Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain.
Tactic Overview
Tactic ID: TA0008 — Matrix: Enterprise — Techniques: 9
The Lateral Movement tactic represents a phase in the adversary lifecycle where the adversary is trying to move through your environment. This tactic is part of the MITRE ATT&CK Enterprise matrix and encompasses 9 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (9)
The following techniques are categorized under the Lateral Movement tactic in the MITRE ATT&CK Enterprise matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T1210 | Exploitation of Remote Services | Adversaries exploit vulnerabilities in remote services (SMB, RDP, SSH) to move laterally through the network. | T1210 |
T1534 | Internal Spearphishing | Adversaries send phishing messages within the internal network using compromised accounts to move laterally to additional systems. | T1534 |
T1570 | Lateral Tool Transfer | Adversaries transfer tools and files between systems within a compromised environment using internal protocols. | T1570 |
T1563 | Remote Service Session Hijacking (2 sub-techniques) | Adversaries hijack existing remote sessions (SSH, RDP) to move laterally without needing to authenticate. | T1563 |
T1021 | Remote Services (8 sub-techniques) | Adversaries use valid accounts to access remote services including RDP, SMB, SSH, VNC, WinRM, and cloud services for lateral movement. Contains 8 sub-techniques covering major remote access protocols. | T1021 |
T1091 | Replication Through Removable Media | Adversaries move onto systems by copying malware to removable media like USB drives that are then inserted into air-gapped or disconnected networks. | T1091 |
T1072 | Software Deployment Tools | Adversaries abuse enterprise software deployment tools like SCCM, Altiris, or Ansible to execute code across an environment. | T1072 |
T1080 | Taint Shared Content | Adversaries add malicious content to network shared drives to infect other users who access the shared resources. | T1080 |
T1550 | Use Alternate Authentication Material (4 sub-techniques) | Adversaries use stolen authentication material (hashes, tickets, tokens, cookies) to authenticate without knowing credentials. Includes Pass the Hash, Pass the Ticket, and web session cookies. | T1550 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Network segmentation
- Privileged access management
- Multi-factor authentication
- Disable unnecessary remote services
- Monitor lateral movement indicators
Detection Strategies
Effective detection of Lateral Movement techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Lateral Movement tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Lateral Movement Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026