Expanding Control
Expanding Control consists of techniques adversaries use to broaden their reach beyond the initially compromised component—gaining credentials, discovering additional services, and moving laterally across application ecosystems. Attackers may harvest tokens, enumerate internal APIs and service dependencies, exploit trust between microservices, or hijack shared sessions. Expansion tactics enable compromise of multiple application tiers and increase the scope of potential impact.
Lateral Movement
Lateral Movement is a critical phase in advanced cyber attacks where adversaries, having gained initial access, seek to expand their foothold within a network. This tactic involves a range of techniques aimed at navigating between different systems, escalating privileges, and accessing high-value targets. Attackers often leverage legitimate administrative tools, abuse remote access protocols, or use stolen credentials to move stealthily across the network. Common methods include Remote Desktop Protocol (RDP) abuse, misuse of Windows Management Instrumentation (WMI) for remote execution, and pass-the-hash techniques. The ultimate goal is to locate and exfiltrate sensitive data, establish persistence, or pivot to more critical systems within the organization's infrastructure. Effective lateral movement often relies on a deep understanding of network topology and security controls, and because it blends in with legitimate administrative activity it is a challenging tactic to detect and defend against.
Credential Access
Credential Access encompasses techniques used by malicious actors to obtain, manipulate, or forge authentication credentials, such as usernames, passwords, and access tokens. Attackers exploit these methods to gain unauthorized entry, elevate privileges, or maintain persistence within target systems while evading detection. Common tactics include password spraying, credential dumping from memory, and intercepting network traffic to capture login information. By leveraging stolen or forged credentials, attackers can often bypass traditional security measures and operate under the guise of legitimate users, making their activities more challenging to detect and mitigate.
Discovery
Discovery encompasses the methodologies and techniques adversaries employ to gather intelligence about the target system and internal network infrastructure post-exploitation. Attackers leverage discovery tactics to orient themselves within the compromised environment, enumerate valuable assets, and identify potential pathways for lateral movement or privilege escalation. This phase often involves probing for information about system configurations, network topology, user accounts, and installed software. By meticulously mapping the target environment, attackers can make informed decisions about subsequent attack vectors, minimizing detection risk while maximizing the impact of their malicious activities.