Lateral Movement

The adversary is trying to move through your environment.

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.


Techniques: 3
ID Name Description
VT0026 Exploitation of Remote Services Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
VT0025 Remote Service Session Hijacking Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.
.001 SSH Hijacking Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux, macOS and Windows 10 systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
VT0020 Remote Services Adversaries may use Valid Accounts to log into a service designed to accept remote connections, such as SSH, telnet, and VNC and perform actions as the logged-on user and its permissions.
.001 SSH Adversaries may use "living-off-the-land" approach and utilize Secure Shell (SSH) that is typically preinstalled on the victims' machines in order to perform Lateral Movement to other targets and to maintain External Remote Service.



Created: 26 November 2020

Last Modified: 26 November 2020