AV-04 · Lateral movement after initial access

Once inside, attackers use shared credentials, weak segmentation, and poor monitoring to move across systems and escalate privileges.

$ action: Segment networks, reduce admin sprawl, monitor east-west traffic, and alert on abnormal authentication patterns.

1. Why Lateral Movement Matters

Initial access is often only the beginning. Many serious incidents become severe because attackers move from one compromised host to other systems, collect credentials, escalate privileges, and reach critical services.

Lateral movement succeeds when environments allow broad trust, shared admin credentials, flat network access, and weak internal visibility. Attackers benefit from any place where ‘normal operations’ create easy paths between systems.

Defenders should treat internal network traffic and internal authentication as high-value visibility areas. A perimeter-only mindset misses the most important movement after a compromise starts.

2. Common Weaknesses Attackers Exploit Internally

Shared local admin credentials, excessive service account privileges, unrestricted RDP/SMB/WinRM access, weak segmentation, and poor credential hygiene all create opportunities for movement between systems.

Lack of monitoring is another major issue. If east-west traffic is not observed and internal authentication anomalies are not alerted, attackers may move for long periods before detection.

Identity and network controls must work together. Segmentation without authentication monitoring can still miss abusive access, and identity alerts without path restrictions may trigger too late.

3. How Defenders Reduce Lateral Movement Risk

Segment networks by function and trust level. Limit which systems can talk to each other, especially for management protocols and administrative services. Validate those controls with testing, not assumptions.

Reduce admin sprawl using privileged access controls, role separation, just-in-time/admin workflows where possible, and stronger authentication for remote administration.

Monitor east-west traffic, internal service access, and abnormal authentication sequences. Build alerts that focus on behavior changes, privilege use, and unusual path combinations rather than single events alone.

detection-signals

$Unusual internal authentication patterns (new host-to-host admin logins, repeated failures then success).
$Unexpected east-west traffic for management protocols (SMB, RDP, WinRM, SSH, admin ports).
$Service account activity on systems outside normal scope or schedule.
$Privilege escalation or admin group changes following a suspected initial compromise.
$Multi-host access sequence from a single user/session in a short time window.

telemetry-sources

$Internal authentication logs (Windows event logs, Linux auth logs, IdP where applicable).
$East-west network telemetry (Zeek, Suricata, NetFlow, firewall internal segment logs).
$Endpoint telemetry and EDR/XDR alerts for credential use and remote admin activity.
$AD/identity logs and privilege change auditing.
$Network segmentation policy logs and change records for validation.

recommended-tools-and-guides

open Zeek Analyze internal protocol metadata and suspicious east-west connections at scale. open Suricata Detect suspicious internal traffic and admin protocol abuse patterns. open Wazuh Correlate host telemetry and auth events across systems during lateral movement triage. open BloodHound Understand identity and privilege relationships that can enable movement. open CrackMapExec Lab-only learning tool to understand what automated movement attempts look like and how to detect them.

lab-safe-detection-workflows

These commands are for learning, validation, and defensive triage in your own lab or authorized environment. Adapt to your tooling and log locations.

East-west traffic baseline and anomaly review

zeek -r internal-sample.pcap local
zeek-cut id.orig_h id.resp_h service proto < conn.log | head -n 40
tshark -r internal-sample.pcap -z conv,tcp -q

$ why: Use packet/metadata analysis to identify which internal hosts are communicating and whether admin protocols appear in unexpected paths.

Authentication and admin activity triage

journalctl --since "-2h" | grep -Ei "sudo|ssh|auth|winrm|rdp" | tail -n 100
grep -Ei "Accepted|Failed|sudo" /var/log/auth.log | tail -n 80 || true
printf "time,src,dst,account,protocol,event,next_action\n" > lateral-movement-triage.csv

$ why: Build a timeline of internal admin/auth events and map them to source/destination systems before containment decisions.

triage-questions

?Which host or account likely represents initial access, and what was the first internal move afterward?
?Are internal admin protocols reaching systems that should be segmented away?
?Is a service account or admin account being used outside normal paths/times?
?What east-west traffic and auth logs confirm (or disprove) lateral movement?
?What immediate containment step reduces movement: account disable, host isolation, segmentation block, or admin path restriction?

defender-actions.checklist

$Segment internal networks and restrict management protocol paths.
$Reduce shared credentials and broad admin access across systems.
$Monitor east-west traffic and internal authentication anomalies.
$Review service accounts and privilege assignments regularly.
$Practice post-compromise containment playbooks (account disable, host isolate, path block).

study-workflow

Learn what normal behavior looks like for this area (auth, exposure, config, or internal traffic).
Identify the logs and telemetry that should show the behavior.
Practice one safe validation in a lab or authorized environment.
Write a short playbook for detection, triage, and response.
Review the related tool guides under /learning/tools.

<- previous threat AV-03 · Vulnerability exploitation and misconfiguration abuse -> next threat AV-05 · Insider threat and privilege misuse