T1570 Lateral Tool Transfer Mappings

Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer), files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.

Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols, such as file sharing over SMB/Windows Admin Shares to connected network shares, or over authenticated connections via Remote Desktop Protocol.(Citation: Unit42 LockerGoga 2019)

Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and ftp. In some cases, adversaries may be able to leverage Web Services such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)

Mappings

Capability ID  Capability Description        Mapping Type  ATT&CK ID  ATT&CK Name
AC-03          Access Enforcement            Protects      T1570      Lateral Tool Transfer
AC-04          Information Flow Enforcement  Protects      T1570      Lateral Tool Transfer
CA-07          Continuous Monitoring         Protects      T1570      Lateral Tool Transfer
CM-02          Baseline Configuration        Protects      T1570      Lateral Tool Transfer
CM-06          Configuration Settings        Protects      T1570      Lateral Tool Transfer
CM-07          Least Functionality           Protects      T1570      Lateral Tool Transfer
SC-07          Boundary Protection           Protects      T1570      Lateral Tool Transfer
SI-10          Information Input Validation  Protects      T1570      Lateral Tool Transfer
SI-15          Information Output Filtering  Protects      T1570      Lateral Tool Transfer
SI-03          Malicious Code Protection     Protects      T1570      Lateral Tool Transfer
SI-04          System Monitoring             Protects      T1570      Lateral Tool Transfer