Stage 05

Lateral movement helps attackers expand access and reach high-value systems.

This page explains why attackers pivot between hosts, what they hope to find, and how defenders can detect unusual authentication and administrative patterns.

Lateral movement overview

Expanding control inside the network

Once attackers gain control of one system, they often move through the network to reach additional machines. The purpose of lateral movement is to locate valuable resources such as domain controllers, databases, and internal applications.

Attackers may use stolen credentials, shared administrative accounts, or trust relationships between systems to pivot through the environment.

Lateral movement objectives and signals

Find more access and more value

After initial compromise, one machine is rarely enough. Lateral movement increases reach and often brings the attacker closer to the systems that matter most.

Figure: lateral movement from a compromised workstation to a file server, database, and domain controller using stolen credentials and trust relationships.

Watch for abnormal movement patterns

Defenders attempt to detect lateral movement by monitoring unusual authentication patterns, unexpected connections between systems, and abnormal administrative behavior that deviates from a normal baseline.

Figure: dashboard-style view of unusual logons, remote administration events, east-west traffic spikes, and suspicious host-to-host relationships.
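The detection approach described above, as an added example that is not part of the original page: it reads a small set of constructed authentication records (modelled loosely on Windows logon event 4624 with logon types 3 and 10), compares each remote logon against a constructed baseline of known account/source/target paths, and flags any account that reaches an unusual number of distinct hosts inside a short window. The field layout, host names, account names and thresholds are all assumptions for illustration.

```python
"""Baseline-deviation checks for lateral movement signals (added example).

The log format, baseline and thresholds below are constructed for
illustration; a real deployment would feed this from a SIEM or log pipeline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: normal remote-logon paths observed during a
# hypothetical learning period, as (account, source_host, target_host).
BASELINE_PATHS = {
    ("alice", "WS-ALICE", "FS01"),
    ("alice", "WS-ALICE", "MAIL01"),
    ("bob", "WS-BOB", "FS01"),
    ("svc_backup", "BACKUP01", "FS01"),
    ("svc_backup", "BACKUP01", "DB01"),
    ("admin_jo", "JUMP01", "DC01"),
}

# Constructed sample log lines, one event per line:
# timestamp event_id logon_type account source_host target_host
SAMPLE_LOG = """\
2024-05-01T09:00:12 4624 3 alice WS-ALICE FS01
2024-05-01T09:03:40 4624 3 bob WS-BOB FS01
2024-05-01T09:05:01 4624 10 admin_jo JUMP01 DC01
2024-05-01T13:10:02 4624 3 alice WS-ALICE WS-BOB
2024-05-01T13:10:45 4624 3 alice WS-ALICE FS01
2024-05-01T13:11:30 4624 3 alice WS-ALICE DB01
2024-05-01T13:12:05 4624 10 alice WS-ALICE DC01
2024-05-01T13:12:50 4624 3 alice WS-ALICE BACKUP01
"""

NETWORK_LOGON_TYPES = {"3", "10"}   # 3 = network, 10 = RemoteInteractive (RDP)
FAN_OUT_WINDOW = timedelta(minutes=10)
FAN_OUT_THRESHOLD = 4               # distinct targets per account in the window


def parse_log(text):
    """Parse the simplified log into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, event_id, logon_type, account, src, dst = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "src": src,
            "dst": dst,
        })
    return events


def new_paths(events, baseline):
    """Remote logons whose (account, source, target) path is not in the baseline.

    A workstation reaching a host it has never reached before is the
    'unexpected connection between systems' signal from the text.
    """
    hits = []
    for e in events:
        if e["event_id"] != "4624" or e["logon_type"] not in NETWORK_LOGON_TYPES:
            continue
        path = (e["account"], e["src"], e["dst"])
        if path not in baseline:
            hits.append(path)
    return hits


def fan_out(events, window=FAN_OUT_WINDOW, threshold=FAN_OUT_THRESHOLD):
    """Accounts that reach >= threshold distinct hosts inside a sliding window.

    One account touching many hosts in minutes is the 'abnormal movement
    pattern' signal; the largest target set seen per account is reported.
    """
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] in NETWORK_LOGON_TYPES:
            by_account[e["account"]].append(e)
    alerts = {}
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {x["dst"] for x in evs[start:end + 1]}
            if len(targets) >= threshold and len(targets) > len(alerts.get(account, ())):
                alerts[account] = sorted(targets)
    return alerts


def analyse(text, baseline=BASELINE_PATHS):
    """Run both checks over a log text and return the findings."""
    events = parse_log(text)
    return {"new_paths": new_paths(events, baseline), "fan_out": fan_out(events)}


if __name__ == "__main__":
    for kind, finding in analyse(SAMPLE_LOG).items():
        print(kind, finding)
```

On the constructed data the morning logons all match the baseline, while the afternoon burst from WS-ALICE produces four never-before-seen paths and a fan-out alert for the alice account across five hosts. In practice the baseline would be learned from weeks of logs rather than hard-coded, and the threshold tuned so that legitimate administrative tooling (backup and patching accounts, for example) is excluded or handled by a separate rule.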