Modern Lateral Movement Patterns
KeenSafe Research | Threat Research | Adversary Operations Series
Overview
Lateral movement remains the operational center of mass for adversary chains traversing modern enterprise environments. What has changed materially over the past several years is the character of lateral movement itself. The traditional model — adversaries executing on compromised endpoints, dumping credentials, pivoting through SMB and RDP toward domain controllers — captures a shrinking share of the patterns observed in current operations. The modern lateral movement landscape is identity-driven, API-mediated, cross-domain, and predominantly executed through legitimate protocols and tooling rather than through the explicit adversary frameworks earlier-generation detection content was tuned against.
Across the chains KeenSafe Research has analyzed during the current reporting window, lateral movement stages exhibit several consistent properties. They operate primarily through identity (rather than through network exploitation). They traverse domain boundaries (cross-tenant, cross-cloud, on-prem to cloud) in 62 percent of validated chains. They use legitimate APIs and protocols (Microsoft Graph, cloud IAM APIs, SaaS APIs) almost exclusively. And they exhibit detection efficacy at materially lower rates than initial access or credential acquisition stages — empirical detection of cross-domain lateral movement averages 34 percent across the corpus.
This research article documents modern lateral movement patterns. It analyzes the recurring patterns observed in operations, the MITRE ATT&CK mapping, the detection landscape, and the defensive countermeasures.
1. The Modern Lateral Movement Landscape
Structural Shifts
Three structural shifts have reshaped lateral movement:
The identity layer has replaced the network layer as the primary movement surface. Cloud workloads, SaaS platforms, and modern application architectures authorize access through identity, not network position. Adversaries reach successive systems through identity manipulation rather than through network exploitation.
API-mediated movement has displaced protocol-mediated movement. Legitimate APIs — Microsoft Graph, AWS APIs, Azure Resource Manager, GCP APIs, SaaS REST endpoints — are the predominant movement mechanism. Traditional protocols (SMB, RDP, WMI) continue to operate in environments with substantial on-prem presence but represent a shrinking share of total movement events.
Cross-domain traversal has become the norm, not the exception. The majority of chains traverse two or more of on-premises, cloud, SaaS, and CI/CD surfaces. Lateral movement is increasingly cross-domain by character.
Why the Shifts Matter for Detection
The shifts have direct detection implications. Earlier-generation detection content focused on:
- Specific tooling fingerprints (PsExec, WMIC, Mimikatz, BloodHound)
- Protocol-level signals (SMB shares, RDP connections, WMI invocations)
- Endpoint-level indicators (process trees, command-line patterns, file system artifacts)
Modern detection requires:
- API call pattern analysis across cloud control planes
- Identity-level behavior baselining
- Cross-domain correlation between authentication events across separate identity providers
- Session-level activity monitoring including token replay detection
The detection content reorientation has not completed in most enterprise programs. The efficacy gap is the consequence.
2. Recurring Modern Lateral Movement Patterns
Pattern 1: Token Replay Across Services
The dominant cloud-mediated lateral movement pattern. Adversary acquires a session token (through AiTM phishing, infostealer, or session theft) and replays it across multiple services within the token's authorization scope.
Operational structure:
- Token acquisition through earlier chain stage
- Token introspection to identify accessible services
- Token use against successive services as separate lateral movement events
- Continued use until token expiration or revocation
Mapped to MITRE ATT&CK: T1550.001 (Application Access Token), T1550.004 (Web Session Cookie), T1078.004 (Valid Accounts: Cloud Accounts).
Detection notes: Detection requires correlation of token use across multiple service endpoints, often within different telemetry sources. Single-service detection systems miss the pattern. Modern identity providers' Continuous Access Evaluation (CAE) and analogous mechanisms partially address the pattern by revoking tokens in response to risk signals.
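The cross-service correlation described above, as an added example that is not KeenSafe's code: one session identifier seen from two client networks across five services, and the same logic run per telemetry source to show why single-service detection misses it. The events, field names and the "sid" field are constructed assumptions standing in for a normalized view of several audit logs.

```python
"""Added example, not KeenSafe's code: flag a session token replayed across
several services from more than one client network, and show that any
single telemetry source, viewed alone, produces no finding. The events and
field names are constructed assumptions (a normalized view of several logs)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry from four sources, normalized to one shape. "sid" is
# the session identifier each log carries; the user's own sign-in and
# SharePoint/OneDrive use come from 203.0.113.10, the replay from 198.51.100.7.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "source": "entra_signin", "service": "Outlook",
     "user": "fin.user@example.com", "sid": "S1", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:05:00", "source": "m365_audit", "service": "SharePoint",
     "user": "fin.user@example.com", "sid": "S1", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:20:00", "source": "m365_audit", "service": "OneDrive",
     "user": "fin.user@example.com", "sid": "S1", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:40:00", "source": "graph_audit", "service": "Graph",
     "user": "fin.user@example.com", "sid": "S1", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:45:00", "source": "exchange_audit", "service": "Exchange",
     "user": "fin.user@example.com", "sid": "S1", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T10:00:00", "source": "entra_signin", "service": "Teams",
     "user": "other.user@example.com", "sid": "S2", "ip": "192.0.2.5"},
]

def find_replayed_sessions(events, window=timedelta(hours=2), min_services=2):
    """Return {sid: finding} for sessions used from more than one client IP
    across at least `min_services` services within `window`."""
    by_sid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_sid[e["sid"]].append(e)
    findings = {}
    for sid, evs in by_sid.items():
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["ts"])
            span = [e for e in evs[i:]
                    if datetime.fromisoformat(e["ts"]) - t0 <= window]
            ips = {e["ip"] for e in span}
            services = {e["service"] for e in span}
            if len(ips) > 1 and len(services) >= min_services:
                findings[sid] = {"user": first["user"], "ips": sorted(ips),
                                 "services": sorted(services),
                                 "sources": sorted({e["source"] for e in span})}
                break
    return findings

def per_source_findings(events):
    """Run the same logic on each telemetry source in isolation: this is what
    a single-service detection sees. Every source comes back empty here."""
    sources = {e["source"] for e in events}
    return {s: find_replayed_sessions([e for e in events if e["source"] == s])
            for s in sorted(sources)}
```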
Pattern 2: Federation Traversal Between Tenants
Increasingly common cross-domain pattern. Adversary holds context in a source tenant and traverses federation to a target tenant.
Operational structure:
- Source-tenant context acquired through earlier chain stage
- Federation path discovery through directory enumeration
- Federation traversal under conditions the policy permits
- Target-tenant operations under federated identity context
Mapped to ATT&CK: T1199 (Trusted Relationship), T1078.004 (Valid Accounts: Cloud Accounts), T1556.006 (MFA Modification) for federation policies with MFA exception conditions.
Detection notes: Detection across federation boundaries requires correlation between source-tenant and target-tenant authentication events. Many enterprises do not have shared telemetry across federated tenants, producing detection blind spots at the federation boundary.
Pattern 3: Application-Mediated Lateral Movement
Pattern exploiting OAuth-authorized applications as lateral movement vehicles.
Operational structure:
- OAuth consent acquired through earlier stage
- Application authorization scope used to reach data and services across tenants where the application is consented
- Application identity used as the lateral movement actor
Mapped to ATT&CK: T1528 (Steal Application Access Token), T1078.004, T1199.
Detection notes: Application activity is frequently underweighted in detection content tuned predominantly against user activity. Application API call patterns require specific behavioral baselining.
Pattern 4: Service Account Pivoting
Pattern exploiting compromised service accounts as lateral movement vehicles.
Operational structure:
- Service account compromise through Kerberoasting, embedded credential discovery, or workload compromise
- Service account permission exercise across systems
- Lateral movement to systems where the service account holds access
- Credential acquisition or operations under service account context
Mapped to ATT&CK: T1078.002 (Valid Accounts: Domain), T1078.004 (Valid Accounts: Cloud), T1021 family for protocol-mediated movement to systems where the service account authenticates.
Detection notes: Service account behavioral baselines are structurally weaker than human account baselines. Detection of anomalous service account activity is one of the consistent weak points across the corpus.
Pattern 5: Hybrid Identity Pivot
Pattern exploiting hybrid identity synchronization to traverse from on-prem to cloud or vice versa.
Operational structure:
- Identity compromise in one domain (on-prem or cloud)
- Synchronized identity context inheritance in the other domain
- Cross-domain operations under inherited identity
Mapped to ATT&CK: T1078 family, T1199.
Detection notes: Detection across hybrid synchronization requires correlation between on-prem and cloud authentication events, frequently in separate telemetry systems.
Pattern 6: CI/CD Pipeline Pivoting
Pattern exploiting CI/CD platforms as lateral movement vehicles into production environments.
Operational structure:
- Developer identity or CI/CD service account compromise
- Pipeline configuration analysis identifying deploy credentials and target environments
- Pipeline-mediated execution against production targets
- Production access under pipeline service account context
Mapped to ATT&CK: T1199, T1078.004, T1505.001 (Server Software Component) for specific deployment manipulation.
Detection notes: CI/CD activity is frequently outside the scope of SIEM detection content. The pattern requires specific CI/CD telemetry integration and behavioral analysis.
Pattern 7: SaaS-to-SaaS Movement
Pattern exploiting inter-application SaaS trust chains.
Operational structure:
- Initial SaaS compromise through OAuth, credential abuse, or vendor compromise
- Discovery of inter-application trust through OAuth configuration analysis
- Pivot to additional SaaS platforms through trust inheritance
- Successive pivots producing chain across multiple SaaS platforms
Mapped to ATT&CK: T1199, T1078.004, T1528.
Detection notes: SaaS-to-SaaS activity correlation is among the most underdeveloped detection surfaces. Inter-application trust chain visibility is operationally rare in most enterprises.
Pattern 8: Traditional Protocol-Mediated Movement
The traditional pattern continues to operate in environments with substantial on-prem presence.
Operational structure:
- Initial endpoint compromise
- Credential acquisition (T1003 family)
- Lateral movement via SMB (T1021.002), RDP (T1021.001), WMI (T1047), or remote services
- Successive endpoint compromise until target reached
Mapped to ATT&CK: T1021 family, T1003, T1047, T1078.002.
Detection notes: The pattern is well-served by mature EDR and traditional SIEM detection content. Detection efficacy is materially higher than for cloud-mediated patterns — averaging 63 percent across the corpus.
3. The Living-Off-the-Land Cloud APIs
A defining characteristic of modern lateral movement is the use of legitimate cloud and SaaS APIs as the operational substrate. Adversaries operate predominantly through:
Microsoft Graph API: enumeration of users, groups, applications, files, mail, calendar, and SharePoint content across Microsoft 365 and Entra ID. The API is rich enough to support extensive discovery, credential acquisition, and lateral movement entirely within its surface.
AWS APIs: IAM, EC2, Lambda, S3, KMS, STS, and dozens of service-specific APIs. Adversaries with valid credentials operate through standard AWS CLI, SDK, or API calls. Detection against the activity pattern is structurally similar to detecting legitimate operational activity.
Azure Resource Manager and Graph APIs: equivalent capabilities in the Azure ecosystem. Adversaries enumerate, manipulate, and exfiltrate through standard APIs.
GCP APIs: equivalent capabilities in GCP. Service account impersonation primitives, particularly, provide privilege escalation and lateral movement.
SaaS APIs: Salesforce REST API, ServiceNow API, Workday API, Microsoft Teams Graph API, and SaaS-specific endpoints. Adversaries operate against the published APIs that legitimate integrations use.
The implications for detection are direct. API call patterns rather than tooling fingerprints are the signal. Behavioral baselines for legitimate API use are necessary to distinguish adversary activity. The detection content reorientation toward API-centric analysis is the operational direction.
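The API-centric baselining this section calls for, and the service account baselining Pattern 4 describes, as one added example that is not KeenSafe's code: a profile of a deploy service principal's operations, source addresses and hourly volume learned from a quiet week, then applied to a day on which it starts enumerating role assignments and reading secrets from a new address. Operation names, the principal name and the record shape are constructed assumptions loosely modelled on Azure Activity Log records.

```python
"""Added example, not KeenSafe's code: a behavioral baseline for a service
principal's cloud API calls, learned from a quiet window of constructed audit
events and applied to a later window. Operation names and fields are
assumptions (a normalized view of Azure Activity Log style records)."""
from collections import Counter, defaultdict
from datetime import datetime

def mk(ts, principal, op, ip):
    return {"ts": datetime.fromisoformat(ts), "principal": principal, "op": op, "ip": ip}

# Learning window (constructed): a deploy principal runs the same three
# operations twice a day from one network address for a week.
BASELINE = [mk(f"2024-04-{d:02d}T{h:02d}:00:00", "sp-deploy", op, "10.20.0.8")
            for d in range(1, 8) for h in (2, 14)
            for op in ("Storage.ListBlobs", "Storage.PutBlob", "Web.DeploySlot")]

# Detection window (constructed): the usual deploy, then role-assignment
# enumeration and a burst of secret reads from an address never seen before.
NEW = [mk("2024-04-09T02:00:00", "sp-deploy", "Storage.ListBlobs", "10.20.0.8"),
       mk("2024-04-09T02:00:05", "sp-deploy", "Storage.PutBlob", "10.20.0.8"),
       mk("2024-04-09T11:13:00", "sp-deploy", "Authorization.ListRoleAssignments",
          "198.51.100.7")]
NEW += [mk(f"2024-04-09T11:14:{s:02d}", "sp-deploy", "KeyVault.GetSecret",
           "198.51.100.7") for s in range(8)]

def hour_of(ts):
    return ts.replace(minute=0, second=0, microsecond=0)

def build_baseline(events):
    """Per principal: operations seen, source IPs seen, and the busiest hour."""
    prof = defaultdict(lambda: {"ops": set(), "ips": set(), "hourly": Counter()})
    for e in events:
        p = prof[e["principal"]]
        p["ops"].add(e["op"])
        p["ips"].add(e["ip"])
        p["hourly"][hour_of(e["ts"])] += 1
    return {k: {"ops": v["ops"], "ips": v["ips"],
                "max_hourly": max(v["hourly"].values())} for k, v in prof.items()}

def score(events, baseline, burst_factor=2):
    """Deduplicated findings of three kinds: an operation the principal has
    never issued, a source IP it has never used, or an hour with more than
    burst_factor x its busiest baseline hour. A service principal has no
    working-hours intuition to lean on; deviation from its own narrow
    profile is the signal."""
    findings, hourly = set(), Counter()
    for e in events:
        prof = baseline.get(e["principal"])
        if prof is None:
            findings.add((e["principal"], "unknown_principal", e["op"]))
            continue
        if e["op"] not in prof["ops"]:
            findings.add((e["principal"], "new_operation", e["op"]))
        if e["ip"] not in prof["ips"]:
            findings.add((e["principal"], "new_source_ip", e["ip"]))
        key = (e["principal"], hour_of(e["ts"]))
        hourly[key] += 1
        if hourly[key] > burst_factor * prof["max_hourly"]:
            findings.add((e["principal"], "volume_burst", key[1].isoformat()))
    return sorted(findings)
```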
4. Operational Chain Example
A representative chain demonstrating multiple modern lateral movement patterns:
Stage 1 — Initial Access (T1566.002 + T1557). AiTM phishing of a finance department user produces post-MFA session token capture.
Stage 2 — Token Replay (T1550.004, Pattern 1). Captured session token replayed against Microsoft 365. Adversary holds authenticated context.
Stage 3 — Discovery (T1087.004). Tenant enumeration via Microsoft Graph reveals the user's group memberships, OAuth grants, and accessible resources.
Stage 4 — Application-Mediated Movement (Pattern 3). Discovery reveals an OAuth-consented analytics application with permissions to SharePoint and OneDrive. Adversary uses the application's authorization scope to access operational documentation.
Stage 5 — Credential Discovery (T1552.001). Documentation contains embedded credentials for a service principal with Azure permissions.
Stage 6 — Service Account Pivot (Pattern 4). Service principal credential validated. Authentication context established in Azure.
Stage 7 — Federation Traversal (Pattern 2). Service principal's permissions include federation traversal to an acquired-entity tenant. Adversary traverses federation.
Stage 8 — Hybrid Identity Pivot (Pattern 5). In the acquired tenant, the federated identity inherits permissions on an on-prem-synchronized account. Adversary uses the inherited context to reach on-prem resources.
Stage 9 — Kerberoasting (T1558.003). On-prem foothold enables SPN enumeration. Service account ticket cracked offline.
Stage 10 — Traditional Protocol Movement (Pattern 8). Cracked service account credentials used for SMB-mediated lateral movement to a database server.
Stage 11 — Crown-Jewel Access (T1213). Database server hosts customer financial data. Chain complete.
The chain composed eleven techniques and exhibited five distinct lateral movement patterns. The cross-domain character is characteristic of modern chains. No single defensive control would have severed the chain; multiple intervention points existed but were not exercised.
5. Detection Landscape
Detection Surfaces
The following detection surfaces produce lateral movement signals across the dominant patterns:
- Identity provider authentication telemetry: sign-in events, conditional access decisions, risk evaluation outputs
- Cloud API audit logs: AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs, Microsoft 365 audit logs
- SaaS audit logs: platform-specific audit logs from major SaaS providers
- EDR endpoint telemetry: process execution, credential access, network connections from monitored endpoints
- Network telemetry: SMB, RDP, and similar protocol activity for traditional patterns
- CI/CD platform audit logs: pipeline execution, credential use, deployment events
Cross-Surface Correlation Requirement
Modern lateral movement detection requires correlation across these surfaces. A chain that traverses Entra ID → Azure → on-prem AD → database server produces telemetry in at least four separate log sources. Detection rules operating within any single source see only fragments.
The correlation challenge is one of the most consistent gaps observed across the corpus. Even environments with mature SIEM deployment and substantial detection content frequently lack effective cross-surface correlation.
Empirical Detection Efficacy by Pattern
Across the corpus, empirical detection efficacy varies materially by pattern:
- Traditional Protocol-Mediated Movement (Pattern 8): 63 percent — well-served by mature EDR and SIEM content
- Token Replay (Pattern 1): 41 percent — depends on session anomaly detection maturity
- Service Account Pivoting (Pattern 4): 34 percent — behavioral baseline asymmetry produces gaps
- Hybrid Identity Pivot (Pattern 5): 32 percent — cross-domain correlation gap
- Federation Traversal (Pattern 2): 28 percent — federation detection is operationally rare
- Application-Mediated Movement (Pattern 3): 26 percent — application activity underweighted
- CI/CD Pipeline Pivoting (Pattern 6): 23 percent — CI/CD telemetry frequently outside SIEM scope
- SaaS-to-SaaS Movement (Pattern 7): 19 percent — inter-application correlation is rare
The pattern is clear. Detection efficacy is highest for the traditional pattern that earlier-generation detection content was tuned against. Detection efficacy is materially lower for the modern patterns that dominate current adversary operations.
6. Defensive Countermeasures
Detection Content Reorientation
The foundational defensive response is reorientation of detection content toward modern patterns:
- API call pattern analysis across cloud control planes
- Token replay detection through session anomaly correlation
- Federation event monitoring with cross-tenant correlation
- Application activity baselining and anomaly detection
- Service account behavioral monitoring tuned to service account characteristics
- CI/CD audit log ingestion and correlation
Cross-Surface Correlation Infrastructure
Investment in cross-surface correlation infrastructure:
- Common identifier mapping across identity providers (linking on-prem AD, Entra ID, Okta, cloud IAM, SaaS identities)
- Unified telemetry repositories supporting correlation queries
- Threat hunting hypotheses derived from validated chains
- Continuous validation evidence as detection engineering input
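The common identifier mapping listed above, applied to the four-source chain (SaaS, Entra ID, Azure, on-prem AD) that the Cross-Surface Correlation Requirement describes, as an added example that is not KeenSafe's code: records from each source are resolved to one canonical identity and the surfaces that identity touched inside a window are reported, while the same records without the mapping yield nothing. Log shapes, the mapping table, the object id and host names are constructed assumptions.

```python
"""Added example, not KeenSafe's code: map identifiers from separate identity
providers onto one canonical identity, then reconstruct the surfaces one
identity touched inside a time window. Log shapes, the mapping table and
the object id are constructed assumptions; real sources carry these fields
differently."""
from collections import defaultdict
from datetime import datetime, timedelta

# One human, four names. The object id is a constructed placeholder.
IDENTITY_MAP = {
    ("entra_signin", "fin.user@example.com"): "id-1001",
    ("azure_activity", "00000000-0000-4000-8000-000000001001"): "id-1001",
    ("ad_security", "CORP\\fin.user"): "id-1001",
    ("servicenow_audit", "fin.user"): "id-1001",
}
SURFACE = {"entra_signin": "cloud_idp", "azure_activity": "azure_control_plane",
           "ad_security": "on_prem_ad", "servicenow_audit": "saas"}
ID_FIELD = {"entra_signin": "userPrincipalName", "azure_activity": "callerObjectId",
            "ad_security": "account", "servicenow_audit": "user"}

# Constructed records in each source's own vocabulary, deliberately unordered.
RAW = [
    {"source": "azure_activity", "ts": "2024-05-01T09:30:00",
     "callerObjectId": "00000000-0000-4000-8000-000000001001",
     "operation": "Microsoft.Authorization/roleAssignments/write"},
    {"source": "ad_security", "ts": "2024-05-01T10:10:00", "account": "CORP\\fin.user",
     "event_id": 4624, "logon_type": 3, "host": "DB01"},
    {"source": "entra_signin", "ts": "2024-05-01T09:00:00",
     "userPrincipalName": "fin.user@example.com", "app": "Office 365 SharePoint Online"},
    {"source": "servicenow_audit", "ts": "2024-05-01T08:50:00", "user": "fin.user",
     "action": "record.read"},
    {"source": "ad_security", "ts": "2024-05-01T10:30:00", "account": "CORP\\svc_backup",
     "event_id": 4624, "logon_type": 3, "host": "FS01"},
]

def normalize(raw, id_map):
    """Resolve each record to (time, surface, canonical identity). Unmapped
    identifiers are kept but labelled, so the mapping gap stays visible."""
    out = []
    for r in raw:
        key = (r["source"], r[ID_FIELD[r["source"]]])
        out.append({"ts": datetime.fromisoformat(r["ts"]), "surface": SURFACE[r["source"]],
                    "identity": id_map.get(key, "unmapped:" + key[1])})
    return sorted(out, key=lambda e: e["ts"])

def cross_surface_paths(events, window=timedelta(hours=3), min_surfaces=3):
    """Per canonical identity, the ordered list of surfaces touched within
    `window` of its first event; report identities spanning >= min_surfaces."""
    by_id = defaultdict(list)
    for e in events:
        by_id[e["identity"]].append(e)
    report = {}
    for ident, evs in by_id.items():
        path = []
        for e in evs:
            if e["ts"] - evs[0]["ts"] > window:
                break
            if not path or path[-1] != e["surface"]:
                path.append(e["surface"])
        if len(set(path)) >= min_surfaces:
            report[ident] = path
    return report
```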
Session Binding and Continuous Access Evaluation
Session-level defensive mechanisms:
- Token binding mechanisms limiting session token portability
- Continuous Access Evaluation (CAE) revoking sessions on risk signals
- Conditional access in-session policies re-evaluating session state continuously
- Device-bound credentials and FIDO2 deployment for phishing-resistant authentication
Identity Boundary Hardening
Hardening of identity boundaries between domains:
- Federation policy rationalization
- Cross-tenant trust review and reduction
- Hybrid synchronization scope hardening
- Inter-application OAuth consent governance
Service Account Governance
Service account governance as documented in companion research:
- Managed identity migration (gMSA, workload identity federation)
- Service account behavioral baselining
- Permission rationalization with chain-aware prioritization
- Lifecycle discipline
Continuous Validation
Continuous attack path validation surfaces lateral movement patterns end-to-end:
- Chain visibility across the patterns documented above
- Cross-surface correlation as a primary platform capability
- Detection efficacy measurement as validation output
- Empirical re-validation of remediation actions
7. Enterprise Implications
Detection Content Must Match the Threat Landscape
Detection content tuned against traditional patterns captures a shrinking share of modern operations. Programs that have not reoriented detection content are operating with detection efficacy materially lower than they likely assume.
Cross-Surface Correlation is the Strategic Investment
The single most valuable strategic detection investment is cross-surface correlation infrastructure. The infrastructure enables effective detection of the dominant modern lateral movement patterns.
Identity is the Operational Substrate
Identity is the substrate of modern lateral movement. Defensive investment should follow the substrate — identity governance, identity behavioral analysis, and identity boundary hardening produce the most leverage.
Cloud API Activity is the Detection Frontier
Cloud API activity is the detection frontier. The detection content reorientation toward API-centric analysis is operationally necessary.
Continuous Validation Surfaces What Detection Misses
Continuous validation surfaces lateral movement chains that detection misses. The validation evidence supports detection engineering reorientation by identifying specific gaps and prioritizing investment.
Traditional Patterns Remain Operationally Significant
Traditional protocol-mediated lateral movement continues to operate in environments with on-prem presence. Mature defensive disciplines against traditional patterns remain necessary, but should not consume a disproportionate share of defensive investment relative to the modern patterns that dominate current operations.
8. Strategic Insights
Insight 1: The lateral movement landscape has structurally shifted. The shift is not a refinement of earlier patterns; it is a categorical change in operational substrate.
Insight 2: Detection efficacy lags the shift. Programs that have not reoriented detection content are operating with detection efficacy materially lower than they assume.
Insight 3: Cross-surface correlation is the strategic detection investment. Single-surface detection systematically misses the dominant cross-domain patterns.
Insight 4: API-centric detection is the operational frontier. Detection content tuned against tooling fingerprints captures a shrinking share of operations.
Insight 5: Identity is the substrate, not the artifact. Identity is what authorizes lateral movement in modern environments. Defensive investment should follow.
Insight 6: Continuous validation surfaces chains detection misses. The validation evidence is the input that supports detection engineering reorientation.
Conclusion
Modern lateral movement patterns are identity-driven, API-mediated, cross-domain, and predominantly executed through legitimate protocols and tooling. The structural shift from traditional protocol-mediated movement to modern identity-mediated movement is complete in cloud-native environments and substantial in hybrid environments.
Defensive response operates across detection content reorientation, cross-surface correlation infrastructure, session binding and continuous access evaluation, identity boundary hardening, service account governance, and continuous validation. The combination produces meaningful detection capability against the dominant modern patterns. Programs that have not made the transition operate with detection efficacy materially below their nominal capability.
KeenSafe Research will continue to publish updated intelligence on adversary operational tradecraft. Companion research in this series addresses adjacent topics: identity attack chains, AiTM phishing, OAuth abuse, Kerberoasting, service account abuse, privilege escalation through identity misconfiguration, and cloud metadata exploitation.
KeenSafe Research is the threat intelligence and offensive security research arm of KeenSafe, an AI-powered attack path validation platform for continuous offensive security validation across hybrid enterprise infrastructure.
