TA0109: Lateral Movement
The adversary is trying to move through your ICS environment.
Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. These techniques abuse default credentials, known accounts, and vulnerable services, and may also leverage dual-homed devices and systems that reside on both the IT and OT networks. The adversary uses these techniques to pivot to their next point in the environment, positioning themselves to where they want to be or think they should be. Following through on their primary objective often requires Discovery of the network and Collection to develop awareness of unique ICS devices and processes, in order to find their target and subsequently gain access to it. Reaching this objective often involves pivoting through multiple systems, devices, and accounts. Adversaries may install their own remote tools to accomplish Lateral Movement or leverage default tools, programs, and manufacturer set or other legitimate credentials native to the network, which may be stealthier.
Analyst context for executives and security teams
In ICS environments, lateral movement is the point where an intrusion can turn from an isolated system issue into an operational resilience problem. The ATT&CK object highlights adversaries moving across remote systems using default credentials, known accounts, vulnerable services, dual-homed IT/OT systems, and legitimate tools or credentials. For leaders, the practical question is whether the organization can see and control movement between IT and OT before an adversary reaches systems tied to industrial processes.
Executive priority
Treat this as a control-validation priority for segmentation, identity hygiene, remote access governance, and incident response readiness across ICS environments. Budget and audit discussions should focus on whether default or shared credentials are eliminated, whether dual-homed systems are known and justified, whether vulnerable services are prioritized in OT risk management, and whether SOC/IR teams have enough evidence to reconstruct pivots across multiple systems, devices, and accounts.
Technical view
Because no official detection guidance is provided for this tactic, defenders should validate coverage against the behaviors described in the ATT&CK text: use of default credentials, known accounts, vulnerable services, dual-homed IT/OT systems, remote tools, native tools, and legitimate manufacturer or local credentials. SOC and IR teams should confirm they can correlate authentication, network path, asset role, and remote access activity across IT and OT boundaries, especially following Discovery and Collection activity that may precede movement toward ICS targets.
Likely telemetry
- Authentication logs for known, shared, default, service, and manufacturer-associated accounts where available
- Remote access and remote administration activity logs from systems used to reach ICS environments
- Network flow or session metadata showing movement between IT and OT networks and within OT segments
- Asset inventory and network mapping data identifying dual-homed systems and systems bridging IT and OT
- Service exposure and vulnerability management data for remotely reachable services
Detection direction
- Baseline normal remote access paths into and within the ICS environment, then investigate deviations involving new source systems, unusual account use, or unexpected cross-zone connections.
- Correlate Discovery and Collection indicators with subsequent remote access or authentication events, since the ATT&CK description notes these often support movement toward an ICS target.
- Prioritize visibility on dual-homed systems and systems that reside on both IT and OT networks, as these can become high-value pivot points.
- Tune detections to distinguish approved maintenance, manufacturer support, and administrative activity from unusual timing, source, destination, or credential patterns.
- Account for blind spots where ICS assets lack endpoint logging, where legacy systems cannot run agents, or where legitimate credentials make activity appear normal.
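One way to put the first three bullets into practice, as an added example that is not part of the ATT&CK object or Glexia's tooling: a small triage pass over constructed cross-zone session records that flags OT-bound sessions from an unbaselined (source, account) pair, sessions using watched default or manufacturer-style accounts, and sources that were themselves reached from IT just before pivoting into OT. Hosts, zones, accounts and the baseline set are all hypothetical placeholders.

```python
"""Cross-zone session triage for ICS lateral movement (added example)."""

# Approved remote-access paths into OT as (source host, account) pairs.
# Constructed values standing in for a site-specific baseline.
BASELINE_OT_PATHS = {("jump-01", "ot-maint"), ("jump-01", "vendor-svc")}

# Default / manufacturer-style accounts that warrant review whenever they
# cross a zone boundary. Constructed placeholders.
WATCHED_ACCOUNTS = {"admin", "operator", "vendor-default"}

# Constructed session metadata: (timestamp, src, src_zone, dst, dst_zone, account).
SAMPLE_SESSIONS = [
    (100, "ws-it-07", "IT", "jump-01", "DMZ", "alice"),
    (110, "jump-01", "DMZ", "plc-hmi-02", "OT", "ot-maint"),        # approved path
    (120, "ws-it-07", "IT", "eng-ws-03", "IT", "alice"),            # reaches a dual-homed host
    (130, "eng-ws-03", "IT", "plc-hmi-02", "OT", "admin"),          # pivot with default account
    (140, "vendor-laptop", "IT", "plc-hmi-02", "OT", "vendor-svc"), # right account, wrong source
]


def flag_sessions(sessions):
    """Return (ts, src, reason) findings for OT-bound sessions that deviate
    from the baseline, use a watched account, or originate from a host that
    was itself reached from IT earlier (a dual-homed pivot pattern)."""
    findings = []
    reached_from_it = set()  # hosts already seen as destination of an IT-sourced session
    for ts, src, src_zone, dst, dst_zone, account in sorted(sessions):
        if dst_zone == "OT" and src_zone != "OT":
            approved = (src, account) in BASELINE_OT_PATHS
            if not approved:
                findings.append((ts, src, "unbaselined path into OT"))
            if account in WATCHED_ACCOUNTS:
                findings.append((ts, src, "watched default/manufacturer account across zones"))
            if not approved and src in reached_from_it:
                findings.append((ts, src, "source was reached from IT before pivoting into OT"))
        if src_zone == "IT":
            reached_from_it.add(dst)
    return findings


if __name__ == "__main__":
    for ts, src, reason in flag_sessions(SAMPLE_SESSIONS):
        print(f"t={ts} src={src}: {reason}")
```

The approved jump-host session produces no finding, while the engineering workstation pivot yields three reasons at once, which is the kind of stacked evidence worth correlating with earlier Discovery or Collection activity.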
Mitigation priorities
- Inventory and justify IT/OT interconnections, dual-homed systems, and remote access paths before investing in more complex detection logic.
- Reduce credential risk by removing default credentials where possible, governing known/shared/manufacturer credentials, and limiting account reach across ICS systems.
- Prioritize remediation or compensating controls for vulnerable services that are reachable from adjacent systems or IT/OT boundary points.
- Segment and restrict remote access paths so that movement requires controlled, monitored, and auditable transitions between zones.
- Harden and monitor systems used for administration, maintenance, and vendor access because legitimate tools and credentials may be used for stealthier movement.
Analyst notes and limits
This is an ICS ATT&CK tactic, not a specific technique. The object provides strategic behavior and examples of enabling conditions, but no platform list, no official detection text, and no relationship context. Use it as a planning and validation lens for ICS lateral movement coverage rather than as a standalone analytic.
Assessment must be completed with local architecture, asset inventory, identity data, remote access design, and logging reality. The supplied ATT&CK fields do not identify specific affected platforms, tools, procedures, actors, campaigns, or active exploitation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 044636ffcd4b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: TA0109 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.