ICS Lateral Movement consists of techniques adversaries use to pivot between systems in an ICS environment. This includes exploiting default and hardcoded credentials common in ICS devices, leveraging remote services like RDP and VNC, transferring tools between compromised systems, and using legitimate ICS protocols for program downloads to move between controllers.
Tactic Overview
Tactic ID: TA0109 — Matrix: ICS — Techniques: 7
The Lateral Movement tactic represents a phase in the adversary lifecycle where the adversary is trying to move through your ICS environment. This tactic is part of the MITRE ATT&CK ICS matrix and encompasses 7 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (7)
The following techniques are categorized under the Lateral Movement tactic in the MITRE ATT&CK ICS matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T0812 | Default Credentials | Adversaries use default manufacturer credentials that have not been changed to access ICS devices and systems. | T0812 |
T0866 | Exploitation of Remote Services | Adversaries exploit vulnerabilities in remote services used in ICS environments to gain access to control systems. | T0866 |
T0891 | Hardcoded Credentials | Adversaries exploit hardcoded credentials in ICS devices and firmware that cannot be changed by the operator. | T0891 |
T0867 | Lateral Tool Transfer | Adversaries transfer tools between systems within the ICS environment to support further operations. | T0867 |
T0843 | Program Download | Adversaries download programs or logic to controllers using legitimate ICS protocols to modify control system behavior. | T0843 |
T0886 | Remote Services | Adversaries use ICS remote services including RDP, VNC, and vendor-specific protocols for lateral movement. | T0886 |
T0859 | Valid Accounts | Adversaries use legitimate credentials to access ICS systems, often leveraging shared or default accounts common in OT environments. | T0859 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Change default credentials
- Network segmentation
- Multi-factor authentication
- Limit remote service access
- Monitor for anomalous ICS protocol traffic
Detection Strategies
Effective detection of Lateral Movement techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Lateral Movement tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Lateral Movement Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026