When most people imagine a cyberattack, they picture someone breaking in and immediately causing damage. The reality is far more patient. After gaining initial access — often through a phishing email or a compromised credential — attackers spend days quietly learning your environment before they ever do anything visible.
This phase is called lateral movement. It's the process of going from one compromised account or device to broader access across the environment. Understanding how it works is essential for knowing which defensive controls actually matter.
Why One Compromised Account Becomes Everyone's Problem
In a well-segmented network, a compromised user account has access to what that user is supposed to access and nothing more. In the typical small professional services firm, that's not the case. Network shares are often permissioned too broadly. Local admin credentials are reused across workstations. Domain admin accounts are used for routine tasks. These habits are normal — they make daily IT operations easier — but they create the pathways attackers use to spread.
// Credential Harvesting from Memory
Windows keeps authentication material in the memory of LSASS (the Local Security Authority Subsystem Service) to support seamless re-authentication. On older systems, or where protections are not configured, that material can be extracted from LSASS memory with freely available tools. A single interactive login by a domain admin on a compromised workstation can expose credentials that give the attacker full domain control. Handle requests against the LSASS process are therefore one of the artifacts defenders watch for; the excerpt below shows the kind of audit record that captures such a request.
Event ID 4656: A handle to an object was requested
Object Name: \Device\HarddiskVolume\Windows\System32\lsass.exe
Access: READ_PROCESS_MEMORY
// Pass-the-Hash and Pass-the-Ticket
Even when plaintext passwords can't be extracted, attackers can often reuse the hash of a password to authenticate to other systems without ever knowing the actual credential. This is called Pass-the-Hash (PtH). On Kerberos-based networks, a similar technique called Pass-the-Ticket allows attackers to use forged or stolen Kerberos tickets to authenticate as other users — including privileged service accounts.
// SMB Lateral Movement
Once an attacker has a valid credential or hash, they can use SMB (the Windows file sharing protocol) to connect to other machines on the network and execute code remotely. Tools like PsExec, WMI, and built-in Windows administration features make this trivial. If your workstations can reach each other over SMB, an attacker with any set of credentials can hop between them systematically.
// Active Directory Enumeration
Active Directory is essentially a map of your entire organization — every user, group, computer, permission, and trust relationship. Any domain user can query most of this by default. Attackers spend significant time enumerating AD to find service accounts with excessive privileges, misconfigured delegation settings, or paths to domain admin access through group membership chains.
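The membership-chain analysis attackers perform is also the audit a defender should run first. As an added example (not the article's or Black Tower Cyber's tooling), the Python below expands nested group membership outward from a privileged group and reports every user who reaches it, together with the chain that grants access, so that an unexpected principal such as a service account or a help-desk group nested inside Domain Admins stands out. The directory is a constructed toy dictionary standing in for the result of an LDAP query of each group's member attribute; every group and user name in it is invented.

```python
"""Audit of nested group membership paths into a privileged group.

Added example for this article, not Black Tower Cyber tooling. SAMPLE_DIRECTORY
is a constructed toy mapping each group to its direct members, where a member
may be a user or another group. Real data would come from an LDAP query of the
'member' attribute; that query is not shown here.
"""
from collections import deque

# Constructed sample directory: group -> direct members (users or nested groups).
SAMPLE_DIRECTORY = {
    "Domain Admins": ["da-alice", "Tier0-Ops"],
    "Tier0-Ops": ["Infra-Automation"],
    "Infra-Automation": ["svc-backup", "Helpdesk"],
    "Helpdesk": ["carol", "dave"],
    "Finance": ["erin"],
}


def effective_members(directory, group):
    """Return {user: path} for every user reachable from `group` through nesting.

    Breadth-first search over the membership graph; the recorded path is the
    (shortest) chain of groups that grants the user the group's privileges.
    The `seen` set makes circular nesting (A contains B contains A) safe.
    """
    result = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in directory.get(current, []):
            if member in directory:            # nested group: descend once
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            elif member not in result:         # user principal: first path wins
                result[member] = path + [member]
    return result


def unexpected_privileged_users(directory, group, expected):
    """Users who effectively belong to `group` but are not on the expected list."""
    return {user: path for user, path in effective_members(directory, group).items()
            if user not in expected}


if __name__ == "__main__":
    # Only da-alice is supposed to be a domain admin in this constructed tenant.
    for user, path in unexpected_privileged_users(SAMPLE_DIRECTORY, "Domain Admins",
                                                  {"da-alice"}).items():
        print(f"{user}: {' -> '.join(path)}")
```

Run against a real export, the `expected` set is the short list of accounts that are supposed to hold the role; everything else the function returns is either a misconfiguration to fix or a path an attacker would find by the same enumeration.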
Controls That Actually Interrupt Lateral Movement
- Privileged Access Workstations (PAW) — domain admin actions should only be performed from hardened, dedicated workstations that don't browse the web or receive email
- Local Administrator Password Solution (LAPS) — randomizes local admin passwords across workstations, eliminating the reuse problem that makes Pass-the-Hash so effective
- Credential Guard — a Windows feature that uses virtualization-based security to isolate the secrets LSASS holds, making credential extraction significantly harder
- SMB signing enforcement — prevents relay attacks where credentials are intercepted in transit between machines
- Tiered administration model — separates domain admin, server admin, and workstation admin accounts so that a compromised workstation credential can't escalate to domain control
- EDR with behavioral detection — endpoint detection tools that watch for lateral movement patterns (LSASS access, unusual SMB connections, PsExec-like behavior) rather than relying on signature-based AV
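As an added example (not Black Tower Cyber code or output), the Python below turns three of the patterns above into detection rules run over constructed event lines: a memory-read handle to lsass.exe from an unexpected process (the harvesting described under Credential Harvesting from Memory), a PsExec-style service installation (the SMB Lateral Movement section), and a domain admin logging on interactively to a workstation, which is the tiering violation the PAW and tiered administration controls exist to prevent. The record shapes are loosely modelled on Sysmon Event 10 (ProcessAccess), Security Event 4624 (logon) and System Event 7045 (service installed), but the flat key=value format, the allowlist, the tier assignments, and every host, account and path are constructed assumptions.

```python
"""Lateral-movement detection rules run over constructed Windows-style event lines.

Added example for this article, not Black Tower Cyber tooling or output. Record
shapes are loosely modelled on Sysmon Event 10 (ProcessAccess), Security 4624
(logon) and System 7045 (service installed); field names are simplified and every
sample value, host, account and path below is constructed for illustration.
"""

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Assumed allowlist of processes that legitimately open LSASS with read access.
LSASS_READERS_OK = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Windows\System32\svchost.exe",
}

# Assumed tiering model: Tier 0 = domain control, Tier 1 = servers, Tier 2 = workstations.
# A PAW is classed as Tier 0, so domain admin logons there are expected.
ACCOUNT_TIER = {r"CORP\da-alice": 0, r"CORP\srvadmin-bob": 1, r"CORP\carol": 2}
HOST_TIER = {"DC01": 0, "PAW-01": 0, "FS01": 1, "WS-042": 2, "WS-017": 2}

INTERACTIVE_LOGON_TYPES = {"2", "10"}  # Interactive and RemoteInteractive (RDP)


def parse_event(line):
    """Parse a 'key=value;key=value' line into a dict (constructed flat format)."""
    return dict(part.split("=", 1) for part in line.split(";"))


def check_lsass_access(ev):
    """Rule 1: memory-read handle to lsass.exe from a process outside the allowlist."""
    if ev.get("EventID") != "10" or not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    granted = int(ev["GrantedAccess"], 16)
    if granted & PROCESS_VM_READ and ev["SourceImage"] not in LSASS_READERS_OK:
        return (f"[{ev['Computer']}] LSASS memory read by unexpected process "
                f"{ev['SourceImage']} (GrantedAccess {ev['GrantedAccess']})")
    return None


def check_tiering(ev):
    """Rule 2: a higher-tier account logging on interactively to a lower-tier host,
    which leaves that account's credentials in the lower-tier host's LSASS."""
    if ev.get("EventID") != "4624" or ev.get("LogonType") not in INTERACTIVE_LOGON_TYPES:
        return None
    account = f"{ev.get('TargetDomainName')}\\{ev.get('TargetUserName')}"
    account_tier, host_tier = ACCOUNT_TIER.get(account), HOST_TIER.get(ev.get("Computer"))
    if account_tier is None or host_tier is None:
        return None  # unknown principal or host: out of scope for this rule
    if account_tier < host_tier:
        return (f"[{ev['Computer']}] Tier-{account_tier} account {account} logged on "
                f"interactively to Tier-{host_tier} host")
    return None


def check_remote_service(ev):
    """Rule 3: PsExec-style execution, visible as a newly installed service whose
    binary is PSEXESVC or lives on a network share."""
    if ev.get("EventID") != "7045":
        return None
    image = ev.get("ImagePath", "")
    if "psexesvc" in image.lower() or image.startswith("\\\\"):
        return f"[{ev['Computer']}] remote service install: {ev['ServiceName']} -> {image}"
    return None


RULES = (check_lsass_access, check_tiering, check_remote_service)


def detect(lines):
    """Run every rule over every line; return the list of alert strings in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        alerts.extend(a for a in (rule(ev) for rule in RULES) if a)
    return alerts


# Constructed sample log: three benign records interleaved with three that should alert.
SAMPLE_LOG = [
    r"EventID=10;Computer=WS-042;SourceImage=C:\Program Files\Agent\monitor.exe;"
    r"TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1000",
    r"EventID=10;Computer=WS-042;SourceImage=C:\Users\carol\AppData\Local\Temp\upd.exe;"
    r"TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010",
    r"EventID=4624;Computer=PAW-01;TargetDomainName=CORP;TargetUserName=da-alice;LogonType=2",
    r"EventID=4624;Computer=WS-042;TargetDomainName=CORP;TargetUserName=da-alice;LogonType=10",
    r"EventID=4624;Computer=FS01;TargetDomainName=CORP;TargetUserName=carol;LogonType=3",
    r"EventID=7045;Computer=FS01;ServiceName=PSEXESVC;ImagePath=%SystemRoot%\PSEXESVC.exe",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The access-mask test is the part of the LSASS rule that keeps it usable: PROCESS_VM_READ (0x10) is what reading another process's memory requires, while 0x1000 (query limited information) is routine and would otherwise bury the rule in noise. The tiering rule deliberately ignores principals and hosts it cannot classify rather than guessing; in practice ACCOUNT_TIER would be derived from group membership and HOST_TIER from OU placement, and a PAW logon by a domain admin produces no alert because both sides are Tier 0.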
Most small professional services firms have none of these controls in place. Not because of negligence — because no one ever told them these risks existed. Standard IT support focuses on uptime and help desk tickets, not adversary simulation. The gap between "our IT guy keeps the computers running" and "we have controls that would stop a real attacker" is enormous, and most firms don't know it's there until an incident forces the conversation.
What a DFIR Investigation Surfaces
When we respond to an incident, lateral movement artifacts are often the most telling part of the investigation. Event logs, prefetch files, Windows registry hives, and network flow data paint a detailed picture of exactly where the attacker went, what they accessed, and when. This forensic reconstruction is what separates a genuine incident response from a wipe-and-rebuild that leaves the door open for the next attack.
Understanding how an attacker moved through your environment is also the foundation of the remediation plan. Without it, you're rebuilding in the dark.
Need help validating your environment? Book a consultation and Black Tower Cyber can review your exposure, identity controls, and incident readiness before attackers find the gap first.