Lateral Movement - TA0008
Lateral Movement - TA0008
EDRmetry Linux Matrix For Download / Self-Hosted - Comprehensive Hands-On Attack TTPs Catalog
3. Research and emulation of Linux threats
3. Research and emulation of Linux threats
Objective:
Move across systems or networks to reach additional targets. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
-
ID: TA0008
Linux Context:
SSH is the linchpin of lateral movement on Linux, using stolen keys or passwords
ssh user@target -i key). Tools likescp, rsync, orsftptransfer files between hosts, while misconfigured services (e.g., Samba, NFS) offer exploitable paths. In cloud setups, attackers pivot via Kubernetes pod-to-pod communication or IAM role abuse. Advanced techniques include SSH tunneling or exploiting vulnerabilities. Ansible or Puppet misconfigurations may also enable mass execution.
Key Techniques:
Remote Services (T1021): SSH-based pivoting.
Exploitation of Remote Services (T1210): Attacking unpatched services.
Internal Spearphishing (T1534): Targeting internal Linux users.
Linux Example:
Running ssh -i stolen_key admin@dbserver to access a database host, or exploiting an NFS share to mount a remote filesystem.
Defender Strategies:
Disable password-based SSH, enforce key rotation, and segment networks with iptables/FW. Monitor lateral traffic with NetFlow.
The current list of corresponding EDRmetry test definitions includes:
EDR-T6125 - Create a SOCKS proxy with ssh
EDR-T6258 - DarkFlare TCP over CDN Tunneling
EDR-T6186 - DNS Zone Transfer
EDR-T6350 - DNS Potentially Suspicious Requests
EDR-T6071 - Drop Malicious Files Remotely
EDR-T6057 - Execute Port Scanning
EDR-T6226 - Execute SSHD as a victim user
EDR-T6255 - FRP Fast Reverse Proxy
EDR-T6131 - Hijack SSH Client Session
EDR-T6192 - Ligolo-ng Reverse TCP/TLS Tunneling
EDR-T6323 - linWinPwn - Pentesting AD from Linux
EDR-T6016 - Network ping sweep
EDR-T6200 - Ngrok Tunneling
EDR-T6035 - Proxychains TOR connection
EDR-T6189 - Reverse SOCKS5 proxy
EDR-T6160 - Socks Proxy from Tomcat JSP
EDR-T6334 - SoaPy - Pentesting AD WS from Linux
EDR-T6033 - SSH Linux Tunneling
EDR-T6246 - SSHD Manipulation in sshd_config.d
EDR-T6266 - Tailscale Tunneling
EDR-T6074 - Visit malicious Threat Intel URL