Lateral Movement
Details
| Field | Value |
|---|---|
| ID | PT0007 |
| MITRE ATT&CK ID | TA0008 |
| Created | 2026-06-22 |
| Last Modified | 2026-06-22 |
| Contributors | slashsec |
Description
The adversary is trying to move through the facility or campus.
Lateral Movement consists of techniques for crossing zones, floors, buildings, or air-gapped areas after initial entry. Examples include using internal doors, elevators, loading docks, and inter-building connectors while avoiding or defeating intermediate access controls.
Techniques
| ID | Name | Description |
|---|---|---|
| P0007 | Social Engineering | Adversaries may manipulate people to obtain access, information, or assistance at a target facility. This includes impersonation, authority appeals, urgency, and other influence tactics at entry points, reception areas, or during escorted movement. |
| P0007.001 | Exploit Business Process | Adversaries may exploit missing, ambiguous, or unenforced business processes to gain access or avoid scrutiny. Weak processes for visitor handling, deliveries, escorts, after-hours access, and contractor workflows can be abused through pretext, policy gaps, or inconsistent enforcement. |
| P0007.002 | Impersonate Staff or Vendor | Adversaries may present themselves as employees, contractors, or vendor personnel to appear legitimate during entry and movement. Impersonation pairs with dress, tools, and behavior expected for the claimed role. |
| P0007.003 | Pose as Visitor or Guest | Adversaries may act as visitors, interview candidates, guests, or event attendees to blend with normal foot traffic. Visitor pretexts often face lighter challenge at reception when appearance and behavior match expected patterns. |
| P0007.004 | Employ Pretext in Conversation | Adversaries may use a prepared cover story when interacting with staff, security, or reception during operations. Consistent pretext in conversation reinforces legitimacy and deflects casual questions about purpose or destination. |
| P0007.005 | Wear Cover Dress | Adversaries may wear clothing, uniforms, PPE, or accessories that match expected roles at the facility during live operations. Cover dress reduces scrutiny compared to out-of-place attire and supports blending with staff, vendors, or visitors. |
| P0007.006 | Employ Pretext via Phone Calls | Adversaries may use a prepared cover story during phone calls to staff, security, reception, or help desks to obtain information or assistance without physical presence at the facility. Phone pretexts can elicit facility details, access procedures, or identities useful for planning and later tactics. |
| P0007.007 | Employ Pretext via Email | Adversaries may use a prepared cover story in email to staff, contractors, or shared mailboxes to obtain information or assistance without physical presence at the facility. Email pretexts can request layouts, visitor procedures, or organizational details that support planning and later tactics. |
| P0009 | Bypass Physical Access Controls | Adversaries may circumvent physical access controls without exploiting a specific design flaw. Bypass methods defeat or avoid locks, doors, windows, and perimeter barriers through force, manipulation, or alternate paths. |
| P0009.001 | Bypass Window | Adversaries may bypass window-based physical barriers to enter a facility or controlled area. This includes breaking glass, defeating latches, removing panes, or using unsecured or operable windows as entry points. |
| P0009.002 | Bypass Door | Adversaries may bypass door-based access controls to enter restricted areas. This includes lock picking, shimming, forcing doors, removing hinge pins, or exploiting gaps in door hardware (for example, under-the-door tools). |
| P0009.003 | Bypass Perimeter Controls | Adversaries may bypass perimeter security controls such as fencing, gates, bollards, or vehicle barriers. Methods include cutting, climbing, lifting, wedging, or using unmanned access points along the facility boundary. |
| P0010 | Exploit Physical Access Weaknesses | Adversaries may take advantage of misconfigurations, poor maintenance, or unintended gaps in physical security. Exploitation targets weaknesses such as unsecured perimeter controls or openings left unrestricted. |
| P0010.001 | Exploit Perimeter Controls | Adversaries may exploit weaknesses in perimeter controls such as gaps in fencing, inoperative sensors, misaligned gates, or schedules that leave boundaries unmonitored. Exploitation uses the control failure rather than direct force against the barrier. |
| P0010.002 | Exploit Unrestricted Opening | Adversaries may exploit doors, windows, loading docks, or other openings left unlocked, propped open, or without required access controls. Unrestricted openings allow entry without defeating hardware or credentials. |
| P0010.003 | Exploit Request-to-Exit Sensor | Adversaries may exploit request-to-exit sensors that unlock doors from the secure side without credential validation. Triggering motion detectors, pressure mats, or push plates from outside the controlled area can unlock secured doors without valid credentials. |
| P0017 | Cross Security Zone | Adversaries may move between defined security zones within or across facilities after initial access. Zone crossings exploit gaps between perimeter and interior controls, inconsistent badge enforcement, or transition areas such as lobbies and mantraps. |
| P0017.001 | Cross Zone via Internal Door | Adversaries may pass through interior doors, turnstiles, or mantraps that separate security zones within the same building. This includes using valid credentials, tailgating, or exploiting doors held open during transitions between public and restricted areas. |
| P0017.002 | Cross Zone via Inter-Building Connector | Adversaries may move between buildings or structures using skybridges, underground tunnels, shared atria, or campus connectors. Inter-building paths can bypass perimeter controls applied at each building's main entry. |
| P0018 | Use Vertical Circulation | Adversaries may move between floors using stairs, elevators, or other vertical circulation paths. Floor-to-floor movement can bypass zone controls that are enforced only at building entry or on selected levels. |
| P0018.001 | Use Stairwell | Adversaries may use stairwells to change floors, including emergency stairs and tenant stairs that connect multiple levels. Stairwell doors may be propped open, may be passed by following other traffic, or may accept credentials that differ from elevator floor selections. |
| P0018.002 | Use Elevator | Adversaries may use passenger or freight elevators to reach other floors, including riding with authorized personnel or using credentials, keys, or elevator codes scoped beyond their intended area. |
| P0018.003 | Use Exterior Access or Climbing | Adversaries may use exterior building features to reach other floors or secured areas without passing interior access controls. This includes exterior emergency stairways, fire escapes, and ledges, as well as climbing or rappelling to and from upper floors, roofs, or windows that are less monitored than main entries. |
| P0019 | Use Service Route | Adversaries may traverse back-of-house paths such as loading docks, utility corridors, mail rooms, and maintenance tunnels to reach areas not visible from public spaces. Service routes often have lighter monitoring or fewer credential checks than main entries. |
| P0038 | Manipulate Electronic Access Control | Adversaries may tamper with electronic access hardware such as card readers, PIN pads, and electronic locks, or related wiring and controllers, to bypass, spoof, capture credentials, or hold access in an open state. Manipulated controls can enable initial entry, credential theft, movement between zones, or covert re-entry without valid credentials while appearing operational. |
| P0038.001 | Implant Covert Capture Device | Adversaries may install concealed hardware inside or behind card readers and PIN pads to intercept credential data passed to access controllers. Implants may sit inline on reader wiring or within the enclosure, capturing badge reads and PIN entry for later use while leaving the device outwardly functional. |