine, they need to expand their access and progressively move through the enterprise LAN to find where the most valuable assets and the non-public information reside.

As targeted attack campaigns like cyber espionage, data exfiltration, and ransomware attacks have a "the more, the merrier" mentality, it is no surprise that adversaries use lateral movement techniques to gain unauthorized access to internal networks to find sensitive information.

  • Remaining Persistent

In some cyberattack scenarios, adversaries need access to the victim's network for an extended period to achieve their objectives. Thus, adversaries use a collection of lateral movement techniques to maintain persistence in the network across reboots and changes to valid account credentials, surviving interruptions that would otherwise cut off their access.

For example, compromising a single or low-privileged account may not be enough for an adversary. Users can change their passwords, domain machines can be isolated by security staff as part of incident response, firewall rules and configurations can be updated to protect public-facing servers, machines can be taken down, and so on. Gaining a second initial access and redoing everything from scratch is neither practical nor attractive. Through lateral movement, adversaries remain persistent and maintain access to many machines and/or accounts across different network segments and domains on the compromised network.

The time that adversaries remain persistent on the target system can vary according to their objectives. In a ransomware campaign, adversaries may want to encrypt or exfiltrate files as soon as possible and might not care about remaining stealthy and persistent in the system for a long time. However, in a cyber espionage campaign, adversaries may need to remain persistent for an extended period of time and passively collect critical information. In that case, persistence is vital for the success of the attack.

In fact, some threat actors, especially state-sponsored ones, remain persistent on the target system for years. For instance, CozyBear/APT29, a Russian state-sponsored group, is known to have stayed persistent on an organization's network for two years. Maintaining access for such a long period takes effort: to avoid losing access, CozyBear periodically refreshed the valid account credentials it held by stealing the new ones, usually via Mimikatz.

These examples show that adversaries not only move laterally but also establish persistence in the compromised internal assets.

  • Gaining Privileged Accounts and Machines

A typical enterprise network comprises many hosts, services, and users with varying privileges to access sensitive information. Unless they have administrative access to the victim's network, adversaries often need to compromise users and assets with different privileges to achieve their objectives.

Adversaries combine lateral movement with credential access techniques to dump OS and domain credentials. The motivation behind these techniques is highly correlated with the attacker's objective and the impact they want to create. For instance, if adversaries seek complete control over the internal network and/or full access to the organization's directory services and sensitive information, administrative-level accounts are excellent targets. For example, the Security Account Manager (SAM) database is the target of the OS Credential Dumping: Security Account Manager sub-technique (T1003.002 under T1003). To recap, SAM is a database stored as a file on the local disk that holds information about local accounts, including the username and the hashed password (the NT hash, an unsalted MD4 of the UTF-16LE password). The SAM file is located at %systemroot%\system32\config\SAM and is mounted as the HKEY_LOCAL_MACHINE\SAM registry hive; the running OS keeps the file locked, which is why attackers read it through the registry, from memory, or from a volume shadow copy.

In an example attack scenario, upon initial access, adversaries run LDAP queries to enumerate the members of the Domain Admins group. This group's members are especially important and must be guarded carefully, as they have complete control over all domain objects, such as AD-joined computers, servers, services, and applications in the entire domain. With a list of privileged accounts and the machines they use, adversaries can dump NTLM hashes from those machines' SAM files using registry, in-memory, and volume shadow copy techniques. Note that the SAM only holds local accounts; domain account hashes are found in LSASS memory on hosts where the account has logged on and in NTDS.dit on domain controllers. For detailed information, please visit our blog post on Credential Dumping [5].

Obtaining privileged account credentials can lead to devastating results. For instance, while we were writing this blog post, Uber suffered from a massive data exfiltration attack, which appeared to have compromised all the internal systems of Uber. 

Analysis shows that an 18-year-old attacker launched an MFA fatigue attack, repeatedly sending multi-factor authentication (MFA) push requests to one of Uber's employees until they accepted a prompt, which gave the attacker VPN access to Uber's internal network [6]. After initial access, the attacker performed internal reconnaissance and found a network share. In that share were PowerShell scripts containing administrative credentials for a Privileged Access Management (PAM) tool. Using the secrets stored in the PAM tool, the attacker then gained access to Uber's critical internal systems, including the SentinelOne endpoint detection and response console, Google Cloud Platform, AWS, Duo, OneLogin, and Slack. In addition, the attacker claimed to have found critical vulnerability reports submitted through Uber's HackerOne bug bounty program.

Looking at this simple but effective attack path, one cannot help but notice how lateral movement allows an adversary to start from simple initial access and escalate to a point where the attacker has complete control over an organization's critical internal systems.

  • Increasing the Impact

While adversaries' goals can vary from disrupting business continuity, harming the victim's reputation, and cyber espionage to financial gain, one thing is common: adversaries want to create a bigger impact where possible, and lateral movement techniques are well suited to this purpose.

To exemplify this, think of a politically motivated adversary who wants to destroy data by irrecoverably overwriting files and/or directories with randomly generated data. Destroying data on a single asset with limited privileges may not have much of an impact on a large organization. As a result, sophisticated adversaries often move laterally in the network and compromise privileged accounts to have a bigger impact. In fact, there are cases where adversaries get initial access to an on-prem machine and manage to move laterally into the organization's cloud environments (cloud storage, cloud accounts, and so on) to destroy the organization's sensitive data or overwrite it with random bytes.

As another data destruction method, adversaries commonly use the MITRE ATT&CK T1561.001 Disk Wipe: Disk Structure Wipe technique in the wild [6], [7]. For instance, on January 13, 2022, shortly before Russia's full-scale invasion of Ukraine, MSTIC identified Master Boot Record (MBR) wiper activity targeting organizations in Ukraine [8]. The analysis describes a two-stage destructive malware aimed at multiple government, non-profit, and information technology organizations in the country. The first stage, stage1.exe, was executed via Impacket, a collection of Python classes adversaries often use for lateral movement. This stage overwrites the MBR of victim systems with a ransom note, which is nothing but a decoy: there is no recovery path, and the MBR is destroyed. Then, stage2.exe drops a file corrupter. Once executed in memory, the corrupter locates directories containing files with specific extensions on the target system and, for each matching file, "overwrites the contents of the file with a fixed number of 0xCC bytes" [8].

Which Cyber Attacks Use Lateral Movement?

Lateral movement is used in many different types of cyberattacks, especially those that are targeted, complex, and aimed at achieving a specific objective rather than causing immediate, visible damage. 

  • Ransomware

One of the most common types of attacks where lateral movement plays a central role is ransomware attacks. In modern ransomware campaigns, attackers no longer simply encrypt a single compromised machine. Instead, they move laterally across the network to identify and access the most valuable systems, such as critical servers or backup repositories. By expanding their reach before launching the encryption phase, attackers can maximize the disruption they cause and demand higher ransom payments.

  • Cyber Espionage

Cyber espionage campaigns are another major category where lateral movement is extensively used. In these attacks, adversaries, often state-sponsored groups, seek to remain inside a network for extended periods, quietly gathering sensitive information like intellectual property, confidential communications, or strategic plans. To do this effectively, they must move laterally to locate and access different systems where valuable data resides, all while maintaining a low profile to avoid detection.

  • Data Exfiltration

Data exfiltration attacks also heavily rely on lateral movement. In these cases, attackers may initially breach a system with minimal access, such as a low-privileged user account. To reach databases, document repositories, or other storage systems containing the data they want to steal, they must move laterally. This often involves escalating privileges, discovering the network layout, and hopping across various machines until they find their target.

How To Detect And Prevent Lateral Movement Attacks

Briefly, a holistic approach must be followed to defend against lateral movement attacks. In this approach, you need to focus on entire attack paths instead of isolated lateral movement actions. An attack path is the route attackers traverse by exploiting attack vectors to reach their goals; it includes the sequence of actions in the attacker's lifecycle.


Figure 2. Simplified Attack Paths

Validation of attack paths is essential for determining the actual cybersecurity risk organizations face. It reveals the actions an attacker would likely take to compromise your network, such as exploiting vulnerabilities, moving laterally within a network, gaining elevated privileges, and stealing sensitive data. Picus Attack Path Validation (APV) is a comprehensive solution that enables the elimination of attack paths in production environments. Once you have determined where the risks are, you may begin mitigating them through technological, procedural, and regulatory measures, as well as by constructing an end-to-end risk-based defense.
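Validating attack paths is one half of the job; the other is seeing the individual hops as they happen, which is exactly what the statistics at the top of this post say most controls miss. The Python script below is an added example, not code from this post or from Picus. It runs two simple behavioral rules over constructed Windows Security event 4624 records (successful logons, written here as pipe-separated lines): a fan-out rule that flags an account making network logons (logon types 3 and 10) to four or more distinct hosts within ten minutes, and a workstation-to-workstation rule that flags network logons from the workstation subnet to another workstation. The thresholds, the 10.10.20.0/24 workstation range, the host names and the WS- naming prefix are assumptions made for the demo.

```python
"""Behavioral detection of lateral movement over Windows Security 4624 (successful logon) events."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Logon types that mean the caller came over the network: 3 = network (SMB, WMI, ...), 10 = RDP.
NETWORK_LOGON_TYPES = {3, 10}

# Constructed sample telemetry (not real logs). One 4624 per line:
# time | event id | TargetUserName | LogonType | IpAddress (source) | Computer (destination) | auth package
SAMPLE_EVENTS = """\
2025-04-16T09:00:05|4624|alice|2|-|WS-ALICE|Kerberos
2025-04-16T09:01:10|4624|svc_backup|3|10.10.30.5|FS-01|Kerberos
2025-04-16T09:03:00|4624|alice|3|10.10.20.15|WS-BOB|NTLM
2025-04-16T09:03:20|4624|alice|3|10.10.20.15|WS-CAROL|NTLM
2025-04-16T09:03:45|4624|alice|3|10.10.20.15|FS-01|NTLM
2025-04-16T09:04:10|4624|alice|3|10.10.20.15|DC-01|NTLM
2025-04-16T09:04:30|4624|alice|3|10.10.20.15|SQL-01|NTLM
2025-04-16T10:15:00|4624|itadmin|10|10.10.40.8|FS-01|Kerberos
2025-04-16T12:40:00|4624|itadmin|10|10.10.40.8|SQL-01|Kerberos
2025-04-16T13:00:00|4624|svc_backup|3|10.10.30.5|FS-01|Kerberos
2025-04-16T15:05:00|4624|itadmin|10|10.10.40.8|DC-01|Kerberos
2025-04-16T16:00:00|4624|bob|3|10.10.20.16|FS-01|Kerberos
"""


def parse_events(text):
    """Turn the pipe-separated sample lines into dicts; only 4624 records are kept."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, logon_type, src_ip, dest, auth = line.split("|")
        if event_id != "4624":
            continue
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user.lower(),
            "logon_type": int(logon_type),
            "src_ip": src_ip,
            "dest": dest.upper(),
            "auth": auth,
        })
    return events


def detect_fan_out(events, threshold=4, window_minutes=10):
    """One account, many hosts: flag accounts whose network logons reach >= threshold
    distinct destination hosts inside a sliding time window."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for ev in events:
        if ev["logon_type"] in NETWORK_LOGON_TYPES:
            by_account[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window's left edge forward
                start += 1
            hosts = {e["dest"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            alerts.append({"rule": "fan_out", "user": user, "hosts": sorted(best)})
    return alerts


def _in_any(ip_text, nets):
    try:
        ip = ip_address(ip_text)
    except ValueError:   # Windows logs "-" for local logons: no source address to check
        return False
    return any(ip in net for net in nets)


def detect_ws_to_ws(events, workstation_nets, workstation_prefix="WS-"):
    """Workstation-to-workstation network logons are rare in a segmented network; a user's
    credentials being used from one workstation to reach another is a hop worth looking at."""
    nets = [ip_network(n) for n in workstation_nets]
    alerts = []
    for ev in events:
        if ev["logon_type"] not in NETWORK_LOGON_TYPES:
            continue
        if _in_any(ev["src_ip"], nets) and ev["dest"].startswith(workstation_prefix):
            alerts.append({"rule": "ws_to_ws", "user": ev["user"], "src_ip": ev["src_ip"],
                           "dest": ev["dest"], "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_fan_out(evs) + detect_ws_to_ws(evs, ["10.10.20.0/24"]):
        print(alert)
```

On the sample data only alice trips the fan-out rule (five hosts in under two minutes, all over NTLM), while itadmin's three RDP sessions spread across the day stay under the threshold in any ten-minute window and svc_backup's repeated logons to the same file server count as one host. Both rules are deliberately cheap so they can run on raw 4624 telemetry; in production you would add the 4672 (special privileges assigned) and 4648 (explicit credentials) events and a per-account baseline instead of fixed thresholds.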

Best Practices to Prevent Lateral Movement

Preventing lateral movement is a critical part of protecting an organization's internal network once an attacker has bypassed the outer defenses. 

  • Network Segmentation

The first best practice is to apply strong network segmentation. By dividing the network into smaller, isolated segments based on business function or sensitivity, you make it much harder for attackers to move freely. If they compromise a machine in one segment, strict controls on communication between segments can limit their ability to reach other parts of the network.

  • Least Privilege Principle

Another essential practice is enforcing the principle of least privilege. Users and systems should only have the minimum access necessary to perform their duties. When accounts have unnecessary administrative rights or broad access to sensitive systems, attackers can take advantage of this to escalate their privileges and move laterally. Regularly reviewing and tightening access controls helps reduce these opportunities.

  • Prevent Password Reuse

Attackers often steal or reuse passwords to move between systems. Organizations should keep administrative accounts separate from standard user accounts, require multi-factor authentication (MFA) for privileged actions, and prevent the use of shared or default passwords; in particular, every host should have a unique local administrator password (Windows LAPS manages this) so that one dumped hash does not open every machine. Monitoring and protecting credential stores such as the Security Account Manager (SAM) database and cached credentials also reduces the risk.

What Is Next?

So far, we have briefly explained what lateral movement is and why adversaries perform lateral movement techniques as a common practice in their cyberattacks. In addition, we described how adversaries leverage lateral movement techniques to gain unauthorized access to organizations' valuable assets, remain persistent on the compromised network, gain privileged accounts, and increase the impact of their attacks. 

Stay tuned! In the upcoming blog, we will discuss why organizations need to simulate lateral movement attacks.

The Most Frequently Asked Questions About Lateral Movement

Attackers typically compromise their target's computer through phishing. Using stolen credentials, they move laterally across the network, gaining access to a file server. This lateral movement allows attackers to locate sensitive data for exfiltration while avoiding immediate detection.

Lateral movement and privilege escalation are both post-compromise techniques. Privilege escalation is used to gain higher-level access on a system, while lateral movement is used to gain access across multiple systems. Attackers often escalate privileges so that they can reach other systems via lateral movement.

Current detection methods often struggle because attackers mimic normal user behavior. Most security controls miss subtle signs of lateral movement, and over-reliance on signatures or predefined rules leaves organizations blind to sophisticated adversary tactics.

Lateral movement attacks are dangerous because they allow adversaries to silently expand access to critical systems. This stealthiness enables devastating outcomes like ransomware, data breaches, or espionage before organizations can detect or respond.

Defending against lateral movement is hard because enterprise networks are complex, users often have broad access, and stolen credentials can blend in as legitimate activity. It requires strong segmentation, password policies, and continuous monitoring to be effective.

Unlike attacks focused on initial access or immediate disruption, lateral movement involves stealthy exploration and spread within a network. It enables attackers to find high-value targets and execute more damaging objectives like data theft or ransomware.
