Lateral Movement

Overview

Lateral movement uses compromised credentials, hashes, or tokens to access additional systems in the network. After gaining initial access and harvesting credentials, lateral movement expands control — from a single workstation to file servers, database servers, domain controllers, and ultimately domain-wide compromise. The choice of technique depends on available credentials, network access, and detection considerations.

General Approach

  1. Identify targets — use enumeration data (shares, sessions, logged-on users) to find high-value targets
  2. Choose technique — match the technique to available credentials and detection posture
  3. Authenticate — use password, NTLM hash (pass-the-hash), or Kerberos ticket (pass-the-ticket)
  4. Execute — run commands, deploy tools, or establish persistent access
  5. Harvest — extract credentials from the new system and repeat
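The steps above are the attacker's view; the same sequence leaves a recognisable trail in Windows Security 4624 (successful logon) events on the destination hosts. The following added example (not part of the original page) runs two simple detections over a constructed set of such events: one account fanning out to many hosts within a short window, and a destination host later reappearing as the source host for the same account, which is the harvest-and-repeat loop of step 5. Host names, account names and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4624 (successful logon) events,
# reduced to the fields needed here. Logon type 3 is a network logon, which
# is what SMB, WMI or WinRM access to a remote host produces.
# Fields: timestamp, account, source host, destination host, logon type, auth package
RAW_EVENTS = [
    ("2024-05-01T09:00:00", "jdoe",       "WS01", "FS01",  3, "Kerberos"),
    ("2024-05-01T09:00:05", "svc_backup", "WS01", "FS01",  3, "NTLM"),
    ("2024-05-01T09:00:40", "svc_backup", "WS01", "DB01",  3, "NTLM"),
    ("2024-05-01T09:01:10", "svc_backup", "WS01", "APP01", 3, "NTLM"),
    ("2024-05-01T09:03:00", "svc_backup", "DB01", "DC01",  3, "NTLM"),
    ("2024-05-01T12:00:00", "jdoe",       "WS01", "FS01",  3, "Kerberos"),
]

def network_logons_by_account(raw):
    """Group logon type 3 events per account, sorted by time."""
    by_acct = defaultdict(list)
    for ts, acct, src, dst, ltype, pkg in raw:
        if ltype == 3:
            by_acct[acct].append((datetime.fromisoformat(ts), src, dst, pkg))
    for evs in by_acct.values():
        evs.sort()
    return by_acct

def fan_out(raw, window=timedelta(minutes=5), threshold=3):
    """Accounts that logged on to >= threshold distinct hosts inside one window:
    one credential being replayed against many systems."""
    hits = {}
    for acct, evs in network_logons_by_account(raw).items():
        for i, (t0, _, _, _) in enumerate(evs):
            hosts = {dst for t, _, dst, _ in evs[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                hits[acct] = max(hits.get(acct, 0), len(hosts))
    return hits

def hop_chains(raw):
    """Logons whose source host is one the same account reached earlier:
    the 'harvest on the new host and repeat' step made visible."""
    chains = []
    for acct, evs in network_logons_by_account(raw).items():
        reached = set()
        for _, src, dst, _ in evs:
            if src in reached:
                chains.append((acct, src, dst))
            reached.add(dst)
    return chains
```

In the sample, `svc_backup` reaches four hosts in under three minutes and then authenticates from DB01 to DC01 after having reached DB01, while the interactive user's two logons to the same file server raise nothing.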