Attivo Networks Blogs

Cybersecurity Warning: Lateral Movement Tactics Security Experts Should Recognize


Today’s Lateral Movement Tactics: Be Warned

Protecting against today’s most dangerous lateral movement tactics is increasingly critical, given how exposed Active Directory (AD) is in most environments. Once inside, attackers use a wide range of techniques to move from system to system without being noticed.

The list below covers a selection of the most common and potentially damaging tactics. For defenders, knowing what to look for is the first step toward more effective network protection. Fortunately, frameworks like MITRE ATT&CK and MITRE Shield have provided valuable insight into many of these tactics.

1) Windows Management Instrumentation

MITRE defines Windows Management Instrumentation (WMI) as “a Windows administration feature that provides a uniform environment for local and remote access to Windows system components.”

MITRE notes that WMI “relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access.” An attacker can use WMI to interact with both local and remote systems, for example to gather information during discovery or to execute files on a remote host as part of lateral movement (ATT&CK technique T1047).

2) Remote Service Creation

Attackers can execute a binary, command, or script by interacting with Windows services, for example through the Service Control Manager, to create a new service that runs their code on the remote host. The same mechanism serves both lateral movement and persistence, and the built-in Windows sc.exe utility is all that is needed to do it.

Attackers first copy the file to the remote system, typically over an administrative SMB share such as ADMIN$, then create and start the service using Remote Procedure Calls (RPC), Windows Management Instrumentation (WMI), or PsExec.

3) Remote Desktop Protocol

Remote desktops are commonplace today, allowing users to log into an interactive session on a machine they are not sitting at. Unfortunately, attackers can use stolen credentials and account information to authenticate over the Remote Desktop Protocol (RDP), connect to the system as a legitimate user, and expand their access from there.

Today’s attackers use stolen credentials at an alarming rate, frequently over RDP, which serves them both for lateral movement and as a persistence mechanism.
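As an added illustration of what a defender can look for across the three tactics above, not code from the article or from Attivo Networks, the following Python sketch runs three detections over a handful of constructed Windows event records: shells spawned by WmiPrvSE.exe (WMI remote execution), new-service events whose binary is a shell command, a UNC path or PsExec’s helper service (remote service creation), and one account opening RDP sessions on several hosts (stolen credentials over RDP). The normalised event schema, host names, accounts, IP addresses and thresholds are assumptions made for the example; the ATT&CK IDs in the docstrings are the standard ones.

```python
"""Detection sketches for WMI remote execution, remote service creation and
RDP fan-out, run over constructed, SIEM-style Windows event records."""
from collections import defaultdict

# Constructed sample telemetry (not from any real environment). Field names are
# assumed to be normalised by a SIEM: Sysmon EventID 1 = process creation,
# System 7045 / Security 4697 = new service, Security 4624 LogonType 10 = RDP.
EVENTS = [
    # "wmic /node:WS01 process call create ..." lands on the target as a child
    # of WmiPrvSE.exe, the WMI provider host.
    {"EventID": 1, "Channel": "Sysmon", "Computer": "WS01",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "whoami > C:\Windows\Temp\o.txt"',
     "User": r"CORP\jdoe"},
    {"EventID": 1, "Channel": "Sysmon", "Computer": "WS01",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    # PsExec installs its helper service under a well-known name.
    {"EventID": 7045, "Channel": "System", "Computer": "WS02",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # A hand-rolled "sc \\WS03 create ..." service whose binary is just a shell.
    {"EventID": 7045, "Channel": "System", "Computer": "WS03",
     "ServiceName": "CwXfQpLm",
     "ImagePath": r"%COMSPEC% /c powershell -nop -w hidden -c whoami"},
    # A legitimate service install that must not be flagged.
    {"EventID": 7045, "Channel": "System", "Computer": "WS03",
     "ServiceName": "Sense", "ImagePath":
     r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    # Security 4697: service binary run straight from a remote share.
    {"EventID": 4697, "Channel": "Security", "Computer": "WS04",
     "ServiceName": "Updater", "ImagePath": r"\\10.0.5.23\tools\svc.exe"},
    # RDP logons: one account fanning out to three hosts from one source IP,
    # one normal user on one host, and a network (type 3) logon that is not RDP.
    {"EventID": 4624, "Channel": "Security", "Computer": "WS01", "LogonType": 10,
     "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "Channel": "Security", "Computer": "WS02", "LogonType": 10,
     "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "Channel": "Security", "Computer": "WS03", "LogonType": 10,
     "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "Channel": "Security", "Computer": "WS05", "LogonType": 10,
     "TargetDomainName": "CORP", "TargetUserName": "alice", "IpAddress": "10.0.7.14"},
    {"EventID": 4624, "Channel": "Security", "Computer": "FS01", "LogonType": 3,
     "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23"},
]

# Shells and script hosts that rarely have a legitimate reason to be spawned
# by the WMI provider host on a workstation.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _basename(path):
    # Last component of a Windows or UNC path, lower-cased.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _looks_random(name):
    """Heuristic: three or more upper/lower case flips inside a service name
    (e.g. 'CwXfQpLm') is typical of generated names, not of shipped services."""
    flips = sum(1 for a, b in zip(name, name[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    return flips >= 3


def detect_wmi_remote_exec(events):
    """T1047: shells or script hosts whose parent process is WmiPrvSE.exe."""
    return [(e["Computer"], e["User"], e["CommandLine"]) for e in events
            if e.get("Channel") == "Sysmon" and e.get("EventID") == 1
            and _basename(e.get("ParentImage", "")) == "wmiprvse.exe"
            and _basename(e.get("Image", "")) in SHELLS]


def detect_remote_service_creation(events):
    """T1569.002 / T1021.002: new services that look like remote-execution
    helpers. Returns one (host, service name, reasons) tuple per suspicious install."""
    hits = []
    for e in events:
        if e.get("EventID") not in (7045, 4697):
            continue
        name, low = e.get("ServiceName", ""), e.get("ImagePath", "").lower()
        reasons = []
        if name.lower() == "psexesvc":
            reasons.append("PsExec helper service name")
        if any(s in low for s in ("cmd.exe", "%comspec%", "powershell")):
            reasons.append("service binary is a shell command")
        if low.startswith("\\\\"):
            reasons.append("service binary lives on a remote (UNC) path")
        if _looks_random(name):
            reasons.append("random-looking service name")
        if reasons:
            hits.append((e["Computer"], name, reasons))
    return hits


def detect_rdp_fan_out(events, min_hosts=3):
    """T1021.001: one account opening RDP sessions (logon type 10) on at least
    `min_hosts` distinct hosts. Returns {DOMAIN\\user: sorted host list}."""
    hosts = defaultdict(set)
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") == 10:
            hosts[f'{e["TargetDomainName"]}\\{e["TargetUserName"]}'].add(e["Computer"])
    return {acct: sorted(h) for acct, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    print("WMI remote exec:", detect_wmi_remote_exec(EVENTS))
    print("Remote service creation:", detect_remote_service_creation(EVENTS))
    print("RDP fan-out:", detect_rdp_fan_out(EVENTS))
```

Run it as a plain script to see the three hit lists. Two caveats before wiring anything like this into a SIEM: some management tooling legitimately runs children of WmiPrvSE.exe, so baseline the parent/child pairs per environment before alerting, and the RDP fan-out rule needs a time window (for example distinct hosts per account per hour) rather than the whole data set, or a help-desk account will trip it every day.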

Read the full article by Joseph Salazar, Technical Marketing Engineer at Attivo Networks, on eWeek.


