T1570: Lateral Tool Transfer

Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.

Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB/Windows Admin Shares to connected network shares or with authenticated connections via Remote Desktop Protocol.

Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and ftp. In some cases, adversaries may be able to leverage Web Services such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

kaspersky: PT-CR-1837: Kaspersky_Install_Malicious_App: A suspicious application is installed from Kaspersky Security Center
kaspersky: PT-CR-1836: Subrule_Kaspersky_Run_Task_Install_App: A task is run and an application is installed from Kaspersky Security Center
kaspersky: PT-CR-1835: Subrule_Kaspersky_Create_Package_And_Task: An installation package and task are created in Kaspersky Security Center
remote_work: PT-CR-1913: File_Copy_Via_RemoteAccess_Tool: A suspicious file was created using a remote access tool
microsoft_mecm: PT-CR-1876: MECM_Distribute_Content: Transferring a package or application to a distribution point in MECM
mitre_attck_execution: PT-CR-1093: Subrule_Payload_Download_Via_WebClient: A subrule of the MSDT_Remote_Code_Execution rule detected a connection to remote storage and the download of a malicious file
mitre_attck_execution: PT-CR-1090: MSDT_Remote_Code_Execution: Vulnerability CVE-2022-34713 has been exploited in the msdt.exe service, and a malicious file is downloaded from an attacker host
mitre_attck_execution: PT-CR-602: Finger_AWL_Bypass: An attempt to bypass application-start restrictions by using finger.exe (a built-in Microsoft Windows utility that displays information about users on a specified remote computer that is running the finger service)
mitre_attck_initial_access: PT-CR-2301: Suspicious_File_Creation_From_Messenger_Or_Mail: A file with a suspicious extension was created on behalf of an instant messenger or email program, or malicious file activity was detected. This may indicate a phishing attack or malware being delivered to a user's computer.
mitre_attck_collection: PT-CR-1932: Copying_Files: Copying files and folders using the xcopy and robocopy utilities, the copy command, or the Copy-Item cmdlet
unix_mitre_attck_command_and_control: PT-CR-295: Unix_Droppers_By_Daemons: Running a utility to transfer files on behalf of a service account is detected
mitre_attck_command_and_control: PT-CR-608: Download_File_Through_Curl: A utility is started to download files
mitre_attck_command_and_control: PT-CR-219: Remote_File_Download_Via_Certutil: An attempt to load data from external resources using the built-in utility certutil. Certutil can be used to obtain information about a certificate authority and configure certificate services.
mitre_attck_command_and_control: PT-CR-609: Download_File_Through_Windows_Defender: An attempt to download a file with Windows Defender is detected
mitre_attck_command_and_control: PT-CR-845: Download_Via_Encoded_Powershell: A user downloaded a payload via an encoded PowerShell command
unix_mitre_attck_lateral_movement: PT-CR-1699: Unix_File_Download_Via_GTFOBINS: The file was created using a GTFOBins utility. GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
mitre_attck_cred_access: PT-CR-600: Esentutil_Copy_File: The "esentutil" utility is started
mitre_attck_lateral_movement: PT-CR-225: Creation_Suspicious_File: Creation of a potentially malicious file is detected
mitre_attck_lateral_movement: PT-CR-224: Remote_Copying_Malicious_File: An attempt was detected to copy a potentially malicious file with one of the following extensions: hta, ps1, py, vbe, cs, csproj, proj, com, cmd, bat, vbs, js, xsl, sct
mitre_attck_lateral_movement: PT-CR-222: Downloading_Remote_File_Via_Lolbas: An attempt to upload files is detected
mitre_attck_lateral_movement: PT-CR-1373: Remote_Creation_Suspicious_File: Remote creation of a potentially malicious file is detected
mitre_attck_lateral_movement: PT-CR-1372: Remote_SSP_Dump: The use of a script from a modified Impacket toolkit is detected. This allows the lsass process memory to be dumped remotely.
hacking_tools: PT-CR-761: Subrule_Duplex_Powershell_Connect: A two-way connection using powershell.exe is detected
hacking_tools: PT-CR-584: Empire_Stager: A PS script with an Empire stager substring is run
hacking_tools: PT-CR-755: Cobalt_Strike_Stager: Possible startup of a Cobalt Strike stager
hacking_tools: PT-CR-351: Koadic_Bitsadmin_Stager: Possible use of the Koadic software with BITSAdmin is detected
hacking_tools: PT-CR-750: Cobalt_Strike_Powershell_Payload_Delivery: A user downloaded a payload using an encoded PowerShell command
hacking_tools: PT-CR-365: Koadic_WMIC_Stager: Possible use of the Koadic software via a WMI script is detected
hacking_tools: PT-CR-353: Koadic_MSHTA_Stager: Possible use of the Koadic software (a framework designed for post-exploitation on Windows operating systems) that runs a payload on the attacked host using a Microsoft Windows HTML Application was detected
hacking_tools: PT-CR-361: Koadic_Rundll32_Stager: Possible use of the Koadic software with Rundll32 is detected
hacking_tools: PT-CR-90: Windows_Hacktool_Copied_To_Share: Copying of a malicious utility to the root directory of a shared network resource. This may indicate that the attacker has moved laterally to the host that provides the shared network resource.
hacking_tools: PT-CR-748: Cobalt_Strike_Payload_Delivery_Check: Multiple attempts to verify payload delivery using Cobalt Strike software
hacking_tools: PT-CR-587: SilentTrinity_Stager: Possible execution of the SilentTrinity stager is detected
hacking_tools: PT-CR-357: Koadic_REGSVR32_Stager: Possible use of the Koadic software with Regsvr32 is detected

Detection

ID: DS0023
Data source and component: Named Pipe: Named Pipe Metadata
Description: Monitor for contextual data about named pipes on the system.

ID: DS0033
Data source and component: Network Share: Network Share Access
Description: Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as SMB.

ID: DS0009
Data source and component: Process: Process Creation
Description: Monitor newly constructed processes that assist in lateral tool transfers.

ID: DS0022
Data source and component: File: File Metadata
Description: Monitor for alike file hashes or characteristics (e.g., filename) that are created on multiple hosts.

ID: DS0029
Data source and component: Network Traffic: Network Traffic Flow
Description: Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files.

ID: DS0022
Data source and component: File: File Creation
Description: Monitor newly constructed files written to or read from a lateral tool transfer.

ID: DS0029
Data source and component: Network Traffic: Network Traffic Content
Description: Monitor for unusual processes with internal network connections that create files on the system; such activity may be suspicious.

Note: Analytic Event Type is for Zeek but can also be implemented in other Network Analysis Frameworks by parsing & decoding captured SMB2 network traffic. From a network traffic capture standpoint, it’s important to capture the right traffic for this type of detection to function (e.g., all endpoint to endpoint if possible or workstation to server and workstation to workstation). As such, it is helpful to have a centralized server area where it is possible to monitor communications between servers and endpoints.
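The following is an added example (not code from the ATT&CK page or from Positive Technologies' rule set) showing two of the host-side checks above over constructed records: DS0033, tool-like files written to administrative shares (modelled on Windows Security event 5145 fields ShareName, RelativeTargetName, AccessMask), and DS0022, the same file hash appearing on several hosts. Record field names and the sample records are assumptions.

```python
# Added example, not from the ATT&CK page or Positive Technologies' rules:
# toy detection logic for T1570 over constructed log records. Record field
# names are assumptions modelled on Windows Security event 5145 fields.
from collections import defaultdict

# Script/executable extensions; the first 14 are the list quoted for PT-CR-224
TOOL_EXT = {"hta", "ps1", "py", "vbe", "cs", "csproj", "proj", "com", "cmd",
            "bat", "vbs", "js", "xsl", "sct", "exe", "dll"}
WRITE_MASK = 0x2  # 5145 AccessMask bit for WriteData / AddFile

def is_admin_share(share_name):
    """True for the ADMIN$ share or a <drive>$ share (Windows admin shares)."""
    name = share_name.rsplit("\\", 1)[-1].upper()
    return name == "ADMIN$" or (len(name) == 2 and name[1] == "$" and name[0].isalpha())

def file_ext(path):
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""

def share_tool_writes(events):
    """DS0033 Network Share Access: tool-like files written to admin shares.
    Returns (host, source_ip, share, relative_target) tuples."""
    return [(e["host"], e["src_ip"], e["share"], e["target"])
            for e in events
            if e["event_id"] == 5145
            and is_admin_share(e["share"])
            and e["access_mask"] & WRITE_MASK
            and file_ext(e["target"]) in TOOL_EXT]

def replicated_hashes(events, min_hosts=2):
    """DS0022 File Metadata: the same file hash created on several hosts.
    Uses constructed file-create records carrying a sha256 (as an EDR would)."""
    hosts = defaultdict(set)
    for e in events:
        if e["event_id"] == "file_create":
            hosts[e["sha256"]].add(e["host"])
    return {h: sorted(hs) for h, hs in hosts.items() if len(hs) >= min_hosts}

# Constructed sample records (not real telemetry)
SAMPLE = [
    {"event_id": 5145, "host": "SRV01", "src_ip": "10.0.0.5",
     "share": "\\\\*\\ADMIN$", "target": "tool.ps1", "access_mask": 0x2},
    {"event_id": 5145, "host": "SRV01", "src_ip": "10.0.0.5",
     "share": "\\\\*\\ADMIN$", "target": "tool.ps1", "access_mask": 0x1},  # read only
    {"event_id": 5145, "host": "FS01", "src_ip": "10.0.0.7",
     "share": "\\\\*\\Public", "target": "report.docx", "access_mask": 0x2},
    {"event_id": "file_create", "host": "SRV01", "sha256": "aaaa"},
    {"event_id": "file_create", "host": "WS07", "sha256": "aaaa"},
    {"event_id": "file_create", "host": "WS09", "sha256": "bbbb"},
]
```

Only the first sample record is a write of a script to an admin share, and only hash "aaaa" is seen on more than one host; a real deployment would also join on time windows and exclude known software-distribution hosts such as the MECM distribution points named in the rule list above.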

Mitigation

ID: M1037
Name: Filter Network Traffic
Description:

Consider using the host firewall to restrict file sharing communications such as SMB.

ID: M1031
Name: Network Intrusion Prevention
Description:

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions.