Lateral Movement in MITRE ATT&CK — Full Technical Explanation

1. What Is Lateral Movement?

Lateral Movement is the set of techniques adversaries use to move through a network after gaining initial access. Attackers perform lateral movement to:

  • Expand control to more valuable systems
  • Access internal services
  • Collect credentials
  • Reach domain controllers
  • Deploy malware or ransomware at scale

It is part of the post-compromise phase and typically follows Privilege Escalation and Credential Access.

In MITRE ATT&CK, lateral movement techniques fall under TA0008 – Lateral Movement.


🏗️ 2. Core Principles of Lateral Movement

2.1 Credential Reuse

Attackers harvest credentials through:

  • LSASS dumping (e.g., Mimikatz)
  • NTLM hash extraction
  • Kerberos tickets (TGTs/TGSs)

These credentials are used for:

  • SMB/WinRM login
  • RDP authentication
  • Kerberos ticket injections

2.2 Trust Exploitation

Adversaries exploit:

  • Shared admin accounts
  • Poor segmentation
  • Weak ACLs
  • Open RDP/SMB/SSH

Impersonation and delegation abuse can allow movement that blends in with legitimate administrative activity and does not trigger alerts.


2.3 Remote Service Invocation

Movement often uses existing remote administration protocols:

Windows:

  • SMB (PsExec semantics)
  • WMI
  • WinRM
  • RDP
  • Distributed Component Object Model (DCOM)

Linux/UNIX:

  • SSH
  • Remote shells
  • rsync/scp

2.4 Living-off-the-Land (LotL)

Modern attackers often avoid dropping custom malware and instead rely on built-in tools:

  • PowerShell (Invoke-Command) for remote execution
  • wmic.exe for remote process creation
  • ssh for key-based pivoting
  • schtasks.exe for remote job creation
  • net use for remote drive mounting

This hides movement within normal administrative traffic.


🔬 3. MITRE ATT&CK Lateral Movement Techniques (TA0008)

Below is a breakdown of each high-level technique with technical details.


T1210 – Exploitation of Remote Services

Adversaries exploit vulnerabilities to access remote machines.

Examples:

  • EternalBlue (MS17-010) → SMBv1 buffer overflow
  • RCE in RDP, vCenter, Confluence, Exchange
  • CVE-based exploitation (deserialization, SSRF, RCE)

Technical artifacts:

  • RPC anomalies
  • Malformed SMB packets
  • Rapid port scanning prior to exploitation

T1021 – Remote Services

Legitimate protocols used for malicious movement.

Windows:

  • SMB/PsExec: remote service creation
  • WMI: MOF or DCOM-based execution
  • WinRM: PowerShell Remoting
  • RDP: graphical remote connection

Linux/macOS:

  • SSH: key-based or password reuse
  • Telnet: legacy plaintext credential reuse

Indicators:

  • Unusual Event ID 4624 logons of Type 3 (network: SMB/WinRM/WMI) or Type 10 (RemoteInteractive: RDP)
  • Sudden spike in PowerShell Remoting

T1570 – Lateral Tool Transfer

Movement of tools across hosts.

Methods:

  • SMB copy (copy \\host\C$)
  • scp / sftp
  • PowerShell Base64-encoded file drop
  • Registry-based persistence via encoded payloads

Typical payloads:

  • Cobalt Strike beacons
  • Mimikatz
  • Rclone
  • Custom RAT droppers

T1046 – Network Service Discovery (pre-movement)

Attackers enumerate:

  • Open ports
  • Domain trusts
  • Network shares
  • LDAP queries for GPOs / users
  • Hosts via ARP sweep

Tools:

  • net view, arp -a
  • PowerView
  • Nmap

T1087 / T1069 – Account & Permission Enumeration

Used to identify high-value targets:

  • Domain Admins
  • Service accounts
  • Kerberos delegations

T1550 – Use of Stolen Credentials

Credential replay vectors:

  • Passing NTLM hashes (Pass-the-Hash)
  • Injecting Kerberos TGT/TGS (Pass-the-Ticket)
  • OAuth/SSO token theft (cloud lateral movement)

Key log sources:

  • 4768 / 4769 Kerberos ticket events
  • LSASS memory access attempts

T1557 – Adversary-in-the-Middle

Interception of traffic to obtain credentials:

  • NTLM relay
  • SMB relay
  • Kerberoasting

T1563 – Remote Service Session Hijacking

Hijacking active RDP or SSH sessions using:

  • Token impersonation
  • Session duplication
  • Virtual channel takeover

🧠 4. Operational Flow of Lateral Movement

Typical attacker sequence:

  1. Credential Harvesting – Dumping LSASS or capturing hashes
  2. Discovery – Mapping domain, hosts, shares
  3. Target Selection – Domain controllers, databases
  4. Credential Replay / Auth bypass
  5. Remote Execution – PsExec, PowerShell Remoting, WMI
  6. Tool Transfer – Dropping payloads or using LotL
  7. Privilege Escalation on new system
  8. Repeat until objective is achieved

🔥 5. Common Threat Actors Using Lateral Movement

APT29 (Cozy Bear)

  • Sophisticated Kerberos ticket forgery
  • Uses WMI + WinRM heavily

APT41

  • Hybrid cybercrime + espionage
  • Known for exploiting remote services

Conti / LockBit ransomware groups

  • Aggressive SMB + RDP propagation
  • Domain admin takeover within hours

🛡️ 6. Defensive Strategies

Detection

  • Logon anomalies (4624 type 3/10, 4625 failures)
  • WMI event subscriptions
  • Remote service creation (System log Event ID 7045, service installed)
  • PowerShell logs (Script Block Logging)
  • NTLM relay detection
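As an added example (not code from the original article) of the T1021 indicators and the detection bullets above, the following Python runs two checks over Windows events: an account reaching many distinct hosts through Type 3/10 logons inside a short window, and a 7045 service install that follows a remote logon by the same account on the same host (PsExec-style execution). The event dicts, their field names and the service name are constructed sample data, not a real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the dict keys are an assumed schema, not a real log format.
# 4624 = successful logon (Security log), 7045 = service installed (System log).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "event_id": 4624, "host": "WS-01", "user": "svc_backup", "logon_type": 3},
    {"ts": "2024-05-01T09:00:20", "event_id": 4624, "host": "WS-02", "user": "svc_backup", "logon_type": 3},
    {"ts": "2024-05-01T09:00:40", "event_id": 4624, "host": "WS-03", "user": "svc_backup", "logon_type": 10},
    {"ts": "2024-05-01T09:01:05", "event_id": 4624, "host": "FS-01", "user": "svc_backup", "logon_type": 3},
    {"ts": "2024-05-01T09:01:10", "event_id": 7045, "host": "FS-01", "user": "svc_backup", "service": "PSEXESVC"},
    {"ts": "2024-05-01T09:05:00", "event_id": 4624, "host": "WS-09", "user": "alice", "logon_type": 2},
    {"ts": "2024-05-01T10:00:00", "event_id": 4624, "host": "WS-10", "user": "bob", "logon_type": 3},
]
REMOTE_LOGON_TYPES = {3, 10}  # 3 = network (SMB/WinRM/WMI), 10 = RemoteInteractive (RDP)

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def remote_logon_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Accounts that reached >= min_hosts distinct hosts via remote logons inside one window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["event_id"] == 4624 and e.get("logon_type") in REMOTE_LOGON_TYPES:
            by_user[e["user"]].append((_ts(e), e["host"]))
    flagged = {}
    for user, logons in by_user.items():
        for i, (start, _) in enumerate(logons):  # slide the window over each logon
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

def service_install_after_remote_logon(events, window=timedelta(minutes=2)):
    """7045 on a host shortly after the same account logged on remotely: PsExec-style execution."""
    ordered = sorted(events, key=_ts)
    hits = []
    for i, e in enumerate(ordered):
        if e["event_id"] != 7045:
            continue
        for prior in ordered[:i]:
            if (prior["event_id"] == 4624 and prior["host"] == e["host"]
                    and prior["user"] == e["user"]
                    and prior.get("logon_type") in REMOTE_LOGON_TYPES
                    and _ts(e) - _ts(prior) <= window):
                hits.append((e["host"], e["user"], e["service"]))
                break
    return hits
```

On the sample data the first check flags svc_backup across four hosts within about a minute, and the second pairs the FS-01 service install with the remote logon five seconds earlier; tune the window and host threshold to the baseline of your own admin traffic.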

Prevention

  • Enforce MFA
  • Disable SMBv1
  • Segment networks
  • Limit admin account reuse
  • Implement Just-In-Time (JIT) administration

Hardening

  • LSASS protection (RunAsPPL)
  • Enable Credential Guard
  • Disable unnecessary remote services
  • Privileged Access Workstations (PAWs)

📊 7. MITRE Lateral Movement Summary Table