Lateral Movement
ID: S1008
Description: Lateral movement is the process of an attacker moving from one system to another within a network after they have gained initial access to a system. This can be done through a variety of methods, such as exploiting vulnerabilities in software, using stolen credentials, installing their own remote access tools, or using native system utilities.
Are there any new accounts that have been created? F1021
- Q1058 What domain accounts have been created?
- Q1059 What local accounts have been created?
Are the indications of an attacker moving FROM this host to another? F1027
Once an attacker has access to a system, they may want to use it to pivot to a different system. This movement, from a source host to a destination host, leaves traces on both the source and destination hosts. A given system may be both the source and destination of lateral movement at different times. This facet examines a host for indications it was the source host, meaning an attacker moved FROM it to a different destination system.
Are the indications of an attacker moving TO this host? F1028
Once an attacker has access to a system, they may want to use it to pivot to a different system. This movement, from a source host to a destination host, leaves traces on both the source and destination hosts. A given system may be both the source and destination of lateral movement at different times. This facet examines a host for indications it was the destination host, meaning an attacker moved TO it from a different system.