What is lateral movement in cybersecurity?
Lateral movement is the set of techniques attackers use to navigate through a network after gaining initial access. Once inside, they pivot from system to system searching for valuable data, privileged accounts, and critical assets.
This tactic turns a single compromised endpoint into a full-scale breach. Attackers use lateral movement to remain undetected while expanding their reach, escalating privileges, and positioning themselves closer to high-value targets. Advanced persistent threats (APTs) rely heavily on lateral movement because it allows attackers to operate quietly over extended periods while mapping out the environment and identifying what matters most.
Lateral movement can involve a variety of methods, including:
Exploiting vulnerabilities: Taking advantage of security weaknesses on other systems within the network to gain unauthorized access.
Using legitimate credentials: Stealing or otherwise obtaining credentials of authorized users to access systems without raising alarms.
Pass-the-hash/token attacks: Using captured password hashes or authentication tokens to authenticate to other services without needing the plaintext password.
Installing backdoors: Creating secret entry points into systems and networks for continued access.
Common stages of lateral movement
Lateral movement isn't a one-and-done process. It typically involves three stages: reconnaissance, credential dumping or privilege escalation, and gaining access.
Reconnaissance
Attackers begin by mapping the environment to identify targets and weaknesses. During reconnaissance, threat actors inventory systems, discover network topology, and locate potential pivot points before making their next move.
Common reconnaissance techniques include:
Network scanning: Tools like Nmap and Nessus reveal active hosts, open ports, operating systems, and running services. This information helps attackers identify vulnerable systems and plan their movement path.
Social engineering: Phishing attacks and pretexting gather credentials, internal documentation, or information about organizational structure that attackers can exploit later.
Open-source intelligence: Web crawlers and social media analysis expose publicly available details about employees, technologies, and infrastructure that inform targeting decisions.
The goal is simple: gather enough information to plan the next steps without triggering alerts.
Credential dumping/privilege escalation
Privilege escalation gives attackers the permissions they need to access restricted systems and data. After mapping the environment, threat actors focus on obtaining credentials or exploiting vulnerabilities that grant elevated access.
Attackers commonly escalate privileges by stealing credentials through phishing attacks that trick users into entering passwords on fake login pages. They also exploit software vulnerabilities like buffer overflows or misconfigurations that allow them to execute code with higher permissions than intended.
Gaining access
With elevated privileges secured, attackers access their actual targets. They query databases for sensitive records, exfiltrate files, or install backdoors that maintain persistent access even if the original entry point is discovered.
At this stage, security teams should watch for warning signs: unexpected remote connections during off-hours, unexplained data transfers, and repeated access attempts to resources the compromised account doesn't normally touch. These patterns often indicate an attacker has moved beyond initial access and is actively operating within the environment.
By understanding the stages of lateral movement, we can better prepare defenses and respond more effectively when an attack occurs.
Lateral movement techniques
Cloud environments introduce lateral movement paths that don't exist in traditional networks. Attackers exploit cloud-native services, identity systems, and network configurations to pivot between resources without triggering conventional detection methods.
Exploiting remote services
Attackers often exploit remote services like Secure Shell (SSH) or Remote Desktop Protocol (RDP) to move laterally in the cloud. For example, if an attacker gains access to an EC2 instance in AWS, they could use SSH to connect to other instances in the same network. Once inside the VPC, they can also search for additional remote systems that can be exploited.
Abusing valid accounts
Attackers can also move laterally in the cloud by abusing valid accounts. If an attacker compromises a user's credentials, they could use those credentials to access cloud services that the user has permissions for.
Using worms
Worms are a kind of malware named for their ability to self-replicate and spread across a network without operator interaction. In the cloud, for example, a worm could move from one instance to another by exploiting vulnerabilities or weak security settings.
VPC peering
VPC peering forms a network bridge between two virtual private clouds (VPCs). The advantage of VPC peering is that users can route traffic via private IP addresses, but attackers exploit this connection to move laterally from one VPC to another.
Exploiting IaaS/PaaS databases
IaaS and PaaS databases are often used to store private and confidential information. When a threat actor gains access to these databases, they can extract sensitive data or even modify the data to cause disruption.
Exploiting vulnerabilities and misconfigurations
When looking for valuable assets, cybercriminals tend to target the most accessible or vulnerable resources within compromised virtual private clouds (VPCs). The perfect targets are usually vulnerable workloads, such as internal VMs that are accessible over the network, have critical RCE vulnerabilities, and lack stringent security-group rules.
These are only some of the common methods that threat actors may use for lateral movement in the cloud. There are more techniques, including carrying out lateral movement attacks from the cloud to Kubernetes. Understanding these techniques can help businesses develop effective strategies to pre-empt lateral movement.
Approximately 58% of cloud environments have at least one publicly exposed workload with a cleartext long-term cloud key stored in it, whereas about 35% of cloud environments feature at least one publicly exposed workload with a cleartext private SSH key.
Wiz Research Team
Internal spear phishing
Attackers use compromised cloud email and messaging accounts to send phishing messages that appear to come from trusted colleagues or executives. By hijacking legitimate accounts within platforms like Microsoft 365, Google Workspace, Slack, or Teams, they can bypass traditional email security measures and trick employees into clicking malicious links, downloading malware, or handing over credentials.
Since these messages originate from within the organization’s ecosystem, employees are more likely to trust and act on them. Once attackers gain additional access, they can escalate privileges, move laterally, and exfiltrate sensitive data, all while blending into normal communication channels.
How to detect lateral movement
Traditional perimeter defenses rarely catch lateral movement because attackers operate inside the network using legitimate credentials and tools. Detection requires monitoring internal behavior patterns and correlating signals across identity, network, and endpoint layers.
1. Map lateral movement paths
Attack path mapping reveals how an attacker could move from a compromised system to critical assets. By visualizing relationships between endpoints, privileged accounts, and high-value targets, security teams can identify the routes attackers are most likely to take.
Analyzing access logs and privilege escalation attempts shows how movement actually occurs in your environment. When you identify these paths early, you can cut off attacker access before they reach sensitive systems.
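As an added illustration of path mapping (example code written for this article, not Wiz's security graph or any product code), the following Python models an environment as a small directed graph and walks it from a compromised host. Hosts point at the credentials cached on them, credentials point at the hosts they can log in to, and hosts point at the data they serve. Every host, account and asset name below is constructed for the example; the second function shows which credentials are choke points, meaning that removing or rotating them cuts every route to the target.

```python
from collections import deque

# Constructed example graph (not from the page). An edge means "from this node an
# attacker can reach that node": host -> credential it caches, credential -> host it
# can log in to, host -> asset it serves.
EDGES = {
    "host:web-01": ["cred:svc-web"],            # initial foothold caches a service account
    "cred:svc-web": ["host:app-02"],            # that account can SSH to the app tier
    "host:app-02": ["cred:svc-deploy"],         # app tier holds a deployment key
    "cred:svc-deploy": ["host:app-02", "host:db-01"],
    "host:db-01": ["asset:customer-db"],
    "cred:admin-jane": ["host:db-01", "host:web-01"],
    "host:jump-01": ["cred:admin-jane"],
}


def shortest_paths(edges, start):
    """Breadth-first search from start; returns {node: shortest path from start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def lateral_paths_to_assets(edges, start):
    """Every 'asset:' node reachable from start, with the shortest chain that gets there."""
    return {n: p for n, p in shortest_paths(edges, start).items() if n.startswith("asset:")}


def choke_points(edges, start, target):
    """Credentials whose removal breaks every path from start to target.

    Each credential is pruned in turn and the search is re-run; if the target
    disappears, that credential is a choke point worth rotating or scoping down.
    """
    creds = {n for n in edges if n.startswith("cred:")}
    creds |= {m for vals in edges.values() for m in vals if m.startswith("cred:")}
    result = []
    for cred in sorted(creds):
        pruned = {k: [v for v in vals if v != cred] for k, vals in edges.items() if k != cred}
        if target not in shortest_paths(pruned, start):
            result.append(cred)
    return result


if __name__ == "__main__":
    for asset, path in lateral_paths_to_assets(EDGES, "host:web-01").items():
        print(asset, "<-", " -> ".join(path))
    print("choke points:", choke_points(EDGES, "host:web-01", "asset:customer-db"))
```

Run against real inventory, the edges would come from cached-credential findings, IAM policy evaluation and network reachability rather than a hand-written dictionary; the search itself does not change.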
2. Monitor unusual authentication activity
Tracking logins across multiple systems can uncover suspicious behavior, especially when access occurs from unexpected locations or outside normal working hours.
Excessive failed login attempts, particularly on privileged accounts, may signal credential stuffing or brute-force attacks. Detecting and investigating these anomalies can help stop attackers before they gain further access.
3. Correlate security logs for privilege escalation attempts
Investigating whether a compromised account or process is rapidly escalating privileges across multiple hosts can reveal active lateral movement.
Cross-referencing authentication logs with privilege escalation alerts helps determine if attackers are methodically increasing their control. This correlation allows security teams to detect unauthorized access early and take action to limit attacker reach.
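To make steps 2 and 3 concrete, here is an added Python example (written for this article, not taken from the page or from any Wiz product) that runs the four checks just described over a handful of constructed log lines: successful logins outside working hours, logins from a source address the account has never used, bursts of failed logins on a privileged account, and privilege-escalation alerts for one account on several hosts within a short window. The log format, the per-user source baseline and the 08:00 to 18:00 UTC working window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from the page). Two event kinds share one line format:
#   <ts> auth    user=<u> host=<h> src=<ip> result=success|fail
#   <ts> privesc user=<u> host=<h> alert=<what fired>
LOG = """\
2024-05-01T02:14:00Z auth user=jdoe host=db-01 src=10.0.5.9 result=success
2024-05-01T02:15:00Z privesc user=jdoe host=db-01 alert=sudo-to-root
2024-05-01T02:21:00Z privesc user=jdoe host=app-02 alert=token-impersonation
2024-05-01T09:02:00Z auth user=jdoe host=web-01 src=10.0.1.20 result=success
2024-05-01T11:00:00Z auth user=admin-ops host=jump-01 src=10.0.9.4 result=fail
2024-05-01T11:00:30Z auth user=admin-ops host=jump-01 src=10.0.9.4 result=fail
2024-05-01T11:01:00Z auth user=admin-ops host=jump-01 src=10.0.9.4 result=fail
2024-05-01T11:01:30Z auth user=admin-ops host=jump-01 src=10.0.9.4 result=fail
2024-05-01T11:02:00Z auth user=admin-ops host=jump-01 src=10.0.9.4 result=fail
2024-05-01T13:30:00Z auth user=admin-ops host=jump-01 src=10.0.9.4 result=success
2024-05-01T14:00:00Z privesc user=admin-ops host=jump-01 alert=sudo-to-root
"""
# Assumed baselines: source addresses each account normally logs in from, and
# which accounts count as privileged.
BASELINE_SOURCES = {"jdoe": {"10.0.1.20"}, "admin-ops": {"10.0.9.4"}}
PRIVILEGED = {"admin-ops"}

LINE_RE = re.compile(r"^(\S+) (auth|privesc) (.*)$")


def parse(log):
    """Turn log lines into time-sorted dicts; blank or malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append({"ts": ts, "kind": m.group(2), **fields})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, privileged, baseline, fail_threshold=5,
           window=timedelta(minutes=10), hours=(8, 18)):
    """Return (rule, user, detail) findings for the checks described in steps 2 and 3."""
    findings = []
    fails = defaultdict(list)      # user -> timestamps of failed logins
    privesc = defaultdict(list)    # user -> (timestamp, host) of escalation alerts
    for e in events:
        if e["kind"] == "auth":
            if e["result"] == "success":
                if not (hours[0] <= e["ts"].hour < hours[1]):
                    findings.append(("off-hours", e["user"], f"{e['host']} at {e['ts']:%H:%M}Z"))
                if e["src"] not in baseline.get(e["user"], set()):
                    findings.append(("new-source", e["user"], e["src"]))
            else:
                fails[e["user"]].append(e["ts"])
        else:
            privesc[e["user"]].append((e["ts"], e["host"]))
    # Sliding window over failed logins, privileged accounts only.
    for user in privileged:
        ts_list = fails.get(user, [])
        for i, t0 in enumerate(ts_list):
            n = sum(1 for t in ts_list[i:] if t - t0 <= window)
            if n >= fail_threshold:
                findings.append(("failed-burst", user, f"{n} failures within {window}"))
                break
    # Same account escalating on two or more hosts inside one window.
    for user, items in privesc.items():
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= 2:
                findings.append(("multi-host-privesc", user, ",".join(sorted(hosts))))
                break
    return findings


def run_sample():
    return detect(parse(LOG), PRIVILEGED, BASELINE_SOURCES)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:20} {user:10} {detail}")
```

The thresholds are deliberately loose so the sample trips every rule; in production the working-hours window and source baseline should be learned per account, and the failed-login threshold tuned against the normal rate of typos on that system.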
4. Detect abnormal remote execution activity
Monitor tools like PsExec, RDP, SSH, and WinRM for unexpected use. Attackers frequently exploit them to move laterally across systems. Pay close attention to remote execution on machines that do not typically use administrative access, as this could indicate an intrusion.
Flagging unauthorized remote script execution can help detect attacker activity before they establish deeper persistence.
5. Identify suspicious use of administrative tools
Unusual activity involving built-in admin tools like PowerShell, WMI, or remote command execution may indicate an attacker attempting to move laterally and escalate privileges in the network.
Malicious actors often run reconnaissance commands such as net view (to list network shares), whoami (to determine user permissions), ifconfig (to gather network interface details), and arp -a (to discover other devices on the network) to map out internal systems and identify valuable targets. If left undetected, this information can help attackers determine which accounts to compromise next. Proactively monitoring and blocking suspicious execution of these commands can disrupt an attack before it progresses further.
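Steps 4 and 5 both come down to inspecting process-creation telemetry, so one added Python example (written for this article, not code from the page or from Wiz) covers both: it flags remote-execution service or client processes starting on hosts that are not designated administrative machines, and it scores the reconnaissance command chain named above (net view, whoami, ifconfig or ipconfig, arp -a) per host and user inside a short window. The event records, host names and the set of "admin hosts" are constructed for the example; the process image names are the well-known ones for PsExec, WinRM, RDP and SSH.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Process image names associated with remote execution (PsExec client and service
# side, the WinRM host process, the RDP client, OpenSSH client).
REMOTE_EXEC_IMAGES = {"psexec.exe", "psexesvc.exe", "wsmprovhost.exe", "mstsc.exe", "ssh.exe"}
# Reconnaissance commands from the text; ipconfig added for Windows hosts.
RECON_COMMANDS = ("net view", "whoami", "ipconfig", "ifconfig", "arp -a")

# Constructed process-creation events (not from the page):
#   (timestamp, host, user, image, command line)
EVENTS = [
    ("2024-05-01T10:00:00Z", "fin-ws-17", "CORP\\alice", "cmd.exe", "whoami /all"),
    ("2024-05-01T10:00:20Z", "fin-ws-17", "CORP\\alice", "cmd.exe", "net view /domain"),
    ("2024-05-01T10:00:45Z", "fin-ws-17", "CORP\\alice", "cmd.exe", "arp -a"),
    ("2024-05-01T10:01:10Z", "fin-ws-17", "CORP\\alice", "cmd.exe", "ipconfig /all"),
    ("2024-05-01T10:05:00Z", "fin-ws-17", "NT AUTHORITY\\SYSTEM", "PSEXESVC.exe", "PSEXESVC.exe"),
    ("2024-05-01T10:30:00Z", "it-jump-01", "CORP\\ops-admin", "wsmprovhost.exe", "wsmprovhost.exe -Embedding"),
    ("2024-05-01T11:00:00Z", "hr-ws-03", "CORP\\bob", "cmd.exe", "whoami"),
]
ADMIN_HOSTS = {"it-jump-01"}   # assumed: the only machine where remote admin tooling is expected


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def recon_command(cmdline):
    """Return the matching reconnaissance command, or None. Case and spacing are normalised."""
    cmd = " ".join(cmdline.lower().split())
    for pattern in RECON_COMMANDS:
        if cmd == pattern or cmd.startswith(pattern + " "):
            return pattern
    return None


def detect_remote_exec(events, admin_hosts):
    """Remote-execution processes on hosts that are not expected to run them (step 4)."""
    return [(host, user, image) for _, host, user, image, _ in events
            if image.lower() in REMOTE_EXEC_IMAGES and host not in admin_hosts]


def detect_recon_chains(events, window_s=300, min_distinct=3):
    """Hosts/users running several distinct recon commands within window_s seconds (step 5).

    A single whoami is normal; three or more different recon commands in a few
    minutes from the same account on the same host is the pattern worth an alert.
    """
    by_key = defaultdict(list)
    for ts, host, user, _, cmdline in events:
        pattern = recon_command(cmdline)
        if pattern:
            by_key[(host, user)].append((_ts(ts), pattern))
    findings = []
    for (host, user), items in by_key.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            seen = {p for t, p in items[i:] if (t - t0).total_seconds() <= window_s}
            if len(seen) >= min_distinct:
                findings.append((host, user, tuple(sorted(seen))))
                break
    return findings


if __name__ == "__main__":
    print("remote exec on non-admin hosts:", detect_remote_exec(EVENTS, ADMIN_HOSTS))
    print("recon chains:", detect_recon_chains(EVENTS))
```

Matching on image name alone is a starting point; renamed binaries are caught better by hashing or signer checks, and the recon matcher should also look at the parent process, since the same commands launched by a scripted inventory job look very different from ones typed into a shell spawned by an office document.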
6. Analyze network traffic for unusual patterns
Unusual internal traffic between systems that do not typically communicate can be a red flag, as lateral movement often involves accessing previously unrelated hosts.
Network flow analysis can help detect anomalies, such as unexpected spikes in data transfers or beaconing behavior, where a compromised system periodically communicates with an attacker-controlled server. Identifying and investigating these irregularities early can prevent attackers from advancing deeper into the network.
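For the flow-analysis step, here is an added Python example (written for this article; not from the page and not Wiz's detection logic) that applies three checks to a set of constructed flow records: host pairs that never appear in the historical baseline, transfers far above the typical volume for a known pair, and beaconing, detected as a series of connections whose inter-arrival times are almost identical. The flow tuples, baseline volumes and the 203.0.113.0/24 destination (a documentation address range) are all made up for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow records (not from the page): (timestamp, src, dst, dst_port, bytes)
FLOWS = [
    ("2024-05-01T10:00:00Z", "web-01", "db-01", 5432, 1_800_000),
    ("2024-05-01T10:05:00Z", "web-01", "db-01", 5432, 2_100_000),
    ("2024-05-01T10:07:00Z", "web-01", "db-01", 5432, 950_000_000),   # bulk pull
    ("2024-05-01T10:09:00Z", "web-01", "hr-fs-02", 445, 40_000),       # pair never seen before
    ("2024-05-01T10:00:00Z", "app-02", "203.0.113.7", 443, 1_300),
    ("2024-05-01T10:01:01Z", "app-02", "203.0.113.7", 443, 1_250),
    ("2024-05-01T10:01:59Z", "app-02", "203.0.113.7", 443, 1_400),
    ("2024-05-01T10:03:00Z", "app-02", "203.0.113.7", 443, 1_300),
    ("2024-05-01T10:04:02Z", "app-02", "203.0.113.7", 443, 1_200),
    ("2024-05-01T10:04:58Z", "app-02", "203.0.113.7", 443, 1_350),
    ("2024-05-01T10:06:00Z", "app-02", "203.0.113.7", 443, 1_300),
    ("2024-05-01T10:07:01Z", "app-02", "203.0.113.7", 443, 1_280),
]
# Assumed baseline: known (src, dst, port) pairs and their typical bytes per flow.
BASELINE = {("web-01", "db-01", 5432): 2_000_000, ("app-02", "db-01", 5432): 1_500_000}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_pairs(flows, baseline):
    """(src, dst, port) triples that do not appear in the baseline at all."""
    return sorted({(s, d, p) for _, s, d, p, _ in flows if (s, d, p) not in baseline})


def volume_spikes(flows, baseline, factor=10):
    """Known pairs whose single-flow volume exceeds factor x the typical size."""
    return [(s, d, p, b) for _, s, d, p, b in flows
            if (s, d, p) in baseline and b > factor * baseline[(s, d, p)]]


def beacons(flows, min_count=6, max_cv=0.1):
    """Pairs contacted at near-constant intervals.

    The coefficient of variation (stddev / mean) of the gaps between connections
    is close to zero for a timer-driven beacon and much larger for human traffic.
    Returns [((src, dst, port), mean_interval_seconds)].
    """
    times = defaultdict(list)
    for ts, s, d, p, _ in flows:
        times[(s, d, p)].append(_ts(ts))
    found = []
    for key, ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            found.append((key, round(mean, 1)))
    return found


if __name__ == "__main__":
    print("new pairs:     ", new_pairs(FLOWS, BASELINE))
    print("volume spikes: ", volume_spikes(FLOWS, BASELINE))
    print("beacons:       ", beacons(FLOWS))
```

Real beacons often add random jitter, so the `max_cv` threshold has to be tuned and combined with other signals (fixed payload sizes, destinations with no business purpose) rather than used alone; a monitoring agent polling a legitimate endpoint every 60 seconds produces exactly the same timing pattern.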
7. Use deception techniques to trap attackers
Deploying honeypots, decoy credentials, or fake admin accounts can lure attackers attempting lateral movement, tricking them into revealing their tactics.
By monitoring interactions with these deceptive assets, security teams can detect unauthorized access attempts, gather intelligence on attacker behavior, and respond proactively. These traps serve as early warning systems and help defenders understand and mitigate evolving attack techniques.
Identify and stop lateral movement with Wiz
Detecting lateral movement requires visibility into the relationships between identities, permissions, network paths, and workload vulnerabilities. Without this context, security teams struggle to identify which systems an attacker could reach from any given entry point.
Wiz maps these relationships automatically by building a security graph that connects cloud resources, IAM permissions, and network exposure. This lets you see potential lateral movement paths before attackers can use them and prioritize the exposures that create the greatest risk.
When an incident occurs, Wiz correlates runtime signals with cloud context to trace how far an attacker could move and what assets are at risk. Get a demo to see how Wiz helps security teams identify and stop lateral movement across cloud environments.