Lateral movement is one of the most common attack tactics that attackers use once they're inside an organization. Leveraging lateral movement techniques allows attackers to move laterally across the organization, deepening their compromise. Common lateral movement techniques include Remote Desktop Protocol (RDP), remote COM object activation (DCOM), PowerShell Remoting, Remote Services & Scheduled Tasks, and Server Message Block (SMB) protocol. Due to the frequency that lateral movement occurs, Huntress’ EDR product found the need to create visibility into lateral movement techniques.
At Huntress, we don't believe in “chasing” every technique. We want to build defenses that positively impact our customers and give our SOC team the appropriate visibility to identify maliciousness, while keeping the noise to a minimum. To help with this, we implement a layered approach to both telemetry collection and detection capabilities. The implementation for lateral movement was no different. In this write-up, we explain how we're approaching lateral movement from a collection and a detection standpoint. First, let’s dive into how we built the feature.
Understanding how it works is the first step to stopping it.
How lateral movement works
Lateral movement doesn't happen in one dramatic move. It's methodical. Attackers follow a repeatable playbook, and knowing these stages is how you know where to look.
Initial access. The attacker is in. Maybe it was a phishing email, a stolen credential, or an unpatched vulnerability. Either way, they've landed on one machine or identity, and now they need to figure out what they've got.
Reconnaissance. Before moving anywhere, attackers map the network. They're looking for high-value targets—domain controllers, file servers, backup systems, anything that could accelerate their objective. This is quiet work. Lots of it looks like normal admin activity.
Credential theft. To move between systems, attackers need credentials. They'll pull them from memory using tools like Mimikatz, capture them with keyloggers, or abuse built-in Windows features that were never designed with attackers in mind. Once they have valid credentials, they can authenticate as a real user—and blend right in.
Objective. When they've reached what they came for—domain admin access, a critical server, a backup system—they execute. That might mean deploying ransomware, exfiltrating data, or both. By this point, if you haven't caught them, the damage is done.
The window between initial access and final objective can be hours, days, or weeks. Detection at any stage breaks the chain.
Common lateral movement techniques
Attackers aren't reinventing the wheel here. They're using the same techniques, the same tools, and the same protocols—because those techniques work. Here are the ones showing up most in the wild. Remote interaction with a host is very common within organizations. This is because administrators need to be able to access a resource remotely or manage a machine’s settings/updates/etc. Due to this need, there are default ways that make machines accessible by users, by which attackers like to take advantage.
Historically, insight into this activity has come by way of collecting information on the client side (where the code execution came from). This can be done by tracking processes that have a network connection or that create a network connection to some random IP/host. Due to false positives, we didn’t implement this approach, so we decided to break lateral movement into “action pillars”—essentially, pillars where different actions take place. Once we did that, we could identify where we wanted to collect telemetry and if that collection held value.
After some research, we decided that when lateral movement is performed, there are four main steps:
- Initial Code Execution (Source Machine)
- Transport (WinRM, DCOM (DCE/RPC), RDP)
- Remote Authentication (Remote Machine)
- Remote Code Execution (Remote Machine)
After organizing the data into these pillars, we saw significant value in focusing on remote authentication and remote execution, especially when combining both into a single event for our Detection Engineers and SOC analysts. Doing so allows us to:
- See who logged in to the remote machine
- See the logon type that was leveraged
- This helps us with false positives and identify what transport was used
- What was executed
- Track the user’s code execution
- Helps tune false positives (due to things like RMMs)
Let’s look at a lateral movement scenario and what the Huntress EDR would and wouldn’t collect:
Leveraging DCOM applications has always been an attacker's favorite when attempting lateral movement. Back in 2017, Matt Nelson wrote a great blog around leveraging the MMC20.Application COM Object for lateral movement. Let’s use this as an example of the visibility we'd have if this activity was triggered. But first, let’s build the scenario:
- There are two machines, where the client (Machine 1) doesn’t have the Huntress EDR installed, while the target machine (Machine 2) does.
- Attacker has valid credentials of a user (thor) that can access Machine 2.
- Attacker leverages the MMC20.Application COM object to laterally move and execute an encoded PowerShell command that reaches out to an IP to download a file.
In this scenario, we'd see:
- Attacker’s authentication to Machine 2
- The execution of the PowerShell encoded command and other process-based executions that are tied to that user’s authenticated logon session
The value of this approach is we can now track user code execution as they live in that logon session, not just the lateral movement attempt. Meaning that if an attacker is launching a bunch of processes, we would see them, whether it's the first process they launched or the tenth.
