Mitre Att&ck Matrix has defined nine techniques to cover Lateral Movement. Lateral Movement is tied three ways, in terms of being the second least complicated category.
Exploitation of Remote Services is when a threat actor exploits remote systems operating internally to move from an initially compromised system to another. The methodology of the threat actor compromising the Remote Services would be similar to that used to gain Initial Access. The only difference is that it’s from an initially compromised internal system.
Internal Spearphishing is when a threat actor launches a spearphishing attack when the threat actor is inside the organization. A phishing attack could be successful if the victim believes it’s coming from a trusted source.
Lateral Tool Transfer is when a threat actor uploads needed tools to an initially compromised device and then transfers it to the internal system the threat actor compromised.
Remote Service Session Hijacking is when a threat actor hijacks an existing session on a remote service granting the threat actor access to a system with the privileges of the compromised user.
Remote Services are when a threat actor utilizes valid accounts to get into remote services running internally through an internal system.
Replication Through Removable Media is when a threat actor loads malware onto removable media to attempt to move laterally throughout the network. The idea is that an employee would find the removable media and insert it into a system in hopes of identifying who lost their media then the malware infects the device that it’s installed on.
Software Deployment Tools is when a threat actor targets software development tools installed throughout a network to obtain remote code execution to move laterally throughout the network.
Taint Shared Content is when a threat actor embeds malware into frequently used data. The result? Whenever a user tries to use the infected data, malware will execute, granting the threat actor access to another system.
Use Alternative Authentication Material is when a threat actor executes an attack such as pass-the-hash or even generates Kerberos tickets to move laterally throughout the network.