**Lateral movement** is the process attackers use to move from one compromised system to another inside a network in order to reach higher-value targets.

## Core idea

Lateral movement is **not a single step**; it is a **repeating cycle**:

1. Gain access to a machine
2. Extract credentials or privileges
3. Move to another machine
4. Repeat until the objective is reached

This cycle continues until the attacker reaches a system that provides access to their final goal.

## Why lateral movement is necessary

Initial access rarely provides:

* Direct access to sensitive systems
* High privileges
* Freedom to move across the network

Attackers must move laterally to:

* Bypass network restrictions
* Reach better-positioned hosts
* Blend in with normal user behavior
* Reduce detection risk

## Lateral movement vs linear thinking

Many models describe attacks as linear ("step 1 → step 2"), but in reality:

* Attackers **loop** through movement, escalation, and credential reuse
* Progress is incremental and adaptive

## Stealth perspective

Lateral movement is not just about access — it’s also about **plausibility**.

Accessing a sensitive system from a machine that *normally* interacts with it is:

* Less suspicious
* More consistent with user behavior
* Harder to detect through logs alone

## Example mental model

A low-privilege workstation may be:

* A poor place to reach sensitive resources
* A stepping stone to a better-positioned machine

Attackers move **toward contextually appropriate systems**, not just privileged ones.
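The "stealth perspective" and "example mental model" sections together make a detection point: the final hop into a sensitive system can look entirely normal on its own, so a defender has to reason about the chain rather than the single event. The following is an added example, not code from the page, showing one way to do that from logon logs: build a baseline of which source host normally talks to which destination, flag first-seen pairs, and then look for follow-on hops that originate from the newly reached host within a short window. The log format (`timestamp src_host dst_host user`), the host names, the clean three-day baseline period and the one-hour window are all constructed assumptions for the example.

```python
"""
Added example: baseline-based detection of an unusual hop followed by a
"plausible" hop. Log format, host names and time windows are constructed.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src dst user")

# Constructed sample logon records: days 1-3 are treated as a clean baseline,
# day 4 is the period under review. On day 4, WS-BOB reaches ADMIN-JUMP (a pair
# never seen before) and, shortly after, ADMIN-JUMP reaches DB-SRV, which is a
# pair that ADMIN-JUMP touches every day and therefore looks normal by itself.
SAMPLE_LOG = """\
2024-05-01T09:00:00 WS-ALICE FILE-SRV alice
2024-05-01T09:05:00 WS-BOB FILE-SRV bob
2024-05-01T10:00:00 ADMIN-JUMP DB-SRV dbadmin
2024-05-02T09:01:00 WS-ALICE FILE-SRV alice
2024-05-02T10:10:00 ADMIN-JUMP DB-SRV dbadmin
2024-05-03T09:02:00 WS-BOB FILE-SRV bob
2024-05-03T10:05:00 ADMIN-JUMP DB-SRV dbadmin
2024-05-04T11:00:00 WS-BOB FILE-SRV bob
2024-05-04T11:20:00 WS-BOB ADMIN-JUMP bob
2024-05-04T11:35:00 ADMIN-JUMP DB-SRV dbadmin
"""


def parse_events(text):
    """Parse 'timestamp src dst user' lines into Event tuples (assumed format)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, user = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, user))
    return events


def build_baseline(events, cutoff):
    """The set of (src, dst) pairs seen before the cutoff: the 'normal' access graph."""
    return {(e.src, e.dst) for e in events if e.ts < cutoff}


def new_edges(events, baseline, cutoff):
    """Events at or after the cutoff whose (src, dst) pair was never seen in the baseline."""
    return [e for e in events if e.ts >= cutoff and (e.src, e.dst) not in baseline]


def follow_on_hops(events, flagged, window):
    """For each first-seen hop, find later logons that originate from its destination
    within `window`. The second hop may be a baseline pair (the 'plausible' access the
    page describes); chaining it to the anomalous first hop is what surfaces it."""
    chains = []
    for f in flagged:
        for e in events:
            if e.src == f.dst and f.ts < e.ts <= f.ts + window:
                chains.append((f.src, f.dst, e.dst))
    return chains


def analyze(log_text=SAMPLE_LOG, cutoff=datetime(2024, 5, 4), window=timedelta(hours=1)):
    """Run the whole pipeline and return the findings as plain data."""
    events = parse_events(log_text)
    baseline = build_baseline(events, cutoff)
    flagged = new_edges(events, baseline, cutoff)
    return {
        "baseline": sorted(baseline),
        "new_edges": [(e.src, e.dst, e.user) for e in flagged],
        "chains": follow_on_hops(events, flagged, window),
    }


if __name__ == "__main__":
    result = analyze()
    for src, dst, user in result["new_edges"]:
        print(f"first-seen pair: {src} -> {dst} (user {user})")
    for chain in result["chains"]:
        print("possible lateral chain: " + " -> ".join(chain))
```

Note what the two checks each miss on their own: the pair check flags `WS-BOB -> ADMIN-JUMP` but says nothing about `ADMIN-JUMP -> DB-SRV`, because that pair is in the baseline; only the chain check connects the anomalous hop to the sensitive destination. In a real environment the baseline would be built from authentication logs (for example Windows logon events or SSH auth logs) over a longer period, and the window and pair granularity (host-only versus host-plus-account) would be tuned to the environment.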