Internal Network & Active Directory · intermediate · ~11 min
Explain how attackers move between hosts and why segmentation matters.
Lateral movement reuses credentials/hashes/tickets over legitimate admin channels (SMB, WinRM, RDP, WMI, pass-the-hash/ticket) to hop host-to-host toward a DC. Segmentation should contain it; testing reachability between subnets is a core internal deliverable.
Lateral movement is how one foothold becomes full compromise, and because it uses legitimate tools it evades signature detection. Segmentation and tiered admin are the structural defenses, and testing them is an explicit engagement goal.
Movement channels: SMB/PsExec, WinRM, RDP, WMI; pass-the-hash / pass-the-ticket.
Blends in: legitimate admin tools, so behavioural detection is needed.
Fuel: open shares, stored creds.
Segmentation: contain a breach across zones; test reachability.
Defenses: tiered admin, LAPS, host firewalls.
Lateral movement is using access on one host to reach another, repeating until you hit a high-value target (often a DC). It's how a single foothold becomes domain compromise.
With valid credentials, or with harvested hashes or tickets (pass-the-hash, pass-the-ticket), you authenticate to other machines over legitimate admin channels such as SMB/PsExec, WinRM, RDP and WMI.
Because these are legitimate admin tools, movement blends into normal traffic — which is why behavioural detection matters.
Open SMB shares, scripts with embedded passwords, and credential files harvested along the way fuel each hop.
A flat network lets one foothold reach everything. Network segmentation (VLANs, firewall rules between zones) should contain a breach. Testing it asks: from this subnet, what can I reach? Reporting which segments are reachable (and shouldn't be) is a core internal-engagement deliverable.
Defenses: tiered administration (admins can't log into low-trust hosts), LAPS, host firewalls, disabling unused remote protocols, and segmentation that assumes breach.
Lateral movement chains credential reuse over legitimate remote-admin protocols to escalate a foothold toward the domain; segmentation and tiered administration are the containment, and verifying cross-segment reachability is a key internal-engagement output.