If an attacker gains local admin on endpoint X in a corporate environment, is it safe to assume they can laterally move to any endpoint in the environment at will?
In practice, no. That scenario holds only in a minority of cases.
Here are a few common scenarios in which one can gain local admin during an attack:
Assuming the organization follows best practices, there is only a small chance that the attacker can move laterally immediately and directly after gaining local admin on endpoint X. In many cases they would have to repeat the attack phases (reconnaissance, exploitation, persistence) from that endpoint, and that repetition is not guaranteed to succeed.
Every "hop" the attacker has to make lowers their chance of success while raising their chance of getting caught. Because of this, it is NOT common for an intermediate or advanced attacker to pivot to a large number of endpoints; instead, they minimize their movement while pursuing their goal.
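The two points above (local admin on X only turns into lateral movement when X actually holds something usable on another host, and each additional hop compounds the odds against the attacker) can be shown with a small model. The following is an added illustration, not code from the original post: an environment is a graph in which an edge A -> B exists only when admin on A yields something that grants admin on B (a reused local admin password, a cached privileged session, an admin group membership). The hosts, edges and per-hop probabilities are constructed for the example and are assumptions, not measurements; the "hardened" graph assumes one common best practice, unique local admin passwords per host, which removes the credential-reuse edge out of the first compromised endpoint.

```python
"""Toy lateral-movement model (added illustration; assumed data throughout)."""

from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed sample environment: "ws-01" is the initially compromised endpoint X.
# Each edge is an assumed path from admin on the source host to admin on the target.
ACCESS_GRAPH: Dict[str, List[str]] = {
    "ws-01": ["ws-02"],        # assumed: ws-01 and ws-02 share a local admin password
    "ws-02": ["srv-file"],     # assumed: cached helpdesk session on ws-02 is admin on srv-file
    "srv-file": ["srv-db"],    # assumed: a service account on srv-file is admin on srv-db
    "srv-db": [],
    "ws-03": ["srv-db"],       # not reachable from ws-01 at all
}

# Same environment after unique local admin passwords are enforced (assumed):
# the shared-password edge ws-01 -> ws-02 no longer exists.
HARDENED_GRAPH: Dict[str, List[str]] = {
    host: [t for t in targets if not (host == "ws-01" and t == "ws-02")]
    for host, targets in ACCESS_GRAPH.items()
}


def shortest_path(graph: Dict[str, List[str]], start: str, target: str) -> Optional[List[str]]:
    """Breadth-first search for the fewest-hop path from start to target.

    Returns the list of hosts on that path, or None when the target cannot be
    reached with what the attacker already holds (i.e. a fresh recon/exploit
    cycle would be needed rather than a direct pivot).
    """
    if start == target:
        return [start]
    parent: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = node
            if nxt == target:
                path = [nxt]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])  # walk back to start
                return path[::-1]
            queue.append(nxt)
    return None


def chain_odds(hops: int, p_success: float, p_detect: float) -> Tuple[float, float, float]:
    """Compound odds for a chain of independent hops.

    Returns (P(all hops succeed), P(no hop is detected),
             P(all succeed and none detected)). Each extra hop multiplies the
    attacker's odds down, which is why attackers keep the chain short.
    """
    p_undetected = 1.0 - p_detect
    return (p_success ** hops, p_undetected ** hops, (p_success * p_undetected) ** hops)


if __name__ == "__main__":
    path = shortest_path(ACCESS_GRAPH, "ws-01", "srv-db")
    print("path in sample graph:", path)
    hardened = shortest_path(HARDENED_GRAPH, "ws-01", "srv-db")
    print("path after unique local admin passwords:", hardened)
    for n in (1, 2, 3):
        # assumed per-hop figures purely for illustration
        print(f"{n} hop(s): success/undetected/both =", chain_odds(n, 0.5, 0.2))
```

Running it shows a three-hop path from ws-01 to srv-db in the sample graph, no path at all once the shared local admin password is gone (the attacker must start a new attack cycle rather than pivot), and the compounding of the assumed per-hop figures: with a 0.5 success and 0.2 detection chance per hop, a three-hop chain succeeds undetected only 0.064 of the time versus 0.4 for a single hop.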