Lateral movement
Definition
Attacker activity after initial compromise in which the threat actor traverses from one internal system to another, typically to escalate privileges, access valuable data, or establish persistence. Tracing lateral movement requires correlating authentication logs, network flows, and endpoint telemetry across multiple systems.
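The correlation the definition describes, as an added example that is not part of the original page: it joins constructed Windows-style network-logon events with constructed flow records so that each hop is corroborated by two independent sources, then walks the corroborated hops in time order from the initially compromised host to reconstruct the movement chain and the resulting blast radius. Host names, IP addresses, account names and the record layouts are made up for illustration; only the remote-administration port numbers are real.

```python
from datetime import datetime, timedelta

# Constructed host-to-address mapping (assumption: one address per host).
HOST_IP = {
    "WS01": "10.0.1.10", "WS02": "10.0.1.20", "WS05": "10.0.1.50",
    "SRV-FILE01": "10.0.2.10", "SRV-DB01": "10.0.2.20", "DC01": "10.0.2.5",
}

# Ports commonly used for remote administration: RPC, SMB, RDP, WinRM.
ADMIN_PORTS = {135, 445, 3389, 5985}

# Constructed network-logon events as a destination host's security log might
# record them: (timestamp, source host, destination host, account).
AUTH_EVENTS = [
    ("2024-05-01T08:50:00", "WS02", "SRV-DB01", "bob"),          # before WS02 was reached
    ("2024-05-01T09:00:05", "WS01", "WS02", "svc_backup"),
    ("2024-05-01T09:02:10", "WS02", "SRV-FILE01", "svc_backup"),
    ("2024-05-01T09:02:40", "WS02", "SRV-DB01", "svc_backup"),
    ("2024-05-01T09:03:00", "SRV-FILE01", "DC01", "svc_backup"),
    ("2024-05-01T09:30:00", "WS05", "SRV-FILE01", "alice"),      # no matching flow
]

# Constructed flow records (five-tuple minus source port):
# (timestamp, source IP, destination IP, destination port, protocol).
FLOWS = [
    ("2024-05-01T08:49:59", "10.0.1.20", "10.0.2.20", 445, "tcp"),
    ("2024-05-01T09:00:03", "10.0.1.10", "10.0.1.20", 445, "tcp"),
    ("2024-05-01T09:02:09", "10.0.1.20", "10.0.2.10", 445, "tcp"),
    ("2024-05-01T09:02:38", "10.0.1.20", "10.0.2.20", 5985, "tcp"),
    ("2024-05-01T09:02:58", "10.0.2.10", "10.0.2.5", 135, "tcp"),
    ("2024-05-01T09:10:00", "10.0.1.50", "10.0.2.10", 80, "tcp"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def corroborated_logons(auth_events, flows, window_seconds=60):
    """Keep only logons that a flow record independently confirms.

    A logon counts as corroborated when a flow from the source host's address to
    the destination host's address on a remote-administration port was seen within
    the time window. Returns (time, src, dst, account, port) tuples.
    """
    window = timedelta(seconds=window_seconds)
    hops = []
    for ts, src, dst, account in auth_events:
        t = parse(ts)
        pair = (HOST_IP.get(src), HOST_IP.get(dst))
        for fts, fsrc, fdst, port, _proto in flows:
            if (fsrc, fdst) == pair and port in ADMIN_PORTS \
                    and abs(parse(fts) - t) <= window:
                hops.append((t, src, dst, account, port))
                break  # one confirming flow is enough
    return hops


def movement_chain(hops, initial_host):
    """Walk corroborated hops in time order from the initial foothold.

    A hop is followed only if its source host had already been reached before the
    hop occurred, so earlier unrelated activity from the same host is excluded.
    Returns the ordered list of edges and the set of reached hosts (blast radius).
    """
    reached = {initial_host: None}  # host -> time it was first reached
    edges = []
    for t, src, dst, account, port in sorted(hops):
        if src not in reached or dst in reached:
            continue
        if reached[src] is not None and reached[src] > t:
            continue  # causality: hop predates the compromise of its source
        reached[dst] = t
        edges.append((src, dst, account, port))
    return edges, set(reached)


if __name__ == "__main__":
    hops = corroborated_logons(AUTH_EVENTS, FLOWS)
    edges, radius = movement_chain(hops, "WS01")
    for src, dst, account, port in edges:
        print(f"{src} -> {dst} as {account} via tcp/{port}")
    print("blast radius:", sorted(radius))
```

The two stages map onto two of the related terms: the first implements corroboration (an authentication record and a flow record are independent sources), and the second yields the blast radius. In practice the logon events would come from a SIEM query and the flows from a firewall or NetFlow collector, and the time window should be tuned to the clock skew between those sources.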
Related terms
- Living-off-the-land (LotL): An attack approach where the adversary uses tools and binaries already present on the target system, such as PowerShell, WMI, certutil, or...
- MITRE ATT&CK: A publicly available knowledge base of adversary tactics, techniques, and procedures derived from real-world intrusion observations. Maintained by the MITRE Corporation. Techniques...
- Anomaly-based IDS: An intrusion detection system that models normal traffic behaviour and alerts when observed traffic deviates significantly from that baseline. Detects novel attacks...
- Anti-forensic technique: Any action taken by an attacker to destroy, conceal, or alter evidence of their activity. Common examples include log clearing, timestomping, use...
- Blast radius: The full set of systems, accounts, and data that an attacker has accessed or could access given their current level of compromise....
- Corroboration: The practice of confirming an observed attacker action by finding evidence of the same action in at least two independent data sources,...
- Credential dumping: Extraction of authentication credentials from operating system memory, the Windows SAM database, Active Directory, or credential stores. Tools such as Mimikatz target...
- Credential stuffing: An automated attack that replays username-password pairs from previous data breaches against new target services, exploiting the widespread reuse of passwords across...
- Cyber Kill Chain: A seven-phase linear model of an intrusion developed by Lockheed Martin in 2011. The phases are: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command...
- Declaration threshold: The criteria defined in an organisation's IR plan that a suspected event must meet before it is formally declared a confirmed incident,...
- Dwell time: The period between an attacker gaining initial access and their detection. Reducing dwell time is a primary goal of threat hunting. The...
- Five-tuple: The five fields that uniquely identify a network flow: source IP address, source port, destination IP address, destination port, and transport protocol...
Explained in these topics
- Common Attack Techniques and Tactics, Techniques and Procedures: Techniques that allow an attacker to move from a compromised system to other systems on the same network. Examples include pass-the-hash, pass-the-ticket, remo...
- Firewall and Intrusion Detection Log Analysis: Attacker activity after initial access, in which the attacker moves from a compromised host to other internal systems. Visible in firewall logs as permit entri...
- Hacking and Unauthorised Access Offences: Activity in which an attacker moves from an initially compromised host to other systems within the same network, typically using valid credentials or exploitat...
- Scoping and Confirming an Incident: Attacker activity after initial compromise in which the threat actor traverses from one internal system to another, typically to escalate privileges, access va...
- The Cyber Attack Lifecycle: The phase in which an attacker who has gained an initial foothold moves through the network to reach higher-value systems. Techniques include pass-the-hash, pa...