Lateral movement is the process of moving from one part of a computing environment to another. After you gain access to the initial part of the environment, you can spread your attack out to compromise additional resources. This ensures that your test encompasses more than just a narrow selection of resources. Likewise, you may be able to discover additional or new vulnerabilities in the environment that you would otherwise miss if you stayed in place. Lateral movement can also support stealth, as in some cases, you'll draw greater attention to your attack if you focus on only a single resource or a small group of like resources.

One of the most common forms of lateral movement is to jump from one network host to the next. You might gain access to an employee's workstation from the outside, then use that workstation to set up a connection to an application server, which you then use to open up access to a database server, and so on. Essentially, you're going further and further into the network, looking for new targets or new vectors with which to spread the attack.
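Seen from the defender's side, the workstation-to-application-server-to-database-server chain described above appears in authentication logs as a host that receives a logon and then initiates one shortly afterwards. The following Python code is an added example, not part of the original text; the record format, host names, 30-minute window and function name are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: logon records normalised to (time, source, destination).
# All host names are invented for this example.
SAMPLE_LOGONS = [
    ("2024-05-01T09:00:00", "vpn-gw", "ws-041"),
    ("2024-05-01T09:12:00", "ws-041", "app-01"),
    ("2024-05-01T09:20:00", "app-01", "db-01"),
    ("2024-05-01T10:00:00", "ws-007", "fs-01"),
    ("2024-05-01T15:00:00", "fs-01", "db-01"),   # hours later: not linked
]


def find_hop_chains(logons, window=timedelta(minutes=30), min_hops=2):
    """Return host paths in which every inbound logon to a host is followed,
    within `window`, by an outbound logon from that same host.

    Only maximal paths (those not extended by a later hop) with at least
    `min_hops` hops are returned.
    """
    events = sorted((datetime.fromisoformat(ts), src, dst)
                    for ts, src, dst in logons)
    chains = []  # each entry: {"path": [hosts], "last": datetime, "extended": bool}
    for when, src, dst in events:
        if src == dst:
            continue  # local logon, not a hop
        # Chains that ended at `src` recently enough; skip loops back into the path.
        parents = [c for c in chains
                   if c["path"][-1] == src and dst not in c["path"]
                   and when - c["last"] <= window]
        for parent in parents:
            parent["extended"] = True
        # Extend every matching chain, or start a new one at `src`.
        for base in [p["path"] for p in parents] or [[src]]:
            chains.append({"path": base + [dst], "last": when, "extended": False})
    return [c["path"] for c in chains
            if not c["extended"] and len(c["path"]) - 1 >= min_hops]


if __name__ == "__main__":
    for path in find_hop_chains(SAMPLE_LOGONS):
        print(" -> ".join(path))
```

Legitimate jump hosts and administrative tooling produce the same pattern, so a deployment would baseline expected paths before alerting on the rest.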

Several techniques can make lateral movement easier, reconnaissance in particular. Once you compromise the "patient zero" host, you can sweep the network for other hosts, as well as enumerate network protocols, ports, and logical mapping. This helps you discover where additional hosts are, and which hosts you can move to.

At a lower level, lateral movement can also refer to moving exploit code or a session into another running process. This can help you evade defensive efforts to identify and eliminate malicious processes. Migrating code to a known, existing process (e.g., explorer.exe) can also enable you to take on the features and privileges of that process.