What Is Lateral Movement in Cybersecurity?

Lateral movement is how attackers spread from their initial foothold to other systems across a network. Once an intruder compromises a single device or account, they rarely stay put. Instead, they hop from machine to machine, harvesting credentials and escalating access until they reach their real target: sensitive data, critical servers, or administrative controls. As of mid-2025, the average time from initial compromise to the first lateral move has dropped to just 18 minutes, with some attacks achieving it in as few as six.

How Lateral Movement Works

Every lateral movement attack follows a general pattern. First, the attacker gets in, often through a phishing email, an exploited vulnerability, or stolen credentials. At this stage they typically control one low-privilege account on one machine. That’s not very useful on its own, so they begin exploring the network to figure out what else is connected, what accounts exist, and where valuable resources live.

Next comes privilege escalation: gaining higher-level access than the foothold account has. Security writing sometimes splits this into horizontal escalation (taking over other accounts at the same privilege level, which is really lateral movement by another name) and vertical escalation (jumping to an account with more permissions, such as a domain administrator). Lateral movement and privilege escalation feed each other in a loop: moving to a new machine often exposes new credentials, and those credentials unlock access to yet another machine.

The attacker’s goal is to remain undetected while building a path toward their objective. That objective might be deploying ransomware across every endpoint, exfiltrating a database of customer records, or planting a persistent backdoor for long-term espionage.

Common Techniques Attackers Use

The MITRE ATT&CK framework, a widely referenced catalog of adversary behavior, documents several core techniques under its Lateral Movement tactic (TA0008):

  • Pass the Hash / Pass the Ticket: Instead of cracking a password, attackers reuse a stolen NTLM password hash or Kerberos ticket to authenticate as another user. Windows NT hashes are unsalted and are all the NTLM protocol needs to compute a valid response, so the hash is password-equivalent; a Kerberos ticket is likewise valid until it expires. The attacker never needs the plaintext, and because the authentication itself succeeds, the logon is recorded as a legitimate session for that user rather than as an access-control failure.
  • Remote services: Legitimate protocols like RDP (remote desktop), SSH, SMB (file sharing), and WinRM (remote management) exist so administrators can work across machines. Attackers use the same protocols with stolen credentials, so their sessions look like routine administrative activity; what gives them away is who is connecting, from where, and to how many machines, rather than the protocol itself.
  • Internal spear phishing: Once inside, attackers sometimes send targeted phishing emails from a compromised employee’s real mailbox to trick other employees into handing over their credentials or opening malicious files. These messages are harder to spot because they come from a trusted colleague.
  • Remote execution tools: Commands can be run on distant machines through built-in Windows services. Attackers frequently use PsExec (a Microsoft Sysinternals utility that copies a service binary to the target over SMB and uses it to launch a process), WMI, and PowerShell Remoting over WinRM to execute code without ever sitting at the target machine.
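The pass-the-hash bullet above rests on one fact: the NT hash, not the password, is the secret NTLM actually uses. The following added example (written for this article, not taken from ATT&CK, Mimikatz or any other tool it names) makes that concrete. It implements MD4 in pure Python, since OpenSSL builds often ship without it, derives the NT hash, and computes an NTLMv2 challenge response the way MS-NLMP defines it. A client that knows the password and an attacker who only holds the dumped hash produce byte-identical responses. The user name, domain, challenge and client blob are constructed values.

```python
"""Why a stolen NT hash is password-equivalent (added example, not article code)."""
import hmac
import struct


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, implemented here because hashlib's md4 is often unavailable."""
    mask = 0xFFFFFFFF
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    # Padding: 0x80, zeros until length is 56 mod 64, then the 64-bit little-endian bit count.
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        s = list(state)
        for fn, k, order, shifts in rounds:
            for i in range(16):
                a = (-i) % 4                         # which of a,b,c,d this step rewrites
                b, c, d = (a + 1) % 4, (a + 2) % 4, (a + 3) % 4
                s[a] = rol((s[a] + fn(s[b], s[c], s[d]) + X[order[i]] + k) & mask, shifts[i % 4])
        state = [(v + w) & mask for v, w in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). No salt, so one value per password, reusable as-is."""
    return md4(password.encode("utf-16le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, client_blob: bytes) -> bytes:
    """MS-NLMP NTLMv2: NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain in UTF-16LE);
    NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || client_blob).
    The only secret input is the hash, which is exactly what pass-the-hash exploits."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), "md5").digest()
    nt_proof = hmac.new(ntowf_v2, server_challenge + client_blob, "md5").digest()
    return nt_proof + client_blob


# Constructed scenario values (hypothetical user, domain, challenge and blob).
USER, DOMAIN = "jdoe", "CORP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")            # 8-byte challenge from the server
CLIENT_BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 24  # simplified NTLMv2 client blob
# The well-known NT hash of the string "password", i.e. what a memory dump would hand the attacker.
STOLEN_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def legitimate_client_response() -> bytes:
    """The real user: knows the password, derives the hash, answers the challenge."""
    return ntlmv2_response(nt_hash("password"), USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB)


def pass_the_hash_response() -> bytes:
    """The attacker: never learned the password, answers the same challenge from the hash alone."""
    return ntlmv2_response(STOLEN_NT_HASH, USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("responses identical:", legitimate_client_response() == pass_the_hash_response())
```

The server cannot tell the two responses apart, which is why this technique produces a normal 4624 logon event rather than a failure. The defensive lever is therefore not the protocol but the hash's exposure: keeping privileged credentials off workstations so there is nothing in LSASS memory worth dumping.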

Tools That Enable It

Attackers rely on a toolkit ecosystem to harvest credentials and pivot between systems. Mimikatz is the most well-known credential extraction tool. It pulls plaintext passwords, NT hashes, and Kerberos tickets from the memory of the Local Security Authority process (LSASS), giving the attacker material to authenticate as other users. Cobalt Strike, originally built as a commercial penetration-testing platform, is heavily abused by real-world threat actors. It packages lateral movement capabilities (pass the hash, remote service execution, tunneling traffic such as RDP through a compromised host) into a point-and-click interface.

Before moving laterally, attackers also run discovery tools to map the network. BloodHound, for example, graphs the relationships between users, groups, logon sessions, and machines in an Active Directory domain, automatically highlighting the shortest path from a compromised account to a high-value target such as the Domain Admins group. AdFind and PowerView serve a similar reconnaissance purpose, querying the directory for account details and group memberships. The combination of discovery tools and credential harvesters is what makes lateral movement so efficient: the graph tells the attacker where to go, and the harvester supplies the credentials to get there.
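The "shortest path to Domain Admins" query is just breadth-first search over a relationship graph. The added example below (written for this article; it is not BloodHound's code or data model) builds a small constructed domain with three of the edge types BloodHound also collects, finds the shortest path from an owned user to the Domain Admins group, labels each hop as escalation, movement or credential harvesting, and shows how removing one exposed session breaks the path. All names are hypothetical.

```python
"""Toy attack-path graph in the spirit of BloodHound (added example, not its code)."""
from collections import deque

# Constructed edges (source, relationship, target):
#   MemberOf   principal -> group it belongs to
#   AdminTo    principal -> computer it can log on to as an administrator
#   HasSession computer  -> user whose credentials are in memory on that computer
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("Helpdesk", "AdminTo", "WS02"),
    ("WS01", "HasSession", "dave"),
    ("dave", "MemberOf", "Marketing"),
    ("WS02", "HasSession", "bob"),
    ("bob", "MemberOf", "Server-Admins"),
    ("Server-Admins", "AdminTo", "SRV-FILE01"),
    ("SRV-FILE01", "HasSession", "carol"),
    ("carol", "MemberOf", "Domain Admins"),
    ("Domain Admins", "AdminTo", "DC01"),
]

# What each hop means to the attacker: MemberOf is privilege escalation (more rights),
# AdminTo is lateral movement (a new machine), HasSession is credential harvesting.
HOP_KIND = {"MemberOf": "escalate", "AdminTo": "move", "HasSession": "harvest"}


def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search from an owned principal to a target node.
    Returns one shortest path as a list of (src, relationship, dst) edges,
    or None when the target is unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while prev[node] is not None:
                parent, rel = prev[node]
                path.append((parent, rel, node))
                node = parent
            return path[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None


def reachable(graph, start):
    """Every node an attacker who owns `start` can eventually reach (the blast radius)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for _, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def describe(path):
    """Render a path with the attacker's action at each hop."""
    return "\n".join(f"{src} -[{rel}: {HOP_KIND[rel]}]-> {dst}" for src, rel, dst in path)


def without_node(edges, node):
    """Drop every edge touching `node`: models a fix such as ending bob's
    logon session on WS02 or removing a group's admin rights."""
    return [e for e in edges if node not in (e[0], e[2])]


if __name__ == "__main__":
    g = build_graph(EDGES)
    print(describe(shortest_path(g, "alice", "Domain Admins")))
    print("after removing bob's exposure:",
          shortest_path(build_graph(without_node(EDGES, "bob")), "alice", "Domain Admins"))
```

Read the labels down the path and the zigzag the article describes is visible: escalate, move, harvest, escalate, move, harvest, escalate. The same graph answers the defender's question too: cutting bob's session on a helpdesk-managed workstation leaves alice with no route at all.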

How Fast It Happens

Speed is one of the most striking aspects of modern lateral movement. Data from June through August 2025 puts the average breakout time, the window between initial access and the first lateral move, at 18 minutes. For comparison, the fastest breakout recorded in 2024 was 27 minutes, so the 2025 average is now quicker than the previous year's best case. One attack attributed to the Akira ransomware group completed lateral movement in just six minutes.

This matters because breakout time is essentially the window defenders have to detect and contain an intrusion before it spreads. Once an attacker is on multiple machines, containment becomes far harder: every additional compromised system is another host to clean up and another fallback position if one is discovered.

Lateral Movement vs. Privilege Escalation

These two concepts are closely related but distinct. Lateral movement is about geography within the network: moving from Machine A to Machine B. Privilege escalation is about authority: going from a standard user account to an administrator account. In practice they overlap constantly. An attacker might move laterally to a machine where an admin happens to be logged in, then extract that admin’s credentials (privilege escalation), then use those credentials to move laterally to a domain controller. Think of lateral movement as the horizontal axis and privilege escalation as the vertical axis. A successful attack typically zigzags between both.

How Defenders Detect It

Lateral movement is designed to blend in with legitimate network traffic, which makes detection challenging. Several approaches help:

Login pattern analysis is one of the most effective signals. A single account logging into dozens of machines within minutes, or a string of failed login attempts across multiple systems, is a strong indicator that credentials are being reused or tested. In Windows environments this means watching Security log events such as 4624 (successful logon, where the logon type separates network and RDP sessions from local ones), 4625 (failed logon), 4648 (logon with explicit credentials) and 4768/4769 (Kerberos ticket requests), and correlating them by account, source address and time rather than looking at any one event in isolation.
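The two patterns just described, one account fanning out to many hosts and one source failing against many hosts, are both sliding-window counts of distinct targets. The added example below (written for this article, not from any SIEM product) runs that logic over constructed log lines in a simplified rendering of Windows Security event fields. The event IDs and logon types are the real Windows values; the hosts, accounts, addresses and thresholds are constructed.

```python
"""Sliding-window logon analysis over constructed Windows Security events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log. Simplified field layout:
#   <UTC time> <EventID> <Account> <TargetHost> <SourceIP> <LogonType>
# EventID 4624 = successful logon, 4625 = failed logon.
# LogonType 3 = network (SMB, WinRM, PsExec), 10 = RemoteInteractive (RDP).
RAW_EVENTS = """\
2025-07-14T08:55:03Z 4624 CORP\\alice         WS-001 10.1.20.15 10
2025-07-14T09:00:12Z 4624 CORP\\svc_backup    WS-014 10.1.5.23  3
2025-07-14T09:00:41Z 4624 CORP\\svc_backup    WS-015 10.1.5.23  3
2025-07-14T09:01:07Z 4624 CORP\\svc_backup    WS-016 10.1.5.23  3
2025-07-14T09:02:30Z 4624 CORP\\svc_backup    WS-017 10.1.5.23  3
2025-07-14T09:03:15Z 4624 CORP\\svc_backup    WS-018 10.1.5.23  3
2025-07-14T09:04:50Z 4624 CORP\\svc_backup    DC-01  10.1.5.23  3
2025-07-14T09:06:02Z 4625 CORP\\Administrator WS-020 10.1.5.23  3
2025-07-14T09:06:09Z 4625 CORP\\Administrator WS-021 10.1.5.23  3
2025-07-14T09:06:15Z 4625 CORP\\Administrator WS-022 10.1.5.23  3
2025-07-14T09:06:22Z 4625 CORP\\Administrator WS-023 10.1.5.23  3
2025-07-14T09:10:44Z 4624 CORP\\alice         FS-01  10.1.20.15 3
"""


def parse_events(raw):
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, eid, account, host, src_ip, logon_type = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": int(eid), "account": account, "host": host,
            "src_ip": src_ip, "logon_type": int(logon_type),
        })
    return sorted(events, key=lambda e: e["ts"])


def sliding_window_alerts(events, group_key, distinct_key, threshold, window, alert_type):
    """Group events by group_key and fire once per group the first time the
    number of distinct distinct_key values inside `window` reaches `threshold`.
    Events that still fall within `window` of the alert's start extend it, so
    the alert lists every target touched, not just the first few."""
    groups = defaultdict(list)
    for e in events:
        groups[group_key(e)].append(e)
    alerts = []
    for key, evs in groups.items():
        win, alert = deque(), None
        for e in evs:
            win.append(e)
            while e["ts"] - win[0]["ts"] > window:
                win.popleft()
            seen = {distinct_key(w) for w in win}
            if alert is None:
                if len(seen) >= threshold:
                    alert = {"type": alert_type, "key": key, "start": win[0]["ts"],
                             "end": e["ts"], "targets": set(seen)}
                    alerts.append(alert)
            elif e["ts"] - alert["start"] <= window:
                alert["targets"] |= seen
                alert["end"] = e["ts"]
    for a in alerts:
        a["targets"] = sorted(a["targets"])
    return alerts


def detect_fan_out(events, min_hosts=5, window=timedelta(minutes=10)):
    """One account succeeding against many hosts over the network in a short
    window: credential reuse for pivoting."""
    net = [e for e in events if e["event_id"] == 4624 and e["logon_type"] in (3, 10)]
    return sliding_window_alerts(net, lambda e: e["account"], lambda e: e["host"],
                                 min_hosts, window, "fan_out")


def detect_spray(events, min_hosts=4, window=timedelta(minutes=5)):
    """One source failing against many hosts: credentials being tested."""
    failed = [e for e in events if e["event_id"] == 4625]
    return sliding_window_alerts(failed, lambda e: e["src_ip"], lambda e: e["host"],
                                 min_hosts, window, "spray")


def run(raw=RAW_EVENTS):
    events = parse_events(raw)
    return detect_fan_out(events) + detect_spray(events)


if __name__ == "__main__":
    for a in run():
        print(f"{a['type']:8} {a['key']:22} {a['start']:%H:%M:%S}-{a['end']:%H:%M:%S} "
              f"-> {', '.join(a['targets'])}")
```

Note what does not fire: alice's RDP session followed by a file-server logon fifteen minutes later is exactly the shape of normal work, while svc_backup authenticating to six machines in under five minutes and a single address failing against four hosts in twenty seconds both cross the thresholds. In production the thresholds belong in configuration and service accounts often need their own baselines, but the correlation logic is the same.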

Intrusion detection and prevention systems (IDS/IPS) flag anomalous internal traffic. A spike in alerts from these systems, particularly around protocols like SMB or RDP between machines that don't normally communicate, can reveal an active lateral movement campaign. Workstation-to-workstation SMB or RDP is the classic example: ordinary traffic flows from workstations to servers, so peers talking to each other over administrative protocols is worth a look on its own.

Endpoint detection and response (EDR) tools run on individual machines and watch for suspicious behavior in real time: a process reading the memory of LSASS to harvest credentials, a remote execution command arriving from an unusual source, or a new service being installed whose name or binary matches known attack tooling (PsExec, for example, installs a service called PSEXESVC on the target). EDR can automatically isolate a compromised endpoint from the network, buying time before the attacker spreads further.

Limiting Lateral Movement With Network Design

The most effective defense is making lateral movement structurally difficult rather than relying solely on detection. A 2024 guidance document from the National Security Agency outlines how Zero Trust architecture achieves this through segmentation at two levels.

Macro segmentation divides the network into broad zones based on business function. An employee in IT, for instance, has no network path to the accounting department's servers unless a policy explicitly grants one. These boundaries shrink the attack surface by ensuring that compromising one zone doesn't automatically grant access to another.

Micro segmentation goes further, breaking individual zones into smaller components with strict access policies governing how data flows between them. Even within the same department, a compromised workstation can’t freely reach every other workstation or server. Each connection requires explicit authorization based on identity, device health, and context.
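Taken together, the two levels amount to a default-deny rule set evaluated per connection, with identity and device health as inputs alongside the source and destination segments. The added example below (written for this article, not drawn from the NSA guidance it cites or from any product) models that: zones are the macro segments, roles within a zone are the micro segments, and a compromised finance workstation is shown to have a lateral-movement surface of exactly one host and port. All assets, groups and rules are constructed.

```python
"""Default-deny micro-segmentation policy evaluated per connection (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str   # macro segment: business function, e.g. "finance"
    role: str   # micro segment within the zone, e.g. "workstation"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_role: str
    dst_zone: str
    dst_role: str
    port: int
    allowed_groups: frozenset       # identity context: the caller must hold one of these
    require_compliant: bool = True  # device-health context


@dataclass(frozen=True)
class Request:
    src: Asset
    dst: Asset
    port: int
    user_groups: frozenset
    device_compliant: bool


# Constructed inventory (hypothetical host names).
ASSETS = {a.name: a for a in [
    Asset("FIN-WS-01", "finance", "workstation"),
    Asset("FIN-WS-02", "finance", "workstation"),
    Asset("FIN-FS-01", "finance", "file-server"),
    Asset("ACCT-DB-01", "accounting", "db-server"),
    Asset("IT-WS-07", "it", "workstation"),
    Asset("IT-JUMP-01", "it", "jump-host"),
]}

# Anything not listed is denied. Deliberately absent: any workstation-to-workstation
# rule (micro segmentation) and any IT-to-accounting rule (macro segmentation).
POLICY = [
    Rule("finance", "workstation", "finance", "file-server", 445, frozenset({"finance-users"})),
    Rule("it", "jump-host", "finance", "file-server", 3389, frozenset({"server-admins"})),
    Rule("it", "jump-host", "it", "workstation", 5985, frozenset({"helpdesk"})),
]


def evaluate(policy, req):
    """Return (allowed, reason). A connection passes only if some rule matches its
    source and destination segments and port AND the request satisfies that rule's
    identity and device-health requirements. No match means deny."""
    reasons = []
    for rule in policy:
        if (rule.src_zone, rule.src_role, rule.dst_zone, rule.dst_role, rule.port) != \
           (req.src.zone, req.src.role, req.dst.zone, req.dst.role, req.port):
            continue
        if not (req.user_groups & rule.allowed_groups):
            reasons.append("identity not in an allowed group")
            continue
        if rule.require_compliant and not req.device_compliant:
            reasons.append("device fails health check")
            continue
        return True, "allowed by explicit rule"
    return False, reasons[0] if reasons else "no matching rule (default deny)"


def lateral_surface(policy, assets, src, user_groups, device_compliant,
                    ports=(22, 445, 3389, 5985)):
    """Enumerate the (host, port) pairs a compromised `src` can still reach under the
    policy: the attacker's lateral-movement surface from that foothold."""
    return sorted(
        (a.name, p)
        for a in assets if a != src
        for p in ports
        if evaluate(policy, Request(src, a, p, user_groups, device_compliant))[0]
    )


if __name__ == "__main__":
    owned = ASSETS["FIN-WS-01"]
    print("compromised finance workstation can reach:",
          lateral_surface(POLICY, ASSETS.values(), owned, frozenset({"finance-users"}), True))
```

Contrast this with a flat network, where the same foothold could open SMB or RDP to every host in the inventory. Here the attacker on FIN-WS-01 can reach one file share and nothing else, cannot hop to the neighbouring workstation at all, and even a server administrator connecting from the jump host is refused when the device fails its health check.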

Beyond segmentation, regular patching closes the vulnerabilities attackers exploit to jump between machines, especially flaws in the remote services (SMB, RDP, WinRM) that lateral movement rides on. A robust patch management process prioritizes fixes by the severity of the vulnerability and the criticality of the affected system. Many lateral movement techniques rely on known, patchable flaws in those services, so keeping systems current eliminates some of the easiest paths attackers take.

Together, segmentation, strict access controls, continuous monitoring, and disciplined patching force an attacker to work harder and generate more detectable noise at every step, turning what might be an 18-minute sprint into a prolonged effort that defenders have a real chance of catching.