This is just one example of the insight we have now that we approach lateral movement this way. Here are some other noted examples:
- WMI Execution over DCOM
- WMI Execution over WinRM
- PowerShell Remoting
- DCOM Object Activation (ex. MMC COM Object)
- Process Execution over RDP
- Headless RDP Execution
When bringing these two pillars together, we noticed not only how prevalent lateral movement was happening in cases like ransomware, but how this telemetry actually allows us to see some initial access execution as well. This next section goes over some of the malicious activity we’ve seen since implementing this capability which has led to quicker classification and response.
Detection wins
With this new feature, we can leverage the following from the lateral movement data:
- Source IP Address
- Source Port
- Source Hostname
- Logon Type
- Logon Id
Authentication focus
We can zoom in on the authentication aspect of lateral movement to find process execution that can be more accurately classified as malicious due to the additional data. For example, processes executed via RDP logon from a Public IP address rather than a Private IP address.
Real-world scenario
Huntress observed an SQL Admin user executing malicious commands remotely on an SQL server. This activity comes from a host without the Huntress agent installed. Next, the threat actor was seen trying to enable RDP connections via the registry in order to log into the affected server via RDP.
Ransomware precursor focus
Next, we can target key ransomware precursors that are also often run by administrators and can be problematic to identify malicious use.
However, leveraging the new data, we can target the following activity being done remotely with better accuracy.
- Enumeration
- Killing security tooling processes
- Stopping/disabling core services (webservers, databases, hypervisors, etc.)
- Deleting shadow copies
- Clearing logs
Real-world scenario
A series of suspicious activities, likely precursors to a ransomware attack, were observed across at least two hosts (Host A and Host B). The activity centered around logins from the IP address associated with known malicious hostnames.
- Initial compromise indicators: Brute-forcing attempts were logged on Host A. Subsequently, a user logged into Host A from the suspicious IP/hostname.
- Malicious actions on Host A: The user then proceeded to delete shadow copies and dump sensitive system files (registry hives, ntds.dit) to a common staging directory (C:\Users\Public\Music).
- Lateral movement and activity on Host B: Multiple users were observed logging into Host B from the same (internal) IP address and associated hostnames over several weeks. One user was later seen running commands on Host B after the critical actions on Host A.
The observed pattern of activity—credential compromise, deletion of backups, and exfiltration/staging of sensitive data—strongly suggests an attacker preparing to deploy ransomware. Using logon data and other detections, Huntress identified and reported the malicious activity prior to execution of any ransomware.
Protocol abuse focus
Last, we honed in on the most common lateral movement techniques, which leverage transport methods such as WinRM, DCOM, and RDP. This allows us to find typical attacker tradecraft and tools that execute in this manner, which is not commonly used legitimately.
Hacking tools that are commonly used in the wild include the following.
- Impacket
- CrackMapExec
- NetExec
- GoExec
Real-world scenario
Huntress observed user SYSTEM executing malicious commands to dump the LSASS process to harvest credentials via rundll32.exe loading cmsvcs.dll. This activity stemmed from mmc.exe (Microsoft Management Console), which leverages DCOM as the transport protocol. This is common among tools like Impacket’s dcomexec.py Python class or NetExec’s mmcexec.py Python class.
How to prevent lateral movement
You can't prevent every breach. But you can make lateral movement significantly harder—and significantly more visible when it happens.
Implement least privilege and MFA
Users should only have access to what they need to do their job. That's it. When every account is a potential admin account, a single compromised credential can cascade into a full network takeover.
Pair least privilege with multi-factor authentication (MFA) on every account. Even if attackers steal a password hash, MFA adds a barrier they have to defeat separately. It doesn't make lateral movement impossible, but it slows the path and creates detection opportunities.
Network segmentation and protocol hardening
If every system in your environment can talk to every other system, a single compromised host can reach everything. Segmentation breaks that assumption.
Divide your network so that a breach in one segment can't automatically spread to another. Then harden the protocols attackers love to abuse: disable NT LAN Manager (NTLM) where possible, restrict RDP access to only the machines and users that need it, and remove default admin shares that give attackers a ready-made pivot path.
Deploy continuous monitoring
Prevention buys you time. Monitoring is what catches the things prevention misses.
Huntress Managed EDR monitors for lateral movement behaviors at multiple stages of the attack chain—credential theft attempts against Local Security Authority Subsystem Service (LSASS), reconnaissance activity, suspicious authentication patterns, and remote service abuse via DCOM, WinRM, and RDP. Our 24/7 SOC doesn't just look at individual alerts; they look at the full picture across your environment and tell you when something's wrong.
How EDR stops lateral movement
Traditional antivirus looks for known-bad files. Lateral movement doesn't use known-bad files—it uses your own network's tools against you. That's why AV misses it.
