This chapter covers lateral movement techniques used by attackers to navigate a network after initial compromise. Understanding these methods is critical for the SY0-701 exam, specifically under Objective 2.4: 'Given a scenario, analyze indicators of malicious activity.' You must be able to recognize signs of lateral movement and recommend mitigations. We'll dissect the most common techniques attackers use, including pass-the-hash, pass-the-ticket, SMB exploitation, and remote service abuse.
Imagine a bank heist where the thieves first breach a single teller station (initial compromise). They don't just grab the cash there and run; they need to reach the main vault (high-value assets). To get there, they must move through the bank's corridors, unlock security doors, and avoid guards. Each step from one teller station to another, or from a back office to a manager's desk, is lateral movement. The thieves use stolen keys (pass-the-hash) from one room to unlock the next, or they might impersonate a security guard (pass-the-ticket) to gain access. They may also use a maintenance tunnel (SMB or PsExec) to hop between rooms without setting off alarms. The bank's security system (network segmentation, least privilege) tries to limit these moves by ensuring that keys from one room don't unlock another, and by monitoring unusual door openings (anomaly detection). If the thieves can't move laterally, they are contained at the initial teller station and eventually caught. In cybersecurity, lateral movement is how attackers expand their foothold, and defenders must break that chain.
What is Lateral Movement?
Lateral movement is the set of techniques attackers use to move from an initial compromised host to other systems within the same network. After gaining a foothold (e.g., via phishing or exploiting a vulnerability), the attacker's goal is to escalate privileges and reach high-value targets (e.g., domain controllers, databases). Lateral movement falls under Actions on Objectives in the Cyber Kill Chain and is its own tactic in the MITRE ATT&CK framework (TA0008, Lateral Movement). For SY0-701, you must understand how these techniques work, what logs they generate, and how to detect or prevent them.
How Lateral Movement Works Mechanically
Attackers typically use one or more of the following methods:
- Pass-the-Hash (PtH): Authenticating with the NT hash instead of the plaintext password. When an attacker obtains a user's NT hash (from LSASS memory, the SAM hive or NTDS.dit), tools like Mimikatz inject it into a logon session; NTLM challenge-response completes with the hash alone, so any host that accepts NTLM from that account is reachable. The hash is not cracked; it is used directly.
- Pass-the-Ticket (PtT): In Kerberos environments, attackers steal Ticket Granting Tickets (TGTs) or service tickets from a compromised host and inject them into their own session, authenticating to services without knowing the password. Tools like Mimikatz can extract tickets from LSASS memory.
- Overpass-the-Hash (Pass-the-Key): Using the NT hash (or an AES key) as the Kerberos pre-authentication key to request a TGT. This turns a stolen hash into a Kerberos ticket, so it works even where NTLM authentication has been disabled.
- Remote Service Abuse: Using legitimate remote administration tools like PsExec, WinRM, WMI, or scheduled tasks to execute commands on remote systems. Attackers run these tools with stolen credentials or tokens, which makes the activity look like routine administration.
- SMB Exploitation: Using the SMB (Server Message Block) protocol to reach file shares and the administrative shares (C$, ADMIN$). PsExec-style execution rides on SMB to copy and start a service binary; SMB relay and unpatched SMB services (e.g., SMBv1) fall here as well.
- RDP Hijacking: Reconnecting to another user's existing RDP session (with tscon.exe run as SYSTEM) without that user's credentials.
Key Components and Variants
NTLM Hash: Also called the NT hash; the unsalted MD4 digest of the user's UTF-16LE password, stored in the SAM database (local accounts) or NTDS.dit (domain accounts) and cached in LSASS memory for logged-on users. Because there is no salt and NTLM challenge-response needs only the hash, it is password-equivalent. Used by PtH.
Kerberos Tickets: TGT and Service Tickets are cached in LSASS memory. PtT uses these tickets.
LSASS (Local Security Authority Subsystem Service): A Windows process that handles authentication. It stores credentials (hashes, tickets) in memory.
Mimikatz: A well-known tool for extracting credentials from Windows memory. It can perform PtH, PtT, and Overpass-the-Hash.
PsExec: A Sysinternals tool that allows remote command execution via SMB. Often abused by attackers.
WMI (Windows Management Instrumentation): Can execute commands remotely via wmic or PowerShell.
WinRM (Windows Remote Management): Uses HTTP (TCP 5985) or HTTPS (TCP 5986) for remote management and underpins PowerShell Remoting (Enter-PSSession, Invoke-Command). Often abused with stolen credentials because the traffic looks like routine administration.
How Attackers Exploit These Techniques
Attackers typically follow this process:
1. Initial Compromise: Gain access to a low-privilege workstation via phishing or an exploit.
2. Credential Dumping: Use Mimikatz or similar to extract hashes and tickets from LSASS memory (this needs local admin or SYSTEM on that host, so a local privilege escalation usually comes first).
3. Reconnaissance: Use built-in tools (net, nltest, etc.) to identify other systems, privileged users and where they are logged on.
4. Lateral Movement: Use PtH, PtT, or remote service abuse to move to other systems, repeating credential dumping on each new host.
5. Privilege Escalation: If needed, escalate to Domain Admin. Once an account with replication rights is in hand, DCSync pulls every account hash, including krbtgt, from a domain controller.
6. Persistence: Install backdoors or create new accounts.
Real command examples:
Mimikatz PtH: sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:HASH
PsExec: psexec \\target -u corp\admin -p password cmd
WMI: wmic /node:target /user:corp\admin process call create "cmd.exe"
How Defenders Deploy Countermeasures
Enable Credential Guard: Virtualization-based security protects LSASS from credential dumping.
Restrict NTLM: Disable NTLM where possible (audit first with the "Network security: Restrict NTLM" policies, then block); use Kerberos only. Caveat: a stolen NT hash can still be turned into a Kerberos TGT by overpass-the-hash as long as RC4-HMAC is allowed, so pair this with AES-only Kerberos and put privileged accounts in the Protected Users group, which refuses NTLM and RC4 for its members.
Least Privilege: Limit local admin rights; use LAPS (Local Administrator Password Solution) to manage local admin passwords.
Network Segmentation: Isolate sensitive systems; restrict SMB (TCP 445) and RDP (TCP 3389) so that workstations cannot reach each other directly, using host firewalls as well as network ACLs, and route administrative access to servers through jump hosts.
Logging and Monitoring: Enable Windows Event Logs (e.g., Event ID 4624 for logon, 4625 for failed logon, 4672 for special privileges, 4688 for process creation with command-line auditing turned on, 4776 for NTLM validation on the domain controller, 4768/4769 for Kerberos ticket requests). Use a SIEM to detect anomalous authentication patterns, such as one workstation authenticating to many servers within minutes.
EDR Solutions: Endpoint Detection and Response tools can detect Mimikatz usage or unusual remote execution.
Harden SMB: Disable SMBv1, enforce SMB signing.
Standards and CVEs
CVE-2021-1678: NTLM relay attack vulnerability.
CVE-2019-0708 (BlueKeep): RDP vulnerability that could enable lateral movement.
RFC 4120: Kerberos protocol definition.
MITRE ATT&CK T1550: Use Alternate Authentication Material (T1550.002 Pass the Hash, T1550.003 Pass the Ticket). The remote-execution tools map to T1021 Remote Services (RDP, SMB/Windows Admin Shares, WinRM), all under tactic TA0008.
Initial Compromise and Reconnaissance
The attacker gains initial access to a host, e.g., via a phishing email that installs a backdoor. They then perform reconnaissance using built-in commands like `net view`, `nltest /domain_trusts`, or `PowerShell Get-ADComputer`. They identify other systems, domain controllers, and user accounts. Logs: Event ID 4688 for process creation (e.g., net.exe), 5156 for network connections. The attacker maps the network to find high-value targets.
Credential Dumping with Mimikatz
The attacker elevates privileges to SYSTEM or Administrator on the compromised host. They then run Mimikatz commands like `privilege::debug` and `sekurlsa::logonpasswords` to extract NTLM hashes and Kerberos tickets from LSASS memory. This dumps credentials of every user with a logon session on that host, which is why an admin who logged on to a workstation "just to fix something" is a prime target. Logs: Event ID 4688 for mimikatz.exe (the binary is trivially renamed, so do not rely on the name), 4656 for a handle to lsass.exe if object access auditing is enabled, and Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe, which is the usual detection. EDR may flag the use of known Mimikatz signatures.
Pass-the-Hash Execution
Using the stolen NTLM hash of a Domain Admin, the attacker performs PtH. They use Mimikatz: `sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:HASH`. This starts a new cmd.exe whose network credentials are replaced with the hash (a "new credentials" logon, type 9; locally the process still runs as the attacker). From that shell they reach remote systems over SMB, e.g., `dir \\DC\C$`. Logs: on the source host, Event ID 4624 with LogonType 9 and Logon Process "seclogo" is a strong indicator of sekurlsa::pth; on each target, Event ID 4624 with LogonType 3 (network) and authentication package NTLM; and Event ID 4776 on the domain controller that validated the credential. The logon is non-interactive.
Remote Command Execution via PsExec
With the injected credentials, the attacker uses PsExec to run commands on the domain controller: `psexec \\DC -s cmd.exe`. PsExec copies PSEXESVC.exe to the ADMIN$ share, registers it as a service and starts it; the `-s` switch makes the spawned shell run as SYSTEM. This gives the attacker a command shell on the DC. Logs: Event ID 4688 for PsExec.exe on the source, 7045 for service creation (service name PSEXESVC) on the target, 5145 for network share access (ADMIN$, with PSEXESVC.exe as the relative target name). The service creation is the key indicator; attackers who rename the service still leave the 7045 and the ADMIN$ write.
Persistence and Data Exfiltration
On the domain controller, the attacker may dump every account hash with `lsadump::dcsync` in Mimikatz (which asks the DC to replicate as a peer DC would, so it needs the DS-Replication-Get-Changes-All right) or forge a golden ticket with the krbtgt hash obtained that way. They install persistence mechanisms like scheduled tasks or services. Finally, they exfiltrate data via encrypted channels. Logs: Event ID 4662 for directory service access whose Properties include the replication extended right GUID {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2} from an account that is not a domain controller, 5136 for directory service changes, 4698 for scheduled task creation and 7045 for new services. The attacker's goal is to maintain access and steal sensitive data.
Scenario 1: SOC Analyst Detecting Pass-the-Hash
A SOC analyst notices multiple failed logon attempts (Event ID 4625) from a single workstation to several servers, followed by successful logons (Event ID 4624) with LogonType 3 using NTLM. The source workstation is a known compromised host from a previous phishing incident. The analyst uses a SIEM to correlate these events with a recent Mimikatz detection on that workstation (EDR alert). The correct response is to isolate the workstation, reset the compromised account's password, and initiate incident response. A common mistake is to ignore the failed logons as normal user errors without correlating with the credential dump alert.
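The correlations described in the PsExec walkthrough, the DCSync step and Scenario 1 above, written out as an added example (not code from the original page): four toy SIEM-style rules run over constructed Windows event records. Field names follow the EventData names of the real events (4624/4625/5145/4662 in the Security log, 7045 in the System log), but every host, address, timestamp and the domain-controller inventory is made up for this example.

```python
"""Toy SIEM-style correlation rules for lateral-movement indicators.
Added example: the records below are constructed, not real log exports."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extended-right GUIDs DCSync needs (DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All); they appear in the Properties field of 4662.
DCSYNC_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcf2",
                "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # assumed DC inventory for this example

# Field names mirror the EventData names of the real events; values are made up.
EVENTS = [
    # WS01: sekurlsa::pth -> local 4624, logon type 9, logon process "seclogo"
    {"t": "2024-05-01T10:00:00", "host": "WS01", "id": 4624, "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "administrator", "IpAddress": "::1"},
    # Fan-out from WS01 (10.0.0.15): one failure, then NTLM network logons to four servers
    {"t": "2024-05-01T10:00:05", "host": "FS01", "id": 4625, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "administrator", "IpAddress": "10.0.0.15"},
    {"t": "2024-05-01T10:00:06", "host": "FS01", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "administrator", "IpAddress": "10.0.0.15"},
    {"t": "2024-05-01T10:00:40", "host": "SQL01", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "administrator", "IpAddress": "10.0.0.15"},
    {"t": "2024-05-01T10:01:10", "host": "APP01", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "administrator", "IpAddress": "10.0.0.15"},
    {"t": "2024-05-01T10:01:30", "host": "DC01", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "administrator", "IpAddress": "10.0.0.15"},
    # DC01: PsExec writes PSEXESVC.exe to ADMIN$ and registers it as a service
    {"t": "2024-05-01T10:01:31", "host": "DC01", "id": 5145, "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "IpAddress": "10.0.0.15"},
    {"t": "2024-05-01T10:01:32", "host": "DC01", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # DC01: replication rights exercised by a non-DC account (lsadump::dcsync)
    {"t": "2024-05-01T10:02:00", "host": "DC01", "id": 4662, "SubjectUserName": "administrator",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
    # Benign noise: a Kerberos network logon, and DC02 replicating with DC01
    {"t": "2024-05-01T10:02:10", "host": "FS01", "id": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "jsmith", "IpAddress": "10.0.0.22"},
    {"t": "2024-05-01T10:02:20", "host": "DC01", "id": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcf2}"},
]

def pth_source_logons(events):
    """Rule 1: logon type 9 (NewCredentials) via the 'seclogo' logon process,
    which is what sekurlsa::pth leaves on the host where it runs."""
    return [(e["host"], e["TargetUserName"]) for e in events
            if e["id"] == 4624 and e.get("LogonType") == 9
            and e.get("LogonProcessName", "").lower() == "seclogo"]

def ntlm_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Rule 2: one source address completing NTLM network logons (4624, type 3)
    to at least min_hosts distinct hosts within a sliding window; 4625 failures
    from the same source inside that window are counted as context."""
    by_src = defaultdict(list)
    for e in events:
        if (e["id"] in (4624, 4625) and e.get("LogonType") == 3
                and e.get("AuthenticationPackageName") == "NTLM"):
            by_src[e["IpAddress"]].append((datetime.fromisoformat(e["t"]), e))
    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        for i, (t0, _) in enumerate(recs):
            in_win = [e for t, e in recs[i:] if t - t0 <= window]
            hosts = {e["host"] for e in in_win if e["id"] == 4624}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "hosts": sorted(hosts),
                               "failed": sum(1 for e in in_win if e["id"] == 4625)})
                break  # one alert per source is enough
    return alerts

def psexec_service_install(events):
    """Rule 3: PSEXESVC service creation (System 7045) joined with the ADMIN$
    write of PSEXESVC.exe (Security 5145) on the same host to get the source."""
    hits = []
    for e in events:
        if e["id"] == 7045 and "psexesvc" in (e.get("ServiceName", "") + e.get("ImagePath", "")).lower():
            writers = {w["IpAddress"] for w in events
                       if w["id"] == 5145 and w["host"] == e["host"]
                       and w.get("ShareName", "").upper().endswith("ADMIN$")
                       and w.get("RelativeTargetName", "").lower() == "psexesvc.exe"}
            hits.append({"host": e["host"], "from": sorted(writers)})
    return hits

def dcsync_requests(events, dcs=DOMAIN_CONTROLLERS):
    """Rule 4: 4662 carrying a replication extended right where the requester
    is not a domain controller's machine account."""
    dc_names = {d.upper() for d in dcs}
    return [(e["host"], e["SubjectUserName"]) for e in events
            if e["id"] == 4662
            and any(g in e.get("Properties", "").lower() for g in DCSYNC_GUIDS)
            and not (e["SubjectUserName"].endswith("$")
                     and e["SubjectUserName"][:-1].upper() in dc_names)]

if __name__ == "__main__":
    for rule in (pth_source_logons, ntlm_fanout, psexec_service_install, dcsync_requests):
        print(rule.__name__, rule(EVENTS))
```

Rule 2 is the one that needs tuning in a real estate: a backup server or vulnerability scanner legitimately fans out NTLM logons, so the source-address allowlist and the min_hosts threshold are where false positives are managed. Rules 1, 3 and 4 are close to binary indicators and are worth alerting on individually.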
Scenario 2: Blue Team Detecting Overpass-the-Hash
An engineer monitors Kerberos events on the domain controllers and sees Event ID 4768 (TGT request) for a user account whose workstation was just compromised. The request comes from that workstation's address, but the Ticket Encryption Type is 0x17 (RC4-HMAC) even though the domain normally issues AES (0x12) tickets. Because the RC4 Kerberos key is the NT hash itself, an RC4 TGT request from a host known to have run Mimikatz is the signature of overpass-the-hash. The engineer confirms with Microsoft Defender for Identity, which raises an encryption-downgrade alert for this pattern. The correct response is to isolate the workstation, reset the user's password, and hunt for use of the tickets already issued, which stay valid until they expire. A common mistake is to assume the TGT request is legitimate because the user is valid, missing the context of the compromised host and the unusual encryption type.
Scenario 3: Incident Responder Tracking Lateral Movement with RDP Hijacking
During an incident, responders find that an attacker used tscon.exe to hijack an existing RDP session. They see Event ID 4778 (session reconnected) and 4779 (session disconnected) on a server. The attacker, already running as SYSTEM on that server, used tscon.exe to attach another user's disconnected session to their own console; no token theft or password is needed because SYSTEM may reconnect any session. The responder uses Sysmon process-creation events and sees tscon.exe spawned by cmd.exe under the SYSTEM account. The correct response is to terminate the attacker's session and the hijacked one, reset the affected user's credentials, and set Group Policy to log off (not merely disconnect) idle and disconnected RDP sessions after a short time limit. A common mistake is to overlook tscon.exe as a legitimate administrative tool and not investigate the context of its execution.
Exactly What SY0-701 Tests
Objective 2.4 requires you to analyze indicators of malicious activity, including lateral movement. You must recognize specific techniques like pass-the-hash, pass-the-ticket, and remote service abuse. The exam will present scenarios with logs or event descriptions and ask you to identify the technique or the best mitigation.
Common Wrong Answers and Why
'Brute force attack' – Chosen when seeing multiple failed logons. But failed logons can also be from PtH attempts where the hash is invalid. The key is that PtH uses a single hash, not multiple password guesses.
'Privilege escalation' – Confused with lateral movement. Privilege escalation is gaining higher privileges on the same system; lateral movement is moving to another system.
'Man-in-the-middle attack' – Chosen when seeing network traffic anomalies. But lateral movement techniques often use legitimate protocols like SMB or RDP, not interception.
'Pass-the-ticket' – Chosen when seeing Kerberos logons. But PtT requires stolen tickets; normal Kerberos usage is not malicious.
Specific Terms and Acronyms
PtH: Pass-the-Hash
PtT: Pass-the-Ticket
LSASS: Local Security Authority Subsystem Service
NTLM: NT LAN Manager
TGT: Ticket Granting Ticket
SMB: Server Message Block (port 445)
WMI: Windows Management Instrumentation
PsExec: Microsoft Sysinternals tool
Common Trick Questions
A question might describe an attacker using a hash to authenticate to a remote system. Some candidates confuse this with 'cracking the hash' – but PtH uses the hash directly without cracking.
Another trick: 'attacker uses a stolen Kerberos ticket' – candidates might think this is 'Kerberos poisoning' or 'golden ticket', but the technique is pass-the-ticket.
Decision Rule for Eliminating Wrong Answers
On scenario questions, first identify whether the attacker is moving to a new system (lateral movement) or escalating on the same system (privilege escalation). If moving to a new system, look for authentication method: if it's NTLM hash, it's PtH; if Kerberos ticket, it's PtT; if remote execution tool like PsExec, it's remote service abuse. Eliminate options that describe local privilege escalation or network sniffing.
Lateral movement is the process of moving from one compromised host to another within a network.
Pass-the-Hash (PtH) uses NTLM hashes without cracking; tools like Mimikatz extract hashes from LSASS.
Pass-the-Ticket (PtT) uses stolen Kerberos tickets; also extracted from LSASS via Mimikatz.
Remote service abuse includes PsExec, WMI, WinRM, and scheduled tasks for remote execution.
Enable Credential Guard to protect LSASS from credential dumping in Windows 10/11 and Server 2016+.
Monitor Event ID 4624 for network logons (LogonType 3) and Event ID 4688 for suspicious process creation.
Network segmentation and least privilege are key preventive controls against lateral movement.
SMB signing and disabling SMBv1 help prevent relay and exploitation attacks.
Lateral movement falls under Actions on Objectives in the Cyber Kill Chain and is its own tactic, TA0008, in MITRE ATT&CK.
EDR solutions can detect known lateral movement tools like Mimikatz and PsExec.
These come up on the exam all the time. Here's how to tell them apart.
Pass-the-Hash (PtH)
Uses NTLM hash directly
Works against systems accepting NTLM authentication
Stolen from LSASS or SAM
Commonly used in Windows environments
Can be mitigated by disabling NTLM (though the same hash still works for overpass-the-hash unless RC4 Kerberos is disabled too)
Pass-the-Ticket (PtT)
Uses Kerberos tickets (TGT or Service Ticket)
Works against systems using Kerberos authentication
Stolen from LSASS memory
Commonly used in Active Directory environments
Can be limited by short ticket lifetimes (10-hour TGT by default), Credential Guard keeping the TGT in isolated LSA, and monitoring for tickets used from hosts other than the one that requested them
Mistake
Pass-the-hash requires cracking the hash to recover the plaintext password.
Correct
Pass-the-hash uses the hash directly for authentication; no cracking is needed. The NTLM hash is used as a credential to authenticate to remote systems.
Mistake
Pass-the-ticket only works if the attacker has the user's password.
Correct
Pass-the-ticket uses stolen Kerberos tickets from LSASS memory, not the password. The attacker can use the ticket without knowing the password.
Mistake
Lateral movement only occurs over SMB protocol.
Correct
Lateral movement can occur over multiple protocols: SMB, RDP, WMI, WinRM, SSH, and even HTTP/HTTPS for web shells.
Mistake
Enabling Credential Guard completely prevents all lateral movement.
Correct
Credential Guard protects LSASS from credential dumping, but it does not prevent all lateral movement. Attackers can still use other methods like token theft or exploiting remote services with stolen credentials from other sources.
Mistake
Lateral movement always requires administrative privileges.
Correct
While many techniques require admin rights (PsExec, WMI and remote service creation all need local admin on the target), some lateral movement works as a standard user: RDP or WinRM to hosts where the user belongs to Remote Desktop Users or Remote Management Users, reading file shares the user is allowed to reach, or exploiting an unpatched remote service.
Pass-the-hash (PtH) uses NTLM hashes to authenticate to remote systems, while pass-the-ticket (PtT) uses Kerberos tickets. PtH works against systems that accept NTLM, whereas PtT works in Kerberos environments. Both are extracted from LSASS memory using tools like Mimikatz. On the exam, if the scenario mentions NTLM hash, it's PtH; if it mentions Kerberos tickets, it's PtT.
Credential Guard uses virtualization-based security to isolate LSASS, preventing tools like Mimikatz from reading its memory. This stops credential dumping, which is often the first step in lateral movement. However, it does not protect against other techniques like token theft or using credentials from other sources. For SY0-701, remember that Credential Guard is a mitigation for credential dumping.
Key logs include Event ID 4624 (logon) with LogonType 3 (network) and authentication package NTLM on the targets, Event ID 4776 on the domain controller that validated the NTLM credential, and, on the source host, Event ID 4624 with LogonType 9 and Logon Process seclogo, which is what Mimikatz sekurlsa::pth produces. Event ID 4672 (special privileges assigned) may follow if the account has admin rights. Failed logons (Event ID 4625) may precede successful ones. Additionally, process creation (Event ID 4688) for tools like mimikatz.exe or psexec.exe can be indicators, keeping in mind that binaries are easily renamed.
Yes, network monitoring can detect lateral movement through unusual SMB connections, RDP traffic, or remote execution protocols. For example, a workstation initiating multiple SMB connections to many servers is suspicious. Tools like Zeek (Bro) can log SMB sessions. However, many lateral movement techniques use legitimate protocols, so behavioral analysis is needed.
The best mitigations include: 1) Disable NTLM where possible and use Kerberos only. 2) Enable Credential Guard to protect LSASS. 3) Use Local Administrator Password Solution (LAPS) to randomize local admin passwords. 4) Implement least privilege – limit the number of users with admin rights. 5) Monitor for PtH indicators and use EDR to detect credential dumping.
PsExec is a legitimate Sysinternals tool that allows remote command execution. Attackers use it by copying a service binary to the admin$ share on a remote system and then starting it as a service. This gives them a command shell. It uses SMB and requires admin credentials. Logs show service creation (Event ID 7045) and network share access (Event ID 5145).
Overpass-the-hash (also called pass-the-key) is a technique where the attacker uses an NTLM hash (or an AES key) as the Kerberos key to request a TGT. This converts the hash into a Kerberos ticket, allowing the attacker to authenticate using Kerberos, and it is often used when NTLM is disabled. Mimikatz performs it with the same `sekurlsa::pth` command: the injected hash (or a key given with `/aes256:`) becomes the Kerberos key of the new session, and the first Kerberos authentication from that shell obtains a TGT. Because the RC4-HMAC key is the NT hash itself, a hash-based request shows RC4 encryption in the DC's Event ID 4768, which is how defenders spot it in an AES domain.