Overview of MITRE ATT&CK Tactic: TA0008 - Lateral Movement

Introduction 

This article focuses on the Lateral Movement tactic and the techniques adversaries use to move across the network by remotely accessing systems. Lateral Movement is a crucial tactic in which adversaries expand their foothold from one compromised system to another within the network. They commonly use compromised accounts to access remote machines, applications, or services across the network. During this phase, adversaries may collect sensitive information, transfer or stage tools to facilitate additional compromise, pivot deeper into the environment, and interact with shared drives. They may also plant malicious files or modify shared content, which harms or compromises another system when legitimate users unknowingly open or execute the tainted data. Lateral Movement enables adversaries to position themselves closer to their ultimate objective while maintaining persistence across multiple hosts. 

 

Techniques and Sub-Techniques 

T1210 - Exploitation of Remote Services 

In this technique, adversaries exploit vulnerabilities in services running on a reachable system, such as SMB, RDP, MySQL, web servers, VMware ESXi, and vCenter, to gain access to additional systems or sensitive resources. They leverage flaws such as unpatched software and misconfigurations to move laterally across the network. 

T1534 - Internal Spearphishing 

Adversaries conduct phishing activities from legitimate user accounts, such as sending emails or messages with malicious attachments or links that redirect users to fake login pages. They target other internal users to steal sensitive information or trick them into revealing their credentials. 

T1570 - Lateral Tool Transfer 

Adversaries copy tools or files from one compromised system to another within the network to execute further malicious actions. They use built-in protocols and utilities such as SMB, Windows Admin Shares, scp, rsync, ftp, and sftp to seamlessly transfer files across internal systems. 

T1563 - Remote Service Session Hijacking 

In this technique, adversaries attempt to hijack active remote sessions such as SSH or RDP to move laterally and perform malicious actions on remote systems. Instead of logging in themselves, they take control of active sessions that legitimate users have established. 

  • T1563.001: SSH Hijacking
    Adversaries hijack an active Secure Shell (SSH) session established by a legitimate user. This hijack is typically performed by compromising the SSH agent or its associated socket. SSH is commonly used on Linux and macOS systems. 

  • T1563.002: RDP Hijacking
    Here, an adversary hijacks an active Remote Desktop (RDP) session. They use Terminal Services Control to capture the session number and take over the session without prompting the legitimate user. 

T1021 - Remote Services 

Adversaries leverage valid user accounts to establish remote sessions to other systems using services like SSH, RDP, VNC, and others. After compromising the user account, they use the account to authenticate and perform actions on remote systems, enabling lateral movement across the network. 

  • T1021.001 - RDP 
    Adversaries use compromised user accounts to log into systems via Remote Desktop Protocol (RDP). RDP provides interactive sessions, allowing attackers to access sensitive information and perform malicious actions on the remote system. 

  • T1021.002 - SMB/Windows Admin Share
    Adversaries use valid accounts to access remote network shares via the SMB protocol. They can steal sensitive information from shared drives and may also upload or place malicious content. 

  • T1021.003 - Distributed Component Object Model
    Adversaries use valid accounts to remotely interact with Windows systems through Distributed Component Object Model (DCOM). With administrator‑level credentials, attackers can abuse DCOM to remotely activate and execute COM objects on target machines. This enables them to run commands, launch applications, and perform other malicious actions. 

  • T1021.004 - SSH
    Secure Shell (SSH) is a service available on Linux, macOS, and ESXi systems to connect to remote machines. Attackers use valid accounts to access these systems and execute commands remotely using SSH. These credentials may include valid user passwords or compromised public‑private key pairs stored in authorized key files. 

  • T1021.005 - VNC
    Virtual Network Computing (VNC) allows screen sharing and remote control of another computer’s keyboard and mouse. It is a platform‑independent remote access service that attackers can abuse using compromised accounts to control other systems and perform malicious actions. 

  • T1021.006 - Windows Remote Management
    Adversaries use compromised accounts to remotely access other machines and perform malicious actions such as executing commands, modifying the registry, and managing services using Windows Remote Management (WinRM). 

  • T1021.007 - Cloud Services
    Adversaries use valid accounts that are synchronized or federated with on-premises identities to access cloud services and perform management tasks. They may connect to these services through the cloud web console, command-line interfaces (CLI), or cloud-specific PowerShell modules. 

  • T1021.008 - Direct Cloud VM connections
    Adversaries may use compromised accounts to directly access and manage cloud-hosted virtual machines through the cloud provider’s management console. With valid credentials, they can initiate remote sessions, modify VM configurations, and deploy malicious tools. 
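As an added detection example (not from the original article or from F5), the following Python flags an account that opens remote logon sessions (Windows Security event 4624 with logon type 3 or 10) on several distinct hosts within a short window, which is the footprint the RDP, SMB and WinRM sub-techniques above leave in host telemetry. The log lines, account names and host names are constructed for the example, and the simplified key=value event format is an assumption.

```python
"""Flag accounts that open remote logon sessions on many distinct hosts in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value form (not real telemetry).
# LogonType 3 = network logon (SMB, WinRM); LogonType 10 = RemoteInteractive (RDP).
# Computer is the host that accepted the logon; IpAddress is the source of the session.
SAMPLE_EVENTS = """\
2025-12-10T09:00:01 EventID=4624 TargetUserName=jdoe LogonType=10 Computer=WS-01 IpAddress=10.0.5.21
2025-12-10T09:00:40 EventID=4624 TargetUserName=jdoe LogonType=3 Computer=FS-01 IpAddress=10.0.5.21
2025-12-10T09:01:12 EventID=4624 TargetUserName=jdoe LogonType=3 Computer=DB-02 IpAddress=10.0.5.21
2025-12-10T09:01:55 EventID=4624 TargetUserName=jdoe LogonType=10 Computer=APP-03 IpAddress=10.0.5.21
2025-12-10T09:02:30 EventID=4624 TargetUserName=jdoe LogonType=3 Computer=WS-07 IpAddress=10.0.5.21
2025-12-10T09:03:00 EventID=4624 TargetUserName=asmith LogonType=2 Computer=WS-02 IpAddress=-
2025-12-10T10:15:00 EventID=4624 TargetUserName=asmith LogonType=3 Computer=FS-01 IpAddress=10.0.7.9
"""

REMOTE_LOGON_TYPES = {"3", "10"}  # interactive console logons (type 2) are not lateral movement


def parse_event(line):
    """Split one constructed log line into a dict of fields plus a parsed timestamp."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_fan_out(log_text, window=timedelta(minutes=5), min_hosts=4):
    """Return {account: hosts} for accounts that reach >= min_hosts distinct hosts
    through remote logons inside any sliding window of length `window`."""
    by_account = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("EventID") == "4624" and event.get("LogonType") in REMOTE_LOGON_TYPES:
            by_account[event["TargetUserName"]].append((event["ts"], event["Computer"]))

    alerts = {}
    for account, logons in by_account.items():
        logons.sort()  # chronological order so the window can slide forward
        start = 0
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1  # drop logons that fell out of the window
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[account] = alerts.get(account, set()) | hosts
    return alerts


if __name__ == "__main__":
    for account, hosts in find_fan_out(SAMPLE_EVENTS).items():
        print(f"possible lateral movement: {account} -> {sorted(hosts)}")
```

Tune `window` and `min_hosts` to the environment: administrators and scanners legitimately fan out, so pair this with an allow-list of service accounts rather than lowering the threshold.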

T1091 - Replication through Removable Media 

Adversaries use removable media such as USB drives or mobile devices to spread malware or malicious files to systems, mainly those that have limited or no network connectivity. They may also tamper with or rename executable files already present on the media so that they appear genuine, tricking users into executing them on their systems. 

T1072 - Software Deployment Tools 

Here, attackers target centralized configuration management and software deployment tools such as SCCM, Intune, and AWS Systems Manager. Because these tools are connected to many systems across the enterprise, compromising one makes it easier to execute malicious code on, and compromise, multiple machines within the network. 

T1080 - Taint Shared Content 

Adversaries take advantage of shared locations such as network drives or internal repositories to insert malicious scripts or embed harmful code within legitimate files. When other users access or execute the tainted content, their systems can become compromised, enabling the attacker to spread laterally across the network. 

T1550 - Use Alternate Authentication Material 

Alternate authentication materials are generated by systems after a user successfully authenticates, and they are used for subsequent access without requiring the user to repeatedly enter their username and password. These materials include NTLM hashes, Kerberos tickets, access tokens, and session cookies. Adversaries can abuse them to access other applications or sensitive systems, effectively bypassing normal authentication processes, and to maintain long-term access. 

  • T1550.001 - Application Access Token
    Adversaries use stolen application access tokens to make authorized API calls without repeatedly providing credentials. Using these tokens, attackers can access cloud resources, SaaS applications, and container-based applications. 

  • T1550.002 - Pass the Hash
    Pass the Hash (PtH) is a technique in which an attacker uses stolen password hashes to authenticate without needing the user’s actual plaintext password. These hashes are typically stolen using credential theft techniques. 

  • T1550.003 - Pass the Ticket
    Pass the Ticket (PtT) is a technique where adversaries use stolen Kerberos tickets to authenticate to systems without the actual user’s password. Attackers commonly use the OS Credential Dumping technique to steal these tickets. 

  • T1550.004 - Web Session Cookie
    Adversaries use stolen web session cookies to access web applications. After a legitimate user logs in to a web application, an attacker may steal the session cookie and reuse it in another browser as long as the user’s session remains active. These cookies are often obtained through Steal Web Session Cookie techniques. 
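As an added example that is not part of the original article, this Python sketch shows one way a web application can limit the value of a stolen session cookie (T1550.004): the cookie is HMAC-signed and bound to a fingerprint of the client that obtained it, so a copy replayed from a different client fails validation and can be logged and revoked. The signing key, the fingerprint inputs and all helper names are assumptions for illustration, not F5's mechanism.

```python
"""Session cookies bound to a client fingerprint so a replayed copy is rejected."""
import hashlib
import hmac
import secrets
import time

# Constructed per-deployment signing key; in production this comes from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def client_fingerprint(user_agent, tls_session_id):
    """Hypothetical binding material: attributes the server observes on every request."""
    return hashlib.sha256(f"{user_agent}|{tls_session_id}".encode()).hexdigest()


def issue_cookie(session_id, fingerprint, issued_at=None):
    """Build cookie value: session_id.fingerprint.issued_at.signature (no dots in fields)."""
    issued_at = int(time.time() if issued_at is None else issued_at)
    payload = f"{session_id}.{fingerprint}.{issued_at}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def validate_cookie(cookie, fingerprint, now=None, max_age=3600):
    """Return (session_id, 'ok') or (None, reason). Signature is checked before
    any field is trusted; a fingerprint mismatch means the cookie was presented
    by a client other than the one it was issued to."""
    try:
        session_id, bound_fp, issued_at, sig = cookie.split(".")
    except ValueError:
        return None, "malformed"
    payload = f"{session_id}.{bound_fp}.{issued_at}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None, "tampered"
    now = time.time() if now is None else now
    if now - int(issued_at) > max_age:
        return None, "expired"
    if not hmac.compare_digest(bound_fp, fingerprint):
        return None, "client mismatch"  # candidate for alerting and server-side revocation
    return session_id, "ok"


if __name__ == "__main__":
    legit = client_fingerprint("Mozilla/5.0", "tls-session-A")
    cookie = issue_cookie(secrets.token_hex(16), legit)
    print(validate_cookie(cookie, legit))
    print(validate_cookie(cookie, client_fingerprint("Mozilla/5.0", "tls-session-B")))
```

Binding only raises the bar: attributes an attacker can copy alongside the cookie (such as the User-Agent) add little, so pair this with short lifetimes and server-side session revocation.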

 

How can F5 help? 

F5 products such as BIG-IP, Distributed Cloud and NGINX help organizations prevent Lateral Movement by securing user sessions and mitigating risks such as session hijacking and cookie reuse attacks. They also provide strong defenses against user account compromise, which is the primary step adversaries use to initiate lateral movement. F5 offers deep visibility and real-time monitoring of system performance, application traffic, and network behavior, enabling rapid detection of anomalies and potential attacker activity. 

For more information, please contact your local F5 sales team.

 

Conclusion 

By understanding the MITRE ATT&CK Lateral Movement tactic and the techniques associated with it, organizations can implement proactive security measures such as enforcing MFA, segmenting internal networks, applying least-privilege access controls, protecting cookies against tampering, and continuously monitoring network and user behavior. These defenses significantly reduce an attacker’s ability to move within the environment, limit potential damage, and strengthen the organization’s overall security posture and resilience.

 

Published Dec 10, 2025
Version 1.0