loading
Loading content
loading
Lateral movement is the phase after the first foothold, where an attacker expands across a network instead of staying on the initial box. The first machine compromised is rarely the goal; it is a launch point toward domain controllers, databases, or the systems holding the data worth taking. Operators reuse harvested credentials, abuse Kerberos tickets, ride existing trust relationships, and lean on built-in admin tooling like WMI, PsExec, and remote PowerShell so the activity blends into normal traffic.
The phase matters to both sides. For attackers and red teams it converts one exploit into network-wide access. For defenders it offers a detection window: each hop generates authentication events and remote-execution artifacts that, correlated well, expose the movement before it reaches the crown jewels. Segmentation, credential hygiene, and least privilege all aim to make each hop harder.
Lateral movement runs alongside privilege escalation, since higher rights open more reachable hosts, and depends on network mapping to know where to go next. The hands-on technique of routing through a foothold is pivoting, and the full chain anchors most red teaming operations.
In a Trickest workflow the reconnaissance side supplies the host and service map that an operator uses to plan movement, while the execution stays an interactive, scoped engagement decision.
Related terms