Huntress Managed EDR approaches lateral movement differently. Instead of looking at just the source of an action (where the code came from), we focus on what happens at the target—the remote authentication, the logon session, and every process that executes within it.
When an attacker authenticates to a remote machine and starts running commands, we see the authentication event, the logon type, and the execution chain that follows. We tie those together into a single, high-fidelity event. That's what lets our SOC analysts distinguish a sysadmin doing routine work from an attacker who just pivoted using stolen credentials.
Here's what that looks like in practice:
We've caught attackers dumping LSASS credentials via rundll32.exe loading comsvcs.dll—all triggered through an MMC COM object, the kind of activity tools like Impacket and NetExec use for DCOM-based lateral movement. We've caught SQL Admin accounts executing malicious commands remotely and then enabling RDP to persist access. We've caught ransomware precursors—shadow copy deletion, credential staging, log clearing—before a single payload deployed, because we saw the lateral movement leading up to it.
Theransomware playbook almost always includes lateral movement. Attackers need to spread before they can encrypt. Huntress catches them spreading.
We do this with a layered telemetry approach—collecting at the remote authentication and remote execution pillars, not just at the source. That keeps false positives low while giving our SOC analysts the context they need to call it fast.
How ITDR stops lateral movement
EDR watches what happens on the endpoint. ITDR watches what happens to the identity—because in modern lateral movement, identity is the new endpoint attackers weaponize.
When attackers move laterally, they're not breaking locks. They're using stolen keys. Valid credentials, legitimate authentication protocols, real logon sessions. From a pure endpoint perspective, that activity can look normal. ITDR is built to catch what that perspective misses.
Huntress Managed ITDR monitors identity behavior across your Microsoft 365, Entra ID, and Google Workspace identities tracking sign-in patterns, privilege use, and account activity in real time. When an account that never logs in at 2 a.m. suddenly authenticates to multiple cloud services in a few minutes, or a service account starts making interactive logins it was never meant to make, ITDR flags it. Not because a file looked bad. Because the identity stopped behaving like itself.
This matters most at the stages of lateral movement where credentials are the only artifact. Pass-the-hash often doesn’t leave behind a distinctive malicious binary on the endpoint. Credential stuffing against internal systems may never trip a traditional, file-based signature. But the authentication anomalies they produce, the unexpected privilege use, the unusual logon types—those show up in the identity layer, and that's exactly where ITDR is watching.
When ITDR and EDR are running together—and both are backed by a 24/7 AI-centric SOC, you get coverage at both layers: execution context at the endpoint and authentication context at the identity level. Attackers can abuse a protocol. They can't hide the identity doing it.
Conclusion
A single compromised endpoint isn't a disaster on its own. What turns it into one is lateral movement, the quiet, deliberate spread from that one machine to your most critical systems.
Stopping it requires more than a perimeter. It requires continuous behavioral monitoring, credential protection, and someone watching the authentication events that tell the real story of what's happening in your environment.
Huntress Managed EDR and Huntress Managed ITDR was built for exactly this. We detect lateral movement at every stage of the attack chain—before attackers reach your domain controller, your backups, or your customers' data. Our 24/7 SOC backs every detection with human analysis and a clear path to remediation.
Don't wait for the ransom note to find out you had a lateral movement problem.
FAQs
What is lateral movement in cybersecurity?
Lateral movement is a post-compromise tactic where attackers move horizontally across a network after gaining initial access. Instead of breaking in again, they use stolen credentials and legitimate protocols to navigate from their initial foothold to higher-value systems—domain controllers, backup servers, or any target that helps them achieve their objective.
How do attackers use pass-the-hash for lateral movement?
Pass-the-hash (PtH) lets attackers authenticate to remote systems using a stolen NTLM password hash instead of the actual plaintext password. Because Windows compares hashes during authentication—not raw passwords—a stolen hash grants the same access as the real credential. Attackers can use it to move between systems without ever cracking a single password.
What is the best way to detect lateral movement?
Behavioral detection is the most reliable approach. That means monitoring authentication anomalies (unusual login times, rapid cross-system logins, privilege escalation attempts), watching for credential dumping activity against LSASS, and tracking suspicious use of remote protocols like RDP, WinRM, and SMB. EDR tools that connect authentication events to process execution chains—like Huntress Managed EDR—give you the context to spot lateral movement before it reaches critical systems.
How can I prevent lateral movement attacks?
No single control prevents lateral movement entirely, but the combination that matters most is: least privilege access (limit what every account can reach), multi-factor authentication on privileged accounts, network segmentation to contain spread, and protocol hardening (disable NTLM where possible, restrict RDP). Layer continuous behavioral monitoring on top and you've gone from hoping you catch it to actually catching it.