The SolarWinds attackers were inside US government networks for nine months. They didn't get everything in one shot - they moved, pivoted, escalated, and spread. By the time anyone noticed, they'd reached the most sensitive systems in multiple federal agencies. Initial access wasn't the attack. It was just the door.

That's lateral movement in action, and it's where most breaches actually happen.

What Lateral Movement Actually Is

Lateral movement is the set of techniques attackers use to progressively expand their access after they've established an initial foothold. They start with one compromised account or endpoint - often a low-privilege one - and methodically work their way toward the assets they actually want: domain controllers, databases, file shares, backup systems.

The term "lateral" is deliberate. Movement isn't just vertical (gaining more privileges). It's horizontal across your network - jumping from workstation to server, from one department's systems to another, from on-premises infrastructure into cloud environments.

According to IBM's 2024 Cost of a Data Breach Report, attackers dwell in networks for an average of 194 days before detection. That's six months of lateral movement, undetected. By the time you find them, they've mapped your environment more thoroughly than most of your own IT staff.

Why Initial Access Is Just the Beginning

Think about what attackers typically compromise first: a phishing victim's email account. A contractor's VPN credentials. An internet-facing server running outdated software. These entry points are useful but rarely the endgame.

The crown jewels - Active Directory, production databases, financial systems, customer data - sit deeper in the network. Getting to them requires navigating your environment, finding the paths between systems, and accumulating the credentials and privileges needed to open each door.

This is why stopping attackers at the perimeter isn't enough. Once they're in, they shift into reconnaissance mode. They're asking: What domain am I joined to? What other systems are on this network? Who are the high-value users? Where are the file shares? Where's the domain controller?

Tools like BloodHound automate exactly this kind of Active Directory mapping. An attacker runs it once and gets a complete graph of privilege relationships across your entire domain, including the shortest path to domain admin. It takes minutes. Your defenders rarely have that kind of visibility.

Common Lateral Movement Techniques

Pass-the-Hash and Pass-the-Ticket

When attackers compromise a Windows machine, they often don't need the actual password. They need the hash.

Pass-the-hash abuses the NTLM authentication protocol. Windows stores password hashes in memory, and tools like mimikatz can extract them. Once you have a hash, you can authenticate as that user without ever knowing their password. It's been a known technique since 1997. It still works in 2026 because so many environments still rely on NTLM.

Pass-the-ticket does the same thing but with Kerberos tickets. Specifically, Golden Ticket attacks - where attackers compromise the krbtgt account hash - let them forge Kerberos tickets for any user in the domain, including accounts that don't exist. A Golden Ticket can persist for years because it doesn't rely on any real account being active.

RDP and SMB Abuse

Remote Desktop Protocol (RDP) and Server Message Block (SMB) are legitimate administrative tools that attackers love repurposing.

RDP lets attackers log into systems graphically with valid (or stolen) credentials. Once they have an account with remote desktop rights, they can pivot interactively to any machine that allows RDP. Many organizations have RDP enabled broadly across internal systems for convenience, with no monitoring on who's connecting to what.

SMB is the protocol behind Windows file sharing and administrative shares. Attackers use it to move files between systems, execute code remotely, and authenticate using harvested credentials. SMB relay attacks let attackers intercept and relay authentication attempts without cracking any credentials at all.

PsExec, WMI, and WinRM

These three are the workhorses of living-off-the-land lateral movement - using Microsoft's own tools for malicious purposes.

PsExec is a legitimate Sysinternals tool that runs processes on remote systems. Attackers love it because it's signed by Microsoft, often whitelisted by security tools, and leaves a specific but recognizable artifact pattern that many teams miss.

Windows Management Instrumentation (WMI) lets you execute commands and scripts on remote machines through normal Windows administrative channels. wmic /node:TARGET process call create "cmd.exe /c command" runs a command on a remote system. It's built into every Windows installation.

WinRM (Windows Remote Management) is PowerShell remoting. Invoke-Command -ComputerName TARGET -ScriptBlock { ... } executes arbitrary code on remote systems. Again, built in, legitimate, hard to distinguish from administrative activity without context.

Token Manipulation

Windows access tokens represent the security context of running processes. If you can steal or impersonate a token belonging to a more privileged user, you inherit their access rights.

Techniques like token impersonation let attackers running as a standard user elevate to SYSTEM or steal the context of a domain admin who has an active session on the same machine. mimikatz's sekurlsa::logonpasswords module goes further, dumping credentials from LSASS memory for every user who's logged into the system - including domain admins accessing servers for routine administration.

Living Off the Land Binaries (LOLBins)

LOLBins - legitimate Windows binaries abused for malicious purposes - are increasingly the tool of choice for sophisticated attackers. The reason is simple: they're already on the system, they're often trusted by security tools, and their use blends in with normal administrative noise.

Common examples:

The MITRE ATT&CK framework documents over 60 known LOLBins under the T1218 category. If your detection relies on blocking unknown executables, you're not catching any of these.

Real-World Examples

SolarWinds (2020) - The Nobelium APT group (attributed to SVR, Russian foreign intelligence) injected malicious code into SolarWinds Orion updates, compromising roughly 18,000 organizations. But the code itself was just the door. Once inside target networks, they performed careful lateral movement over months - mimicking normal SolarWinds traffic patterns, using legitimate credentials harvested from each environment, and pivoting specifically toward identity infrastructure and email systems. The sophistication wasn't in the initial exploit. It was in the patient, low-and-slow lateral movement that kept them invisible.

NotPetya (2017) - What made NotPetya so catastrophic wasn't just the EternalBlue SMB exploit (stolen NSA tooling). It was the combination with Mimikatz credential harvesting. NotPetya would land on one machine, steal every credential in memory, and use those credentials to spread via SMB and WMI to every other machine those credentials could reach. Maersk lost roughly $300 million and had to reinstall 45,000 PCs and 4,000 servers. The entire Maersk network was accessible from a single point of entry in Ukraine because of flat network architecture and a treasury of credential material in memory.

Target Breach (2013) - 40 million credit card numbers stolen via a third-party HVAC vendor. The vendor had legitimate network access for remote monitoring. Attackers compromised the vendor, used that access to reach Target's internal network, then moved laterally to the point-of-sale systems. The initial access had nothing to do with payment systems. Lateral movement connected the dots.

How to Detect and Defend

Network Segmentation

This is the highest-leverage control against lateral movement. If your finance systems can't talk to your manufacturing floor, and your marketing workstations can't reach your production servers, you've contained the blast radius before anything happens.

Start with your most sensitive assets. Place them in protected segments with explicit allow-lists for what can communicate with them. Review firewall rules quarterly - most organizations accumulate years of "temporary" rules that never get cleaned up, and attackers find them.

Micro-segmentation takes this further, applying controls at the workload level inside segments. East-west traffic between servers should be as scrutinized as north-south traffic crossing your perimeter.
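As an added illustration of the "explicit allow-list" and "review the rules" advice above (example code written for this article, not a SecValley tool or product feature): a small review script that checks a firewall rule set against a list of protected segments. Every segment, subnet, rule name and date in it is a constructed assumption. A rule is flagged when its source is not on the segment's allow-list, when the source is so broad that it is effectively "anyone inside the network", or when it is tagged temporary and has outlived its age limit.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network

# Constructed policy: protected segments and the only sources allowed to reach them.
PROTECTED = {
    "finance-db": ip_network("10.10.30.0/24"),
    "domain-controllers": ip_network("10.10.1.0/27"),
}
ALLOWED_SOURCES = {
    "finance-db": [ip_network("10.10.20.0/24")],           # finance application tier
    "domain-controllers": [ip_network("10.10.250.0/28")],  # privileged access workstations
}


@dataclass
class Rule:
    name: str
    src: object      # IPv4Network
    dst: object      # IPv4Network
    port: str        # "any" or a port number, kept as text
    created: date
    tag: str = ""


# Constructed rule set in the shape of a flattened firewall export (not real rules).
RULES = [
    Rule("fin-app-to-db", ip_network("10.10.20.0/24"), ip_network("10.10.30.0/24"), "1433", date(2022, 1, 10)),
    Rule("temp-vendor-access", ip_network("10.0.0.0/8"), ip_network("10.10.30.0/24"), "any", date(2019, 6, 3), "temporary"),
    Rule("mkt-to-dc-smb", ip_network("10.10.40.0/24"), ip_network("10.10.1.0/27"), "445", date(2021, 3, 5)),
    Rule("paw-to-dc", ip_network("10.10.250.0/28"), ip_network("10.10.1.0/27"), "any", date(2023, 9, 1)),
    Rule("workstations-to-proxy", ip_network("10.10.40.0/24"), ip_network("10.10.200.10/32"), "3128", date(2020, 2, 2)),
]


def review_rules(rules, protected, allowed, today, max_age_days=365, broad_prefix=16):
    """Return a list of (rule name, finding, segment) tuples for rules that
    weaken segmentation of a protected segment or have gone stale."""
    findings = []
    for r in rules:
        for seg, net in protected.items():
            if not r.dst.overlaps(net):
                continue  # rule does not touch this protected segment
            # Source must sit entirely inside one of the segment's allow-listed networks.
            if not any(r.src.subnet_of(a) for a in allowed[seg]):
                findings.append((r.name, "unlisted-source", seg))
            # A /8 or wider source into a protected segment is east-west "any".
            if r.src.prefixlen < broad_prefix:
                findings.append((r.name, "broad-source", seg))
        # "Temporary" rules that outlive their review window are the ones attackers find.
        if r.tag == "temporary" and (today - r.created).days > max_age_days:
            findings.append((r.name, "stale-temporary", ""))
    return findings


if __name__ == "__main__":
    for name, finding, seg in review_rules(RULES, PROTECTED, ALLOWED_SOURCES, date(2024, 3, 1)):
        print(f"{name}: {finding} {seg}".rstrip())
```

Running it on the constructed rule set flags the vendor rule three times (unlisted source, /8 source, stale temporary) and the marketing-to-domain-controller SMB rule once; the two rules that match the allow-list and the rule that never touches a protected segment produce nothing. The same check runs unchanged over a real export once the rules are parsed into the Rule shape.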

Privileged Access Management

Most lateral movement depends on harvesting and abusing privileged credentials. Reduce the target.

Just-in-time (JIT) access means admin rights are granted for specific tasks and revoked automatically. Domain admin credentials aren't sitting in memory on workstations, waiting for mimikatz. Implement JIT through Microsoft Entra Privileged Identity Management (PIM) for cloud and hybrid environments.

Dedicated privileged access workstations (PAWs) separate administrative tasks from daily work. Admins don't browse the web or read email on the same machine they use to manage domain controllers.

Eliminate standing local admin rights on workstations. Use Microsoft Local Administrator Password Solution (LAPS) to randomize local admin passwords across your fleet - it defeats pass-the-hash attacks that rely on the same local admin password being reused on every machine.

EDR and XDR Monitoring

Lateral movement leaves behavioral signatures that signature-based detection misses. Endpoint Detection and Response (EDR) tools watch for:

Extended Detection and Response (XDR) correlates these signals across endpoints, identity, and network. A single event looks benign. Correlated across sources, the pattern becomes obvious.
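The correlation idea above, as an added example that is not from the article or any EDR product: three rules run over a constructed batch of Windows event records (simplified to the fields the rules need; the hostnames, accounts, IPs and timestamps are invented). The fan-out rule catches one account reaching several hosts in a short window, the PsExec rule ties the PSEXESVC service-install artifact (System log event 7045) on a host back to the remote logon that preceded it, and the third rule flags a privileged account arriving over an NTLM network logon on a host that is not a sanctioned admin host. Each event on its own is routine administration; together they describe the spread the article talks about.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    event_id: int        # 4624 = logon, 7045 = service installed
    host: str            # computer the event was recorded on
    account: str = ""
    logon_type: int = 0  # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
    auth_package: str = ""
    source_ip: str = ""
    service_name: str = ""


T0 = datetime(2024, 3, 1, 9, 0)  # constructed reference time


def _at(minutes):
    return T0 + timedelta(minutes=minutes)


# Constructed sample batch (not real logs). A benign PAW logon and a service
# account logon sit next to one workstation account spreading to three hosts,
# a PsExec service install on the last of them, and a domain admin's hash being
# used over NTLM against a workstation from the same source address.
SAMPLE_EVENTS = [
    Event(_at(-30), 4624, "PAW-01", "da-admin", 2, "Kerberos"),
    Event(_at(0), 4624, "WS-042", "jdoe", 2, "Kerberos"),
    Event(_at(5), 4624, "FS01", "svc-backup", 3, "Kerberos", "10.0.5.20"),
    Event(_at(10), 4624, "WS-017", "jdoe", 3, "NTLM", "10.0.20.42"),
    Event(_at(12), 4624, "WS-023", "jdoe", 3, "NTLM", "10.0.20.42"),
    Event(_at(14), 4624, "SRV-APP01", "jdoe", 3, "NTLM", "10.0.20.42"),
    Event(_at(15), 7045, "SRV-APP01", service_name="PSEXESVC"),
    Event(_at(20), 4624, "WS-017", "da-admin", 3, "NTLM", "10.0.20.42"),
]

REMOTE_LOGON_TYPES = {3, 10}  # network (SMB/WMI/WinRM) and RDP


def detect_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """One account logging on remotely to many distinct hosts inside a short window."""
    by_account = defaultdict(list)
    for e in events:
        if e.event_id == 4624 and e.logon_type in REMOTE_LOGON_TYPES:
            by_account[e.account].append(e)
    findings = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            hosts = {x.host for x in evs[i:] if x.ts - start.ts <= window}
            if len(hosts) >= min_hosts:
                findings.append({"rule": "fanout", "account": account,
                                 "hosts": sorted(hosts), "start": start.ts})
                break  # one finding per account is enough for triage
    return findings


def detect_psexec(events, lookback=timedelta(minutes=5)):
    """PsExec installs a service named PSEXESVC on the target; join that 7045
    event to the remote logons on the same host just before it."""
    logons = [e for e in events if e.event_id == 4624 and e.logon_type in REMOTE_LOGON_TYPES]
    findings = []
    for e in events:
        if e.event_id == 7045 and e.service_name.upper() == "PSEXESVC":
            prior = [l for l in logons if l.host == e.host and timedelta(0) <= e.ts - l.ts <= lookback]
            findings.append({"rule": "psexec", "host": e.host, "ts": e.ts,
                             "accounts": sorted({l.account for l in prior}),
                             "source_ips": sorted({l.source_ip for l in prior})})
    return findings


def detect_privileged_ntlm(events, privileged, allowed_hosts):
    """Privileged account over an NTLM network logon on a non-admin host: the
    shape pass-the-hash takes in the logs. A hunting lead, not proof."""
    return [{"rule": "privileged_ntlm", "account": e.account, "host": e.host,
             "source_ip": e.source_ip, "ts": e.ts}
            for e in events
            if e.event_id == 4624 and e.logon_type == 3 and e.auth_package.upper() == "NTLM"
            and e.account in privileged and e.host not in allowed_hosts]


def correlate(events, privileged=frozenset({"da-admin"}), allowed_hosts=frozenset({"PAW-01", "DC01"})):
    return (detect_fanout(events) + detect_psexec(events)
            + detect_privileged_ntlm(events, privileged, allowed_hosts))


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On the sample batch this yields three findings that share one source address, which is the correlation a single-source alert would never show: jdoe fanning out to three hosts, a PsExec service install on the third host attributed to that same logon, and a domain admin's credential used over NTLM against a workstation. The privileged-account and admin-host sets are the tuning knobs; in a real deployment they come from your PAM inventory, not a constant.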

Microsoft Ecosystem: Defender for Identity and Entra ID

If you're in a Microsoft environment, you have purpose-built tools for this.

Microsoft Defender for Identity monitors Active Directory for lateral movement indicators: pass-the-hash, pass-the-ticket, Golden Ticket attacks, unusual Kerberos ticket requests, reconnaissance activity. It understands normal authentication patterns for your environment and alerts on deviations. It also creates a user entity behavior analytics (UEBA) baseline, so when an account starts authenticating to unusual systems, you know about it.

Entra ID Conditional Access can block authentication from non-compliant devices, unusual locations, or high-risk sign-in contexts. Combined with continuous access evaluation, it revokes sessions in near-real-time when risk signals change.

Deception Technology

Honeypots and deception assets turn the attacker's reconnaissance against them. A fake admin account, a fake file share called "Passwords", a fake domain controller - any attacker touching these generates a high-fidelity alert with virtually no false positives.

Deception is particularly effective against lateral movement because the techniques attackers use (network scanning, credential harvesting, accessing administrative shares) are exactly the behaviors that will stumble across deception assets.

Putting It Together with CSPM

Lateral movement often exploits misconfigurations that defenders don't know exist: overprivileged service accounts, excessive role assignments in Entra ID, misconfigured network security groups that allow unnecessary east-west traffic. SecValley's CSPM platform provides continuous visibility across your Microsoft 365, Entra ID, and Azure environments - surfacing the identity and network configuration gaps that attackers map during reconnaissance, before they can exploit them.

The Uncomfortable Truth

Initial access gets all the attention. Lateral movement does the damage.

An attacker who lands on a receptionist's workstation and stays there is a minor incident. That same attacker who spends three weeks moving through your network before you notice - reaching your backups, your domain controllers, your customer data - is a catastrophe.

The techniques aren't exotic. Pass-the-hash, WMI execution, LOLBins - these have been in attacker toolkits for a decade. The organizations that contain breaches quickly are the ones that reduced the attacker's freedom of movement before the incident, not the ones scrambling to understand their own network topology after the alarm goes off.