How Attackers Move Through Hybrid Networks After the Initial Breach

March 17, 2026
Lucie Cardiet
Head of Cyber Threat Research

Initial access is rarely the end goal of an attack. It’s just the starting point.

Once attackers establish persistence inside a network, their next objective is expansion. They move from the original compromised system to additional hosts, identities, and services until they reach something valuable.

This stage is known as lateral movement.

In modern hybrid environments, lateral movement often happens quietly. Attackers use legitimate credentials, approved tools, and normal administrative protocols.

From the outside, nothing appears broken.

But inside the network, the attacker is steadily widening control.

Why Lateral Movement Is Hard to Detect

Traditional defenses are designed to stop attackers at the perimeter or detect malware on endpoints.

Lateral movement rarely triggers either control. Attackers move internally using tools and behaviors that resemble normal administrative activity. They often rely on built-in protocols and tooling such as SMB, RDP, and PowerShell remoting, or on legitimate remote management utilities.

Each individual action can appear harmless.

Viewed in isolation, it looks like routine IT activity.

Viewed together, it reveals an intrusion unfolding across the environment.

1. How Attackers Begin Moving Inside the Network

The first step in lateral movement is reconnaissance.

Attackers begin by asking the environment simple questions. Systems often provide these answers automatically.

They start by confirming identity privileges and group memberships, identifying domain structures, and mapping visible systems or shared resources.

Their goal is to build a shortlist of potential targets.

Active Directory often becomes the focal point of this discovery process because, by default, any authenticated domain user can read most of the directory, which exposes the relationships between users, groups, and systems.

Tools such as ADScan or AdFind allow attackers to query Active Directory directly. Others rely on BloodHound, which maps identity relationships and highlights privilege escalation paths inside the domain.

These tools transform identity infrastructure into an attack roadmap.
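As an added example (not code from the original post or from Vectra), here is the core of what BloodHound-style path finding does, reduced to a breadth-first search over a small constructed identity graph. The user, group and host names and the three edge types are illustrative assumptions; a real collector gathers the same relationships from LDAP queries, local group enumeration and session data.

```python
from collections import deque

# Constructed toy identity graph (illustrative assumption, not data from any real
# domain). The edge labels follow the relationship types BloodHound collects:
#   MemberOf   principal -> group
#   AdminTo    principal or group -> computer it holds local admin rights on
#   HasSession computer -> user whose credentials are currently in memory there
EDGES = [
    ("alice@corp.local",         "MemberOf",   "HELPDESK@corp.local"),
    ("HELPDESK@corp.local",      "AdminTo",    "WS01.corp.local"),
    ("alice@corp.local",         "AdminTo",    "WS02.corp.local"),   # dead end
    ("WS01.corp.local",          "HasSession", "bob@corp.local"),
    ("bob@corp.local",           "MemberOf",   "SERVER-ADMINS@corp.local"),
    ("SERVER-ADMINS@corp.local", "AdminTo",    "FS01.corp.local"),
    ("FS01.corp.local",          "HasSession", "da-carol@corp.local"),
    ("da-carol@corp.local",      "MemberOf",   "DOMAIN ADMINS@corp.local"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_attack_path(graph, start, target):
    """Breadth-first search for the fewest-hop path from a compromised principal
    to the target; returns [(node, relationship, node), ...] or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    path.reverse()
    return path


def format_path(path):
    """Render a path as 'a -[rel]-> b -[rel]-> c'."""
    if not path:
        return "(no path)"
    text = path[0][0]
    for _, rel, dst in path:
        text += f" -[{rel}]-> {dst}"
    return text


if __name__ == "__main__":
    graph = build_graph(EDGES)
    target = "DOMAIN ADMINS@corp.local"
    print(format_path(shortest_attack_path(graph, "alice@corp.local", target)))
    # Remove the one HasSession edge that exposes a Domain Admin on a member server
    # (i.e. enforce that tier-0 accounts never log on there): the path disappears.
    pruned = build_graph([e for e in EDGES
                          if e != ("FS01.corp.local", "HasSession", "da-carol@corp.local")])
    print(format_path(shortest_attack_path(pruned, "alice@corp.local", target)))
```

Running it prints the seven-hop route from alice to Domain Admins, then shows that removing the single HasSession edge (da-carol logged on to FS01) leaves no path at all. That is the defensive reading of the same roadmap: the relationships an attacker walks are the relationships a defender can cut, and keeping tier-0 accounts off member servers removes the hop that matters most.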

2. Expanding Access Through Credential Theft

Once attackers understand the environment, they start collecting credentials.

Many intrusions rely on credential reuse rather than exploiting new vulnerabilities.

Attackers search compromised systems for:

  • cached credentials
  • Kerberos tickets
  • stored authentication tokens
  • active sessions on servers

Tools such as Mimikatz can extract passwords, NTLM hashes, and Kerberos tickets directly from memory on compromised hosts. Reading LSASS memory requires local administrator or SYSTEM rights on that host, so credential dumping usually follows a local privilege escalation. Each recovered credential increases the attacker's reach. More identities mean more systems to explore.

3. Remote Execution: The Moment Lateral Movement Begins

Lateral movement truly begins once attackers execute commands on a second system. At this point they confirm three things:

  1. the target system is reachable
  2. the stolen credentials provide sufficient privileges
  3. remote execution is possible

Attackers rarely need custom malware to accomplish this.

They often rely on legitimate administrative tools such as:

  • PsExec to execute commands remotely
  • RDP to log into another system interactively
  • SMB admin shares to copy files or launch processes

Frameworks like Cobalt Strike or Brute Ratel automate many of these actions, allowing attackers to control multiple compromised systems simultaneously.

From the defender's perspective, these actions can look identical to legitimate system administration: the artifacts they leave behind (a network logon, an access to an administrative share, a newly installed service) are the same ones routine administration produces.
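When the tool is PsExec or something that behaves like it, the remote execution step leaves a small, predictable set of Windows events on the target host: a network logon (4624 with logon type 3), an access to an administrative share such as ADMIN$ (5140, recorded only if file-share auditing is enabled), and a new service installation (7045; PsExec's default service name is PSEXESVC). The detector below, an added example that is not part of the original post or of any Vectra product, correlates those three events on one host inside a short window over a constructed set of events. The event field names, the 120-second window and the allowlist of sanctioned admin sources are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs), reduced to the fields that matter.
# The chain a PsExec-style tool leaves on the target host:
#   4624 / LogonType 3  network logon by the attacker's account
#   5140               access to an administrative share (ADMIN$ or C$)
#   7045               a new service installed (PSEXESVC by default for PsExec)
EVENTS = [
    {"time": "2026-03-17T09:00:02", "host": "FS01", "id": 4624, "logon_type": 3,
     "account": "svc-backup", "src_ip": "10.0.1.20"},
    {"time": "2026-03-17T09:00:03", "host": "FS01", "id": 5140, "share": r"\\*\IPC$",
     "account": "svc-backup", "src_ip": "10.0.1.20"},
    {"time": "2026-03-17T09:00:03", "host": "FS01", "id": 5140, "share": r"\\*\ADMIN$",
     "account": "svc-backup", "src_ip": "10.0.1.20"},
    {"time": "2026-03-17T09:00:05", "host": "FS01", "id": 7045, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    # benign: a user opens a data share; no admin share, no service install
    {"time": "2026-03-17T09:10:00", "host": "FS01", "id": 4624, "logon_type": 3,
     "account": "alice", "src_ip": "10.0.2.15"},
    {"time": "2026-03-17T09:10:01", "host": "FS01", "id": 5140, "share": r"\\*\Finance",
     "account": "alice", "src_ip": "10.0.2.15"},
    # benign: an agent upgrade installs a service with no preceding remote admin-share access
    {"time": "2026-03-17T11:30:00", "host": "WS05", "id": 7045, "service": "Sysmon64",
     "image": r"C:\Windows\Sysmon64.exe"},
]

ADMIN_SHARES = {"ADMIN$", "C$"}


def share_name(share):
    """'\\\\*\\ADMIN$' -> 'ADMIN$' (the 5140 ShareName field carries the UNC form)."""
    return share.rsplit("\\", 1)[-1].upper()


def ts(event):
    return datetime.fromisoformat(event["time"])


def detect_remote_execution(events, window_seconds=120, allowlist=frozenset()):
    """Flag each 7045 service install that is preceded, on the same host and within
    the window, by an admin-share access and a network logon from the same account
    and source IP. allowlist holds (account, src_ip) pairs of sanctioned tooling."""
    window = timedelta(seconds=window_seconds)
    ordered = sorted(events, key=ts)
    findings = []
    for i, svc in enumerate(ordered):
        if svc["id"] != 7045:
            continue
        earliest = ts(svc) - window
        recent = [e for e in ordered[:i] if e["host"] == svc["host"] and ts(e) >= earliest]
        for share_evt in recent:
            if share_evt["id"] != 5140 or share_name(share_evt["share"]) not in ADMIN_SHARES:
                continue
            logon = next((e for e in recent
                          if e["id"] == 4624 and e["logon_type"] == 3
                          and e["account"] == share_evt["account"]
                          and e["src_ip"] == share_evt["src_ip"]), None)
            if logon is None or (share_evt["account"], share_evt["src_ip"]) in allowlist:
                continue
            findings.append({
                "host": svc["host"],
                "account": share_evt["account"],
                "src_ip": share_evt["src_ip"],
                "service": svc["service"],
                "image": svc["image"],
                "chain": [logon["time"], share_evt["time"], svc["time"]],
            })
    return findings


if __name__ == "__main__":
    for f in detect_remote_execution(EVENTS):
        print(f"{f['host']}: {f['account']}@{f['src_ip']} installed service "
              f"{f['service']} ({f['image']}) after admin-share access; chain {f['chain']}")
```

The three benign records are there on purpose: the IPC$ access, the data-share read and the local Sysmon upgrade each match one element of the chain and none of them is flagged. Renaming the service (PsExec's -r switch does this) defeats a name-based rule but not this one, because the correlation keys on the share access and the logon, not on the string PSEXESVC; 5140 only exists if the "Audit File Share" policy is enabled, so check that before relying on it.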

4. Pivoting Across the Network

Once attackers gain access to additional systems, they repeat the process.

From each new vantage point they perform further discovery, looking for:

  • domain controllers
  • identity infrastructure
  • sensitive repositories
  • privileged accounts

Every new system provides additional credentials and network visibility.

This iterative process continues until attackers reach the systems they ultimately want to control.

That may be identity infrastructure, cloud environments, or data repositories.

At that point, the attacker effectively controls the environment.

Modern Access Models Are Changing Lateral Movement

Modern IT access models are making lateral movement easier.

Tools designed to simplify infrastructure access can also simplify attacker movement once an identity is compromised.

For example, platforms like Teleport centralize infrastructure access through identity-based authentication. If attackers compromise the right account, they may inherit access to large portions of the environment.

Similarly, networking platforms like Tailscale create secure connectivity paths between devices without relying on traditional VPN infrastructure.

When attackers gain control of one of these identities or devices, they may gain access to systems that were never directly exposed to the internet.

In other words, access architectures designed for convenience can become powerful lateral movement channels.

Why Traditional Security Tools Struggle Here

Most defensive tools analyze isolated signals.

EDR focuses on endpoint behavior. IAM platforms focus on authentication. Network security tools focus on perimeter activity.

Lateral movement often occurs between these layers.

Attackers use legitimate credentials, native protocols, and approved administrative tools. Activity appears authorized, encrypted, and policy-compliant.

Nothing looks obviously malicious until behavior is analyzed across the environment.

What Detecting Lateral Movement Actually Requires

Detecting lateral movement requires visibility into how identities behave across the network. SOC teams should look for patterns such as:

  • abnormal remote execution between systems
  • unusual identity activity across multiple hosts
  • repeated authentication across systems in short timeframes
  • internal reconnaissance activity
  • credential reuse patterns that expand rapidly across infrastructure

These behaviors reveal attacker movement even when individual actions appear legitimate.

Detection must focus on behavior chains, not isolated alerts.
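Two of the patterns in the list above, rapid credential reuse across hosts and chained authentication from one newly reached host to the next, can be checked directly over logon records. The example below is added here and is not code from the original post or from Vectra. It runs over a constructed set of remote logons already joined to source and destination host names (a join a SIEM would normally perform), and the ten-minute window, three-host threshold and two-hop minimum are tunable assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Logon = namedtuple("Logon", "time account src dst logon_type")

# Constructed sample of remote logons (e.g. 4624 with logon type 3 for network,
# 10 for RDP), already joined to host names. Not real data; names are illustrative.
RAW_LOGONS = [
    ("2026-03-17T09:00:00", "svc-backup",   "WS01",   "FS01",  3),
    ("2026-03-17T09:02:30", "svc-backup",   "FS01",   "APP02", 3),
    ("2026-03-17T09:03:10", "svc-backup",   "FS01",   "APP03", 3),
    ("2026-03-17T09:04:45", "svc-backup",   "APP02",  "DC01",  10),
    ("2026-03-17T09:06:00", "svc-backup",   "FS01",   "SQL01", 3),
    # routine: helpdesk RDPs from the jump host to one workstation, then another an hour later
    ("2026-03-17T09:05:00", "helpdesk-eve", "JUMP01", "WS07",  10),
    ("2026-03-17T10:05:00", "helpdesk-eve", "JUMP01", "WS08",  10),
]


def parse_rows(rows):
    """Turn raw rows into time-ordered Logon records."""
    return sorted((Logon(datetime.fromisoformat(t), a, s, d, lt) for t, a, s, d, lt in rows),
                  key=lambda r: r.time)


LOGONS = parse_rows(RAW_LOGONS)


def by_account(logons):
    groups = defaultdict(list)
    for rec in logons:
        groups[rec.account].append(rec)
    return groups


def fan_out(logons, window_seconds=600, threshold=3):
    """Accounts that authenticate to >= threshold distinct hosts inside any sliding
    window: credential reuse spreading faster than routine administration does."""
    window = timedelta(seconds=window_seconds)
    findings = {}
    for account, recs in by_account(logons).items():
        best = set()
        for i, start in enumerate(recs):
            hosts = {r.dst for r in recs[i:] if r.time - start.time <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            findings[account] = sorted(best)
    return findings


def _walk(recs, path, last, min_hops, found):
    """Extend the chain from its last host with every later logon the same account
    made *from* that host; record maximal chains of at least min_hops hops."""
    extended = False
    for r in recs:
        if r.src == path[-1] and r.time > last.time and r.dst not in path:
            extended = True
            _walk(recs, path + [r.dst], r, min_hops, found)
    if not extended and len(path) - 1 >= min_hops:
        found.append(path)


def pivot_chains(logons, min_hops=2):
    """Per account, reconstruct hop-by-hop movement: a logon whose source host is one
    the account reached earlier is treated as the next pivot from that host."""
    chains = {}
    for account, recs in by_account(logons).items():
        reached = {r.dst for r in recs}
        roots = [r for r in recs if r.src not in reached]   # entry points
        found = []
        for root in roots:
            _walk(recs, [root.src, root.dst], root, min_hops, found)
        if found:
            chains[account] = found
    return chains


if __name__ == "__main__":
    for account, hosts in fan_out(LOGONS).items():
        print(f"fan-out: {account} reached {len(hosts)} hosts within 10 min: {', '.join(hosts)}")
    for account, paths in pivot_chains(LOGONS).items():
        for path in paths:
            print(f"pivot chain for {account}: " + " -> ".join(path))
```

The fan-out check catches the service account touching five servers in six minutes while the helpdesk account, which takes an hour between workstations, stays below threshold. The chain reconstruction turns the same records into the route WS01 -> FS01 -> APP02 -> DC01, which is what an analyst needs in order to act on the intrusion rather than on five separate logon alerts; in production the thresholds should be set per account class, since backup and monitoring accounts legitimately touch many hosts.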

How the Vectra AI Platform Detects Attacker Movement Across the Network

Lateral movement rarely involves obvious malware. Attackers typically rely on legitimate credentials and approved administrative protocols. Remote execution tools, file shares, and identity services are used exactly as administrators would use them.

Viewed individually, these actions appear authorized.

The Vectra AI Platform analyzes how identities interact with systems across the network to identify the patterns that indicate attacker expansion. Credential reuse across multiple hosts, abnormal remote execution paths, and internal reconnaissance activity expose when an identity is being used to traverse the environment.

By correlating network traffic with identity behavior, the platform reconstructs attacker movement across hybrid infrastructure. This allows SOC teams to see how a compromise spreads from one system to another and intervene before the attacker reaches domain control, sensitive data, or ransomware deployment.

Instead of chasing isolated alerts, analysts can follow the attacker’s path through the network.

Your next steps

By the time attackers begin moving laterally, the intrusion is already well underway.

At this stage they reuse credentials, execute commands remotely, and pivot from one system to another until they reach identity infrastructure, sensitive data, or systems that allow them to launch ransomware.

In Attack Lab Episode 3: Lateral Movement – How attackers move in the network, we walk through how modern attackers expand control inside hybrid environments using legitimate administrative tools and stolen identities.

Watch the session to see how lateral movement actually unfolds in real intrusions and how SOC teams can detect attacker behavior before the compromise spreads across the environment.

To understand the full attacker journey, you can also explore the other Attack Lab sessions covering Initial Access and Persistence, which show how these intrusions begin and how attackers establish long-term footholds.
