Living Off the Land — Lateral Movement Complete Reference
MITRE ATT&CK TA0008 · All techniques, APT intelligence, detection rules, telemetry & D3FEND countermeasures
LOLLATERAL is a single-file, offline-capable interactive reference for MITRE ATT&CK TA0008 Lateral Movement. It is inspired by LOLEXFIL, LOLBAS, and LOLC2, extending the "Living Off the Land" reference format to cover every lateral movement technique with:
- Red team simulation commands
- APT threat actor intelligence with DFIR report links
- Threat intelligence source mapping (GreyNoise, Shodan, VirusTotal, MISP, etc.)
- Detection rules from SigmaHQ, Elastic, Splunk, Microsoft Sentinel, MITRE CAR
- Telemetry source mapping (Event IDs, Sysmon, CloudTrail, auditd, EDR)
- Interactive D3FEND defensive technique diagrams per ATT&CK technique
No server, no dependencies, no internet required. Open index.html in any modern browser.
```shell
git clone https://github.com/lolmitre/lollateral.git
cd lollateral
open index.html      # macOS
xdg-open index.html  # Linux
start index.html     # Windows
```

| Category | Count |
|---|---|
| Lateral Movement Techniques | 38 unique techniques |
| ATT&CK (Sub-)Technique IDs | 49 mapped IDs |
| APT / Threat Actor Entries | 146 across all techniques |
| Detection Patterns | 220+ telemetry-merged patterns |
| SigmaHQ Detection Rules | 27 direct search links |
| Elastic Detection Rules | 34 direct search links |
| Splunk ESCU Analytics | 33 direct search links |
| Microsoft Sentinel KQL | 10 detection links |
| MITRE CAR Analytics | 9 analytics linked |
| D3FEND Countermeasure Maps | 49 techniques mapped |
| Threat Intelligence Sources | 37 MISP Galaxy + GreyNoise/Shodan/OTX |
T1021.001 RDP · T1021.002 SMB/Admin Shares · T1021.003 DCOM · T1021.004 SSH · T1021.005 VNC · T1021.006 WinRM · T1021.007 Cloud Services · T1021.008 Direct Cloud VM
T1550.001 App Access Token · T1550.002 Pass-the-Hash · T1550.003 Pass-the-Ticket · T1550.004 Web Session Cookie · T1134.001/002 Token Impersonation
T1558.001 Golden Ticket · T1558.002 Silver Ticket · T1558.003 Kerberoasting · T1558.004 AS-REP Roasting · T1550.002+overpass Overpass-the-Hash · Kerberos Delegation Abuse · Kerbrute
T1563.001 SSH Hijacking · T1563.002 RDP Session Hijacking
T1003.006 DCSync · Mimikatz · LAPS Abuse · ACL/ACE Abuse
PsExec · WMI Remote Exec · Remote Scheduled Tasks · Process Injection · dcomexec/smbexec
CrackMapExec · Impacket Suite · BloodHound/SharpHound · NTLM Relay/Responder · MSSQL Linked Servers · Cobalt Strike · Sliver/Havoc/Metasploit · Chisel/Ligolo Pivoting
T1210 Remote Service Exploitation · PrintNightmare (CVE-2021-1675) · Zerologon (CVE-2020-1472)
GPO Abuse · SCCM/Software Deployment Tools · Taint Shared Content
Internal Spearphishing · Lateral Tool Transfer · Removable Media
- Expand/collapse individual cards or all at once
- Search across technique names, IDs, APT group names, tools, platforms
- Filter by platform (Windows/Linux/macOS/Cloud/Cross-platform)
- Filter by category (Remote Services, Kerberos, LOLBin, etc.)
- Filter by APT group — dropdown with all 140+ threat actor entries
- Filter by origin nation — Russia, China, Iran, North Korea, Criminal, etc.
- Filter by target sector — Healthcare, Government, Financial, etc.
- Active filter chips displayed with one-click removal
Each card contains:
- Simulation Command — ready-to-run red team commands (tools: Mimikatz, Impacket, CrackMapExec, Rubeus, evil-winrm, etc.)
- Simulation References — Atomic Red Team link, MITRE ATT&CK page, D3FEND link
- IOC Artifacts — file paths, registry keys, event IDs, process names, network indicators
- APT / Threat Actor Intelligence — actor name, alias, origin nation, active period, target sectors, victim organizations, DFIR reports (CISA advisories, DOJ indictments, vendor reports)
- Threat Intelligence Sources — GreyNoise tags, Shodan queries, OTX pulses, MISP galaxy links, VirusTotal hunts, Microsoft TI
- Detection Rules — linked rules from SigmaHQ, Elastic, Splunk, Sentinel, MITRE CAR
- Telemetry + Detection Patterns — merged table: log source → event IDs → detection context → severity
- D3FEND Defensive Technique Map — interactive SVG diagram showing applicable D3FEND countermeasures for the technique's artifact type (UserAccount / NetworkTraffic / ProcessImage / KerberosTicket)
Four artifact-mapped interactive diagrams (expand per-card):
- UserAccount — credential/token abuse techniques (9 D3FEND techniques, 5 tactics)
- NetworkTraffic — network lateral movement (8 D3FEND techniques, 4 tactics)
- ProcessImage — LOLBin/process injection (7 D3FEND techniques, 4 tactics)
- KerberosTicket — Kerberos attacks (6 D3FEND techniques, 3 tactics)
Nodes are colour-coded by tactic (Eviction/Hardening/Detection/Restore/Policy), hover for descriptions, click to open D3FEND.
```
index.html ← Single self-contained file (266 KB)
│
├── CSS ← Dark theme, IBM Plex Sans + Fira Code fonts
│
└── JavaScript
    ├── const tools[]         ← 38 technique objects (simulation, detections, IOCs)
    ├── const telData{}       ← Telemetry source mappings per technique
    ├── const extData{}       ← APT intel, TI sources, detection rule links
    ├── const aptExtra{}      ← APT enrichment (timeline, victims, DFIR reports, countries)
    ├── const D3G             ← D3FEND grid layout constants
    ├── const d3Diagrams{}    ← 4 interactive defensive technique diagrams
    ├── const d3TechMap{}     ← Technique → diagram type mapping
    ├── buildSections()       ← Renders APT table, TI, rules, teldetect, D3FEND
    ├── buildD3fendDiagram()  ← Generates responsive SVG diagram
    ├── render()              ← Main render with multi-filter logic
    └── Filter engine         ← APT/nation/sector multi-select dropdowns
```
Add an object to the tools array:

```javascript
{
  id: "T1234.001",
  name: "My Technique",
  category: "Remote Services", // see catBadgeMap for valid values
  platform: "Windows",
  desc: "Technique description.",
  attck: ["T1234.001"],
  signed: true,
  refs: 5,
  sim: `# simulation commands here`,
  detections: [
    {type: "EventLog", text: "Event 4624 ...", sev: "high"}
  ],
  iocs: [
    {type: "Port", val: "TCP 445"}
  ]
}
```

Add to extData["T1234.001"]:

```javascript
"T1234.001": {
  apt: [
    {
      name: "APT28 (Fancy Bear)", alias: "G0007", nation: "Russia 🇷🇺",
      sectors: "Government, Military",
      campaigns: "Campaign description",
      ref: "https://attack.mitre.org/groups/G0007/"
    }
  ],
  ti: [ {src: "GreyNoise", text: "Description", link: "https://..."} ],
  rules: [ {src: "SigmaHQ", name: "Rule Name", link: "https://...", note: "Note"} ]
}
```

Add to telData["T1234.001"]:

```javascript
"T1234.001": [
  {src: "Windows Security Log", ids: "4624, 4625", note: "Detection context"}
]
```

| Source | Usage |
|---|---|
| MITRE ATT&CK | Technique definitions, APT group procedures |
| MITRE D3FEND | Defensive countermeasure mapping |
| MITRE CAR | Cyber Analytics Repository |
| SigmaHQ | Detection rule library |
| Elastic Detection Rules | SIEM detection content |
| Splunk Security Content | ESCU analytics |
| Azure Sentinel | KQL detection rules |
| MISP Galaxy | Threat intel sharing |
| GreyNoise | Internet-scale scanning intel |
| Atomic Red Team | Simulation references |
| CISA Advisories | APT DFIR reports and IOCs |
| Mandiant / CrowdStrike / Microsoft MSTIC | APT campaign reports |
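A pre-flight check for a new technique entry, written as an added example for the "add a technique" steps above; it is not part of LOLLATERAL. It assumes the `VALID_CATEGORIES` and `VALID_SEV` lists (only the values shown in the README are certain) and that the card builder looks up `extData` and `telData` by the tool's `id`.

```javascript
// Added example, not LOLLATERAL code: validate a new tools[] entry and its
// matching extData{} / telData{} records before they are merged into index.html.
const ATTCK_ID = /^T\d{4}(\.\d{3})?$/;                               // T1021 or T1021.002
const VALID_CATEGORIES = ["Remote Services", "Kerberos", "LOLBin"];  // assumed subset of catBadgeMap
const VALID_SEV = ["low", "medium", "high", "critical"];             // assumed; README shows "high"

function validateEntry(tool, extData, telData) {
  const errors = [];
  if (!ATTCK_ID.test(tool.id)) errors.push(`id "${tool.id}" is not an ATT&CK (sub-)technique ID`);
  if (!VALID_CATEGORIES.includes(tool.category)) errors.push(`category "${tool.category}" is not in catBadgeMap`);
  if (!Array.isArray(tool.attck) || !tool.attck.every((a) => ATTCK_ID.test(a)))
    errors.push("attck must be an array of ATT&CK IDs");
  if (typeof tool.sim !== "string" || tool.sim.trim() === "") errors.push("sim must be a non-empty string");
  for (const d of tool.detections ?? [])
    if (!VALID_SEV.includes(d.sev)) errors.push(`detection "${d.text}" has unknown sev "${d.sev}"`);
  for (const i of tool.iocs ?? [])
    if (!i.type || !i.val) errors.push("every IOC needs both type and val");
  // Cross-record consistency: the card builder keys extData and telData by tool id.
  const ext = extData[tool.id];
  if (!ext) errors.push(`extData["${tool.id}"] is missing (APT intel, TI sources, rules)`);
  else for (const key of ["apt", "ti", "rules"])
    if (!Array.isArray(ext[key])) errors.push(`extData["${tool.id}"].${key} must be an array`);
  const tel = telData[tool.id];
  if (!Array.isArray(tel)) errors.push(`telData["${tool.id}"] is missing (telemetry mappings)`);
  else for (const t of tel)
    if (!t.src || !t.ids) errors.push(`telData["${tool.id}"] rows need src and ids`);
  return errors;
}

// Constructed sample records mirroring the README template (not real technique entries).
const sampleTool = {
  id: "T1234.001", name: "My Technique", category: "Remote Services", platform: "Windows",
  desc: "Technique description.", attck: ["T1234.001"], signed: true, refs: 5,
  sim: "# simulation commands here",
  detections: [{type: "EventLog", text: "Event 4624 ...", sev: "high"}],
  iocs: [{type: "Port", val: "TCP 445"}],
};
const sampleExt = {"T1234.001": {apt: [], ti: [], rules: []}};
const sampleTel = {"T1234.001": [{src: "Windows Security Log", ids: "4624, 4625", note: "Detection context"}]};

console.log(validateEntry(sampleTool, sampleExt, sampleTel)); // []
```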
- LOLEXFIL — Data exfiltration techniques reference
- LOLBAS — Living Off The Land Binaries
- LOLC2 — C2 frameworks reference
- GTFOBins — Unix binary exploitation
- MITRE ATT&CK Navigator — ATT&CK coverage mapping
This tool is intended for authorized security testing, red team operations, detection engineering, and defensive research only. All simulation commands and techniques documented here should only be used in environments where you have explicit written authorization. The authors assume no liability for misuse.
MIT License — see LICENSE for details.
Built with ❤️ for detection engineers, threat hunters, red teamers, and SOC analysts.