Description
Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.
Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB/Windows Admin Shares to connected network shares or with authenticated connections via Remote Desktop Protocol.(Citation: Unit42 LockerGoga 2019)
Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and ftp. In some cases, adversaries may be able to leverage Web Services such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)
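A defender-side check for the SMB/Windows Admin Shares path described above, added here as an example and not part of the MITRE page: it scans Windows Security Event ID 5145 (network share object access) records for writes of executable-type files to administrative shares, and raises a second alert when one source host stages tools on several hosts in succession. The event records, field names and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of Event ID 5145 records reduced to the fields the check
# uses (not real telemetry). AccessMask is the hex string Windows logs.
SAMPLE_EVENTS = [
    {"host": "ws01", "src_ip": "10.0.0.5", "user": "svc_backup",
     "share": "\\\\*\\C$", "target": "Windows\\Temp\\agent.exe", "access_mask": "0x2"},
    {"host": "ws02", "src_ip": "10.0.0.5", "user": "svc_backup",
     "share": "\\\\*\\ADMIN$", "target": "Temp\\agent.exe", "access_mask": "0x2"},
    {"host": "fs01", "src_ip": "10.0.0.5", "user": "svc_backup",
     "share": "\\\\*\\C$", "target": "Users\\Public\\loader.dll", "access_mask": "0x12019f"},
    {"host": "ws03", "src_ip": "10.0.0.9", "user": "jdoe",
     "share": "\\\\*\\shared", "target": "reports\\q3.xlsx", "access_mask": "0x2"},
    {"host": "ws04", "src_ip": "10.0.0.9", "user": "jdoe",
     "share": "\\\\*\\C$", "target": "Users\\jdoe\\notes.txt", "access_mask": "0x1"},
]

ADMIN_SHARES = {"ADMIN$", "C$", "D$"}
TOOL_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js", ".msi")
WRITE_DATA = 0x2       # FILE_WRITE_DATA / FILE_ADD_FILE bit of the 5145 AccessMask
FANOUT_THRESHOLD = 2   # distinct hosts one source writes tools to before alerting (assumed)

def is_tool_write_to_admin_share(ev):
    """True when an executable-type file is written to an administrative share."""
    share = ev["share"].rsplit("\\", 1)[-1].upper()   # "\\*\C$" -> "C$"
    target = ev["target"].lower()
    mask = int(ev["access_mask"], 16)
    return share in ADMIN_SHARES and target.endswith(TOOL_EXTENSIONS) and bool(mask & WRITE_DATA)

def detect_lateral_tool_transfer(events):
    """Return one alert per matching write plus a fan-out alert for any source
    that staged tools on FANOUT_THRESHOLD or more distinct hosts."""
    alerts = []
    hosts_by_source = defaultdict(set)
    for ev in events:
        if is_tool_write_to_admin_share(ev):
            alerts.append(f"{ev['src_ip']} ({ev['user']}) wrote {ev['target']} "
                          f"to {ev['share']} on {ev['host']}")
            hosts_by_source[ev["src_ip"]].add(ev["host"])
    for src, hosts in hosts_by_source.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            alerts.append(f"fan-out: {src} staged tools on {len(hosts)} hosts: {sorted(hosts)}")
    return alerts

if __name__ == "__main__":
    for line in detect_lateral_tool_transfer(SAMPLE_EVENTS):
        print(line)
```

Legitimate deployment tooling (backup agents, PDQ Deploy, SCCM) also writes executables to admin shares, so the source IP and account in each alert should be compared against an allow-list of known deployment hosts before escalation.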
Platforms
Mitigations (2)
Filter Network Traffic (M1037)
Consider using the host firewall to restrict file sharing communications such as SMB. (Citation: Microsoft Preventing SMB)
Network Intrusion Prevention (M1031)
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or t
Threat Groups (19)
| ID | Group | Context |
|---|---|---|
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has utilized legitimate software services such as PDQ Deploy to transfer malicious binaries and ... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has deployed tools after moving laterally using administrative accounts.(Citation: Cybereason Cobalt Ki... |
| G1007 | Aoqin Dragon | [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has spread malware in target networks by copying modules to folders masquerading as removable de... |
| G0051 | FIN10 | [FIN10](https://attack.mitre.org/groups/G0051) has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) retrieves follow-on payloads direct from adversary-owned infrastructure for deployment on compromi... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has copied web shells between servers in targeted environments.(Citation: Secureworks BRONZE SIL... |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) transferred files laterally within victim networks through the [Impacket](https://attack.mitre.org... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used stolen credentials to copy tools into the <code>%TEMP%</code> directory of domain cont... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors can be used to transfer files to/from victim machines on the local network.(Citation: ESE... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) transferred tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154) and the AnyDesk r... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has copied tools between compromised hosts using SMB.(Citation: NCC Group Chimera January 2021) |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) has used [PsExec](https://attack.mitre.org/software/S0029) to move laterally between hosts in the tar... |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has used the [Impacket](https://attack.mitre.org/software/S0357) toolset to move and remotely exec... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has copied tools within a compromised network using RDP.(Citation: DFIR Phosphorus November 2021) |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has used a rapid succession of copy commands to install a file encryption executable across multi... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has utilized Python scripts to transfer files between ESXi hosts and guest VMs.(Citation: Google Cloud... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used `move` to transfer files to a network share and has copied payloads--such as [Prestige... |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) downloaded some payloads for follow-on execution from legitimate filesharing services such as <code>uf... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) uses remote shares to move and remotely execute payloads during lateral movement.(Citation: Rostovcev... |
Associated Software (27)
| ID | Name | Type | Context |
|---|---|---|---|
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has copied itself to remote systems using the `service.exe` filename.(Citation: Binary Defense Emote... |
| S1139 | INC Ransomware | Malware | [INC Ransomware](https://attack.mitre.org/software/S1139) can push its encryption executable to multiple endpoints within compromised infrastructure.... |
| S1068 | BlackCat | Malware | [BlackCat](https://attack.mitre.org/software/S1068) can replicate itself across connected servers via `psexec`.(Citation: Microsoft BlackCat Jun 2022) |
| S1132 | IPsec Helper | Malware | [IPsec Helper](https://attack.mitre.org/software/S1132) can download additional payloads from command and control nodes and execute them.(Citation: Se... |
| S0457 | Netwalker | Malware | Operators deploying [Netwalker](https://attack.mitre.org/software/S0457) have used psexec to copy the [Netwalker](https://attack.mitre.org/software/S0... |
| S0190 | BITSAdmin | Tool | [BITSAdmin](https://attack.mitre.org/software/S0190) can be used to create [BITS Jobs](https://attack.mitre.org/techniques/T1197) to upload and/or dow... |
| S0095 | ftp | Tool | [ftp](https://attack.mitre.org/software/S0095) may be abused by adversaries to transfer tools or files between systems within a compromised environmen... |
| S0404 | esentutl | Tool | [esentutl](https://attack.mitre.org/software/S0404) can be used to copy files to/from a remote share.(Citation: LOLBAS Esentutl) |
| S0532 | Lucifer | Malware | [Lucifer](https://attack.mitre.org/software/S0532) can use [certutil](https://attack.mitre.org/software/S0160) for propagation on Windows hosts within... |
| S1180 | BlackByte Ransomware | Malware | [BlackByte Ransomware](https://attack.mitre.org/software/S1180) spreads itself laterally by writing the JavaScript launcher file to mapped shared fold... |
| S0361 | Expand | Tool | [Expand](https://attack.mitre.org/software/S0361) can be used to download or upload a file over a network share.(Citation: LOLBAS Expand) |
| S1229 | Havoc | Malware | [Havoc](https://attack.mitre.org/software/S1229) has the ability to copy files from one location to another.(Citation: Havoc Framework Documentation) |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) has used [PsExec](https://attack.mitre.org/software/S0029) to distribute a second encryptor, named en... |
| S9030 | SameCoin | Malware | [SameCoin](https://attack.mitre.org/software/S9030) can copy its wiper executable to remote machines within the same Active Directory.(Citation: Check... |
| S0365 | Olympic Destroyer | Malware | [Olympic Destroyer](https://attack.mitre.org/software/S0365) attempts to copy itself to remote machines on the network.(Citation: Talos Olympic Destro... |
| S0140 | Shamoon | Malware | [Shamoon](https://attack.mitre.org/software/S0140) attempts to copy itself to remote machines on the network.(Citation: Palo Alto Shamoon Nov 2016) |
| S0029 | PsExec | Tool | [PsExec](https://attack.mitre.org/software/S0029) can be used to download or upload a file over a network share.(Citation: PsExec Russinovich) |
| S0698 | HermeticWizard | Malware | [HermeticWizard](https://attack.mitre.org/software/S0698) can copy files to other machines on a compromised network.(Citation: ESET Hermetic Wizard Ma... |
| S0062 | DustySky | Malware | [DustySky](https://attack.mitre.org/software/S0062) searches for network drives and removable media and duplicates itself onto them.(Citation: DustySk... |
| S0357 | Impacket | Tool | [Impacket](https://attack.mitre.org/software/S0357) has used its `wmiexec` command, leveraging Windows Management Instrumentation, to remotely stage a... |
References
- David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.
- Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.
Frequently Asked Questions
What is T1570 (Lateral Tool Transfer)?
T1570 is a MITRE ATT&CK technique named 'Lateral Tool Transfer'. It belongs to the Lateral Movement tactic(s). Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/...
How can T1570 be detected?
Detection of T1570 (Lateral Tool Transfer) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1570?
There are 2 documented mitigations for T1570. Key mitigations include: Filter Network Traffic, Network Intrusion Prevention.
Which threat groups use T1570?
Known threat groups using T1570 include: Medusa Group, APT32, Aoqin Dragon, FIN10, Ember Bear, Volt Typhoon, Velvet Ant, Wizard Spider.