Attack Lifecycle · Stage 4 of 7
Stage 4: Lateral Movement
May 2026 · 8 min read · MITRE ATT&CK · Pivoting · Pass-the-Hash · Remote Services
Stage 4 of the cyberattack lifecycle: Lateral Movement. With valid credentials in hand, the attacker moves from system to system — expanding their foothold while blending in with legitimate network traffic.
Attacker Goal
Move through the network to access additional systems, expand privileges, and reach high-value targets.
MITRE ATT&CK Techniques
T1021 · T1075 · T1076 · T1091 · T1210 · T1550
Common Entry Vectors
- Remote Desktop Protocol (RDP) to access other systems
- Pass-the-Hash to authenticate without knowing the password
- SMB file sharing to move between Windows systems
- SSH for lateral movement in Linux environments
- Exploitation of trust relationships between systems
Typical Attacker Actions
- Uses stolen credentials to log into other systems via RDP or SSH
- Passes hashed passwords to authenticate without cracking them
- Moves through file shares to access sensitive data
- Pivots through compromised systems as stepping stones
- Establishes persistence on each new system reached
✓ Purim NetGo Detection & Response
- Honeypot workstations and servers that attract lateral movers
- Decoy RDP and SSH endpoints that alert on connection
- Fake file shares with canary documents that trigger on access
- Real-time alerts with full session details when decoys are touched
- Tango Dance behavioral fingerprinting to track movement patterns
What Purim NetGo Delivers at This Stage
- Movement Detection — catch attackers mid-pivot
- Path Mapping — understand exactly how attackers are moving
- Session Intelligence — capture full connection details
- Behavioral Analysis — identify anomalous access patterns
- Rapid Response — alert before the attacker reaches their target
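The following is an added illustration, not Purim NetGo's code or log format. It shows how a single decoy touch can anchor path mapping: the alert identifies the account, and that account's earlier logons are chained into the route it took. The event layout, hostnames, account names and decoy list are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample authentication events (not real logs):
# timestamp, account, source host, destination host, protocol
EVENTS = """\
2026-05-04T09:12:03 svc_backup WS-014 FS-01 smb
2026-05-04T09:13:40 svc_backup FS-01 APP-03 rdp
2026-05-04T09:15:22 jdoe WS-022 FS-01 smb
2026-05-04T09:16:05 svc_backup APP-03 DECOY-RDP-01 rdp
2026-05-04T09:17:10 svc_backup APP-03 DB-02 ssh
"""
DECOYS = {"DECOY-RDP-01", "DECOY-FS-01"}  # hypothetical decoy hostnames

def parse(text):
    """Yield (time, account, src, dst, proto) tuples, skipping lines without five fields."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            yield (datetime.fromisoformat(parts[0]), *parts[1:])

def decoy_alerts(events, decoys=DECOYS):
    """Every connection to a decoy is an alert; decoys serve no production role."""
    return [e for e in events if e[3] in decoys]

def movement_path(events, account, start):
    """Chain an account's logons: each hop must leave a host already reached."""
    reached, path = {start}, []
    for _, acct, src, dst, proto in sorted(events):
        if acct == account and src in reached and dst not in reached:
            path.append((src, dst, proto))
            reached.add(dst)
    return path

def investigate(text, decoys=DECOYS):
    """Map each account that touched a decoy to the hops that led it there."""
    events = list(parse(text))
    report = {}
    for alert in decoy_alerts(events, decoys):
        account = alert[1]
        prior = [e for e in events if e[1] == account and e[0] <= alert[0]]
        origin = min(prior)[2]  # source host of the account's earliest event
        report[account] = movement_path(prior, account, origin)
    return report

if __name__ == "__main__":
    for account, hops in investigate(EVENTS).items():
        print(account, " -> ".join([hops[0][0]] + [dst for _, dst, _ in hops]))
```

The hosts on the reconstructed path are the ones to scope for containment and credential resets, since each was reached with the same account before the decoy fired.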