The adversary is trying to move through your environment.
Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
| ID | Name | Description | |
| T2048 | Backend Remote Services | Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. | |
| T2052 | ECU Exploitation | Adversaries may exploit Electronic Control Units (ECUs) to perform lateral movement within a vehicle's network. ECUs are specialized embedded systems that control various functions within modern vehicles, such as engine management, airbags, and braking systems. By gaining access to one ECU, adversaries can potentially compromise the integrity of the vehicle's network and manipulate other connected ECUs.Adversaries may leveraging existing vulnerabilities in ECUs. For instance, an adversary might first compromise an infotainment system connected to the internet and then move laterally to more sensitive ECUs like those related to steering or braking. This technique may require specialized knowledge of the vehicle's network architecture and the communication protocols used, such as CAN bus, LIN, or FlexRay. | |
| T2051 | Exploitation of Backend Remote Services | Adversaries may exploit backend remote services to gain unauthorized access to backend service once inside of the vehicle. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. | |
| T2054 | Exploitation of Remote Services in In-Vehicle Network | Adversaries may exploit remote services in In-Vehicle network to gain unauthorized access to internal systems once inside of the vehicle. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. | |
| T2056 | Remote services in In-Vehicle Network | Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. | |