We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Mapping To Lateral Movement

When an adversary engages in a specific behavior, they are vulnerable to expose an unintended weakness. By looking at each ATT&CK activity, we can examine the weaknesses revealed and identify an engagement activity or activities to exploit this weakness. The following table outlines the Adversary Vulnerabilities and Engagement Activities that are available to the defender when the adversary engages in Lateral Movement behaviors.

Details
ATT&CK ID: TA0008

ATT&CK® Technique Adversary Vulnerability Engagement Activity Engagement Activity Description
Remote Services When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. Network Monitoring Monitor network traffic in order to detect adversary activity.
Remote Services When adversaries use previously stolen information to access or move laterally within an environment, they may reveal previous collection activities. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote Services When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote Services When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Application Diversity Present the adversary with a variety of installed applications and services.
Remote Services When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Software Deployment Tools When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Software Deployment Tools When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Software Deployment Tools When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Software Deployment Tools When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Software Deployment Tools When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Application Diversity Present the adversary with a variety of installed applications and services.
Taint Shared Content When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Taint Shared Content When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Taint Shared Content When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Taint Shared Content When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Taint Shared Content When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Taint Shared Content When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Taint Shared Content When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Information Manipulation Conceal and reveal both facts and fictions to support a deception story
Replication Through Removable Media When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. System Activity Monitoring Collect system activity logs that can reveal adversary activity.
Replication Through Removable Media When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. Software Manipulation Make changes to a system's software properties and functions to achieve a desired effect.
Replication Through Removable Media When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Replication Through Removable Media When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. API Monitoring Monitor local APIs that might be used by adversary tools and activity.
Replication Through Removable Media When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. Peripheral Management Manage peripheral devices used on systems within the network for engagement purposes.
Replication Through Removable Media When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. Migrate Attack Vector Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Replication Through Removable Media When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. Isolation Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion an engagement beyond desired limits.
Replication Through Removable Media When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation of Remote Services When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Exploitation of Remote Services When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation of Remote Services When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Exploitation of Remote Services When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. Application Diversity Present the adversary with a variety of installed applications and services.
Use Alternate Authentication Material When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Use Alternate Authentication Material When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Remote Service Session Hijacking When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote Service Session Hijacking When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse. Pocket Litter Place data on a system to reinforce the legitimacy of the system or user.
Remote Service Session Hijacking When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. Security Controls Alter security controls to make the system more or less vulnerable to attack.
Remote Service Session Hijacking When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. Decoy Artifacts and Systems Introduce impersonations to expand the scope of a deceptive story.
Remote Service Session Hijacking When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Lateral Tool Transfer When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. Network Monitoring Monitor network traffic in order to detect adversary activity.
Lateral Tool Transfer When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. Network Manipulation Make changes to network properties and functions to achieve a desired effect.
Stay tuned for more mappings with this tactic.