TA0033: Lateral Movement
The adversary is trying to move through your environment.
Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.
Analyst context for executives and security teams
Lateral Movement matters because it is the point where an intrusion may stop being isolated to one device or account and become an environment-wide incident. In the mobile ATT&CK context, the supplied object is broad: adversaries are trying to move through the environment by accessing or controlling remote systems on a network, and this may not require deploying extra tools.
Executive priority
Treat this as a resilience and incident-scope question: if one managed asset or identity is compromised, can the organization prove where else it connected, what it accessed, and whether remote control occurred? Budget and control decisions should prioritize visibility across network paths, identity/session activity, managed device inventory, and incident response processes that can quickly determine blast radius. Because ATT&CK provides no platform, detection, or relationship detail for this tactic here, leaders should require local validation rather than assuming existing tools cover it.
Technical view
SOC, detection, and IR teams should validate whether they can observe access and control attempts between systems, not only tool execution. Since the official detection field is not provided and no technique relationships are supplied, coverage should be mapped locally to the specific remote-access methods, authentication flows, device-management paths, and network segments in use. Detection logic should distinguish expected administrative or management activity from unusual peer-to-peer, cross-segment, or identity-driven access patterns.
Likely telemetry
- Network connection metadata between managed assets and remote systems
- Authentication, session, and account-use logs where available
- MDM/UEM or managed-device inventory and compliance state
- Endpoint or mobile security telemetry where deployed
- Remote administration, service access, or management-plane audit logs
Detection direction
- Confirm telemetry exists before writing detections; the ATT&CK object provides no official detection guidance.
- Baseline normal remote access and administration patterns, then tune for unusual destinations, timing, accounts, or cross-environment movement.
- Correlate network activity with identity/session logs and device inventory to avoid treating isolated connection events as confirmed compromise.
- Account for false positives from legitimate IT operations, device management, troubleshooting, and automated services.
- Do not assume coverage for specific mobile platforms or techniques; none are specified in the supplied ATT&CK fields.
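The correlation described in the list above, as an added example that is not part of the ATT&CK object or of Glexia's tooling. Every field name, host, account and segment label below is a constructed assumption; map them to your own telemetry schema.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry; all names and fields are hypothetical.
INVENTORY = {
    "phone-017": {"segment": "mobile"},
    "mdm-01": {"segment": "mgmt"},
    "fileshare-02": {"segment": "corp"},
    "hr-db-01": {"segment": "restricted"},
}
MGMT_SOURCES = {"mdm-01"}                   # expected management-plane initiators
BASELINE = {("phone-017", "fileshare-02")}  # (src, dst) pairs seen while baselining

CONNECTIONS = [
    {"ts": "2024-05-01T09:00:00", "src": "mdm-01", "dst": "phone-017"},
    {"ts": "2024-05-01T09:05:00", "src": "phone-017", "dst": "fileshare-02"},
    {"ts": "2024-05-01T02:13:00", "src": "phone-017", "dst": "hr-db-01"},
    {"ts": "2024-05-01T02:40:00", "src": "phone-017", "dst": "10.9.9.9"},
]
SESSIONS = [
    {"ts": "2024-05-01T02:13:20", "src": "phone-017", "dst": "hr-db-01",
     "account": "svc-backup", "result": "success"},
]

def triage(connections, sessions, inventory, baseline, mgmt_sources,
           window=timedelta(minutes=2)):
    """Flag off-baseline connections and grade them by identity correlation."""
    findings = []
    for c in connections:
        pair = (c["src"], c["dst"])
        # Suppress known management traffic and baselined pairs (false positives).
        if c["src"] in mgmt_sources or pair in baseline:
            continue
        reasons = ["pair not in baseline"]
        src, dst = inventory.get(c["src"]), inventory.get(c["dst"])
        if dst is None:
            reasons.append("destination not in inventory")
        elif src and src["segment"] != dst["segment"]:
            reasons.append(f"cross-segment {src['segment']}->{dst['segment']}")
        t = datetime.fromisoformat(c["ts"])
        accounts = sorted({
            s["account"] for s in sessions
            if (s["src"], s["dst"]) == pair and s["result"] == "success"
            and abs(datetime.fromisoformat(s["ts"]) - t) <= window
        })
        # A lone connection is only a lead; a matching session raises priority.
        severity = "investigate" if accounts else "review"
        findings.append({"ts": c["ts"], "src": c["src"], "dst": c["dst"],
                         "severity": severity, "accounts": accounts,
                         "reasons": reasons})
    return findings
```
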
Mitigation priorities
- Prioritize asset and identity inventory so responders can determine what a compromised system or account could reach.
- Limit unnecessary remote access paths and enforce least privilege for accounts and management functions.
- Use segmentation or access controls to reduce easy movement between systems where business operations allow.
- Ensure logging and retention support incident reconstruction of source, destination, account, and action.
- Exercise IR playbooks for blast-radius analysis after a suspected compromise.
Analyst notes and limits
This is a tactic-level object, not a technique. Its value is in prompting coverage validation: can the organization see and contain movement across its environment if an initial compromise occurs? The absence of relationships means defenders must map this tactic to local systems, access methods, and operational workflows.
The supplied ATT&CK fields include no platforms, no official detection text, and no relationship context. This take therefore avoids platform-specific claims, technique-specific procedures, attribution, active exploitation claims, or guarantees of detection coverage. Local architecture and telemetry are required to make this actionable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 66cce06e375a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack TA0033
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.