TA0008: Lateral Movement
The adversary is trying to move through your environment.
Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target, then pivoting through multiple systems and accounts to gain access to it. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
Analyst context for executives and security teams
Lateral Movement matters because it is the point where an intrusion can stop being a single compromised system and become an enterprise incident. The ATT&CK tactic describes adversaries entering and controlling remote systems, often by pivoting through multiple systems and accounts using either remote access tools or legitimate credentials and native tools. For leaders, the practical question is whether the organization can see, contain, and explain movement between systems before the adversary reaches higher-value targets.
Executive priority
Treat this as a resilience and incident-readiness priority, not only a detection problem. Executives should ask whether identity controls, network segmentation, endpoint visibility, and incident response procedures are strong enough to limit an adversary who already has some access. Because the object does not specify platforms or detection guidance, local risk decisions should be based on which critical systems, privileged accounts, and remote administration paths would enable business disruption if abused.
Technical view
SOC, detection, and IR teams should validate whether they can reconstruct movement across systems and accounts. The core defensive need is correlation: account use, remote sessions, endpoint activity, and network paths must be linkable during an investigation. Since the ATT&CK object notes both adversary-installed remote access tools and legitimate credentials with native network or operating system tools, coverage should include both suspicious tooling and abuse of normal administrative behavior. No platform-specific assumptions should be made from this object alone.
Likely telemetry
- Authentication and account logon records across systems
- Remote access and remote session records
- Endpoint process execution and service activity
- Network connection and flow records between internal systems
- Credential and privileged account usage evidence
Detection direction
- Validate whether alerts can identify unusual system-to-system access patterns rather than only malware signatures.
- Correlate account activity with host and network telemetry to distinguish routine administration from unexpected pivots.
- Review false positives from legitimate IT operations, especially native operating system and network tools used for administration.
- Check for blind spots where remote access, internal network traffic, or endpoint activity is not logged consistently.
- Because no official detection text or platform scope is provided, tune detections against local baselines and critical asset paths.
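The correlation the Technical view and the Detection direction list ask for, as an added example that is not part of the ATT&CK object or of this page's original text: a Python script over constructed logon records (pipe-delimited timestamp|account|source host|destination host|kind; the field layout, host and account names, per-account baselines, windows and thresholds are all assumptions to be mapped onto your own authentication, remote-session and network telemetry). It flags three things: an account fanning out to hosts outside its baseline within a window, pivot chains where one logon's destination becomes the source of the account's next hop, and interactive remote sessions that did not originate from a host approved for administration. The it-admin account's routine work from jump01 is included deliberately so the baseline suppresses it, which is the false-positive handling the list calls for.

```python
"""Correlate logon records into lateral-movement indicators.

Added example, not code from the ATT&CK page. The log format, host and
account names, baselines and thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    ts: datetime
    account: str
    src: str   # host the session came from
    dst: str   # host that accepted the logon
    kind: str  # "network" (share/RPC style) or "remote-interactive" (RDP/SSH style)


# Constructed sample: timestamp|account|source host|destination host|kind
SAMPLE_LOG = """\
2024-03-04T09:00:05Z|jdoe|ws-jdoe|fs01|network
2024-03-04T09:01:10Z|jdoe|ws-jdoe|app02|network
2024-03-04T09:03:40Z|jdoe|app02|db01|network
2024-03-04T09:05:12Z|jdoe|db01|dc01|remote-interactive
2024-03-04T09:10:00Z|it-admin|jump01|fs01|remote-interactive
2024-03-04T09:11:00Z|it-admin|jump01|fs02|remote-interactive
2024-03-04T09:12:00Z|it-admin|jump01|app02|remote-interactive
2024-03-04T09:20:00Z|svc-backup|bk01|fs01|network
"""

# Assumed local baselines: hosts each account routinely reaches, and the
# hosts from which interactive remote administration is approved.
BASELINE_HOSTS = {
    "jdoe": {"fs01", "mail01"},
    "it-admin": {"fs01", "fs02", "app02", "db01"},
    "svc-backup": {"fs01", "fs02"},
}
APPROVED_ADMIN_SOURCES = {"it-admin": {"jump01"}}


def parse_logons(text):
    """Parse the constructed pipe-delimited format into time-ordered Logon records."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, src, dst, kind = line.split("|")
        out.append(Logon(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, src, dst, kind))
    return sorted(out, key=lambda e: e.ts)


def _by_account(logons):
    groups = defaultdict(list)
    for e in sorted(logons, key=lambda e: e.ts):
        groups[e.account].append(e)
    return groups


def find_fanout(logons, baseline, window=timedelta(hours=1), threshold=3):
    """Accounts reaching at least `threshold` hosts outside their baseline within one window."""
    alerts = []
    for acct, events in _by_account(logons).items():
        known = baseline.get(acct, set())
        for i, start in enumerate(events):
            new_hosts = {e.dst for e in events[i:]
                         if e.ts - start.ts <= window and e.dst not in known}
            if len(new_hosts) >= threshold:
                alerts.append((acct, start.ts, sorted(new_hosts)))
                break  # one alert per account; later windows would only repeat it
    return alerts


def find_pivot_chains(logons, window=timedelta(hours=2), min_hops=2):
    """Paths where the destination of one logon is the source of the account's next hop."""
    results = []
    for acct, events in _by_account(logons).items():
        ending_at = {}  # host -> longest chain of Logon records currently ending there
        for e in events:
            prev = ending_at.get(e.src)
            chain = prev + [e] if prev and e.ts - prev[0].ts <= window else [e]
            if len(chain) > len(ending_at.get(e.dst, [])):
                ending_at[e.dst] = chain
        chains = [c for c in ending_at.values() if len(c) >= min_hops]
        for c in chains:
            if any(len(o) > len(c) and o[:len(c)] == c for o in chains):
                continue  # a longer chain already contains this one
            results.append((acct, [c[0].src] + [h.dst for h in c]))
    return results


def find_unapproved_remote_admin(logons, approved):
    """Interactive remote sessions that did not originate from an approved admin host."""
    return [e for e in logons
            if e.kind == "remote-interactive" and e.src not in approved.get(e.account, set())]


LOGONS = parse_logons(SAMPLE_LOG)

if __name__ == "__main__":
    for a in find_fanout(LOGONS, BASELINE_HOSTS):
        print("fan-out:", a)
    for c in find_pivot_chains(LOGONS):
        print("pivot chain:", c)
    for e in find_unapproved_remote_admin(LOGONS, APPROVED_ADMIN_SOURCES):
        print("unapproved remote admin:", e.account, e.src, "->", e.dst)
```

On the constructed sample, jdoe is reported by all three checks (three hosts outside the baseline within an hour, the chain ws-jdoe to app02 to db01 to dc01, and an interactive session into dc01 from db01 rather than from an approved administration host), while it-admin's three sessions from jump01 produce nothing because both its destination baseline and its approved source cover them. The chain logic keys on the account only; in practice the same hop-linking is worth running on the credential or session identifier as well, since an adversary who changes accounts mid-path would otherwise break the chain.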
Mitigation priorities
- Prioritize least privilege and strong governance for accounts that can access multiple systems.
- Segment access to critical systems so compromise of one host or account does not automatically enable broad movement.
- Harden and monitor approved remote administration mechanisms.
- Ensure endpoint, identity, and network logs are retained and correlated for incident response.
- Exercise IR playbooks for containment of compromised accounts and remote system access.
Analyst notes and limits
This take is based on ATT&CK tactic TA0008, Lateral Movement, in the enterprise domain. The supplied object is high-level and has no relationship context, platforms, or official detection text, so the defensive value comes from translating the tactic description into validation questions for identity, SOC, IR, and network control coverage.
The supplied ATT&CK fields do not identify specific techniques, platforms, procedures, adversary groups, software, mitigations, or detections. Any assessment of exposure, detection coverage, or control effectiveness requires local environment data and technique-level mapping.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 08ed439673e0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack TA0008
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.