Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer), files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.
Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB/Windows Admin Shares to connected network shares or with authenticated connections via Remote Desktop Protocol.(Citation: Unit42 LockerGoga 2019)
Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and ftp. In some cases, adversaries may be able to leverage Web Services such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)
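The SMB/Windows Admin Shares path described above leaves a record in Windows Security Event 5145 (network share object access) on the receiving host. The following detection logic, added here as an example and not part of the mapping page, flags executable-like files written to default administrative shares. It assumes the events have been exported with the standard 5145 fields (ShareName, RelativeTargetName, AccessMask, IpAddress, SubjectUserName); the sample records are constructed.

```python
"""Flag executable writes to admin shares in Windows Security Event 5145 records.

Added example, not code from the mapping page. Assumes Event 5145 has been
exported as dicts with the standard field names; the sample records below are
constructed for this example.
"""
import re

ADMIN_SHARES = {"ADMIN$", "C$", "D$"}      # default administrative shares
WRITE_DATA = 0x2                            # FILE_WRITE_DATA / FILE_ADD_FILE bit
TOOL_EXT = re.compile(r"\.(exe|dll|ps1|bat|cmd|vbs|js|msi)$", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed sample input
    {"EventID": 5145, "SubjectUserName": "svc-backup", "IpAddress": "10.0.5.17",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "Temp\\update.exe",
     "AccessMask": "0x2"},
    {"EventID": 5145, "SubjectUserName": "alice", "IpAddress": "10.0.5.20",
     "ShareName": "\\\\*\\Finance", "RelativeTargetName": "Q3\\report.xlsx",
     "AccessMask": "0x2"},                  # write to a normal share: ignore
    {"EventID": 5145, "SubjectUserName": "bob", "IpAddress": "10.0.5.21",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\bob\\notes.txt",
     "AccessMask": "0x1"},                  # read-only access: ignore
]


def share_basename(share_name):
    """Reduce a 5145 ShareName such as '\\\\*\\ADMIN$' to 'ADMIN$'."""
    return share_name.rstrip("\\").split("\\")[-1].upper()


def is_suspicious(event):
    """True when an executable-like file is written to an admin share."""
    if event.get("EventID") != 5145:
        return False
    mask = int(event.get("AccessMask", "0"), 16)   # 5145 logs the mask as hex text
    return (share_basename(event["ShareName"]) in ADMIN_SHARES
            and bool(mask & WRITE_DATA)
            and TOOL_EXT.search(event["RelativeTargetName"]) is not None)


def find_lateral_tool_transfers(events):
    """Return (source_ip, user, share\\target) for every matching event."""
    return [(e["IpAddress"], e["SubjectUserName"],
             f"{share_basename(e['ShareName'])}\\{e['RelativeTargetName']}")
            for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in find_lateral_tool_transfers(SAMPLE_EVENTS):
        print("possible lateral tool transfer:", hit)
```

Tune ADMIN_SHARES and TOOL_EXT to the environment; legitimate software deployment tools also write to admin shares, so the source IP and account should be checked against an allow list before alerting.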
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1570 | Lateral Tool Transfer | This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS, providing protection against threats and exploitation attempts. |
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1570 | Lateral Tool Transfer | The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may transfer tools, payloads, or other malware between systems in a compromised environment, such as between a VM and host system. Hypervisor hardening may help in monitoring and restricting unexpected network share access, such as files transferred between shares within a network using protocols such as SMB by virtualized technologies. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1570 | Lateral Tool Transfer | This diagnostic statement protects against Lateral Tool Transfer through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation. |
PR.IR-01.04 | Wireless network protection | Mitigates | T1570 | Lateral Tool Transfer | This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise. |
PR.PS-01.08 | End-user device protection | Mitigates | T1570 | Lateral Tool Transfer | This diagnostic statement protects against Lateral Tool Transfer by limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1570 | Lateral Tool Transfer | |
CM-06 | Configuration Settings | mitigates | T1570 | Lateral Tool Transfer | |
SI-10 | Information Input Validation | mitigates | T1570 | Lateral Tool Transfer | |
SI-15 | Information Output Filtering | mitigates | T1570 | Lateral Tool Transfer | |
SI-03 | Malicious Code Protection | mitigates | T1570 | Lateral Tool Transfer | |
CM-02 | Baseline Configuration | mitigates | T1570 | Lateral Tool Transfer | |
CM-07 | Least Functionality | mitigates | T1570 | Lateral Tool Transfer | |
SI-04 | System Monitoring | mitigates | T1570 | Lateral Tool Transfer | |
AC-03 | Access Enforcement | mitigates | T1570 | Lateral Tool Transfer | |
AC-04 | Information Flow Enforcement | mitigates | T1570 | Lateral Tool Transfer | |
SC-07 | Boundary Protection | mitigates | T1570 | Lateral Tool Transfer | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.vector.Network propagation | Network propagation | related-to | T1570 | Lateral Tool Transfer | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_network_security_groups | Azure Network Security Groups | technique_scores | T1570 | Lateral Tool Transfer | This control can be used to limit traffic between systems and enclaves to the minimum necessary, for example via a zero-trust strategy. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
vpc_service_controls | VPC Service Controls | technique_scores | T1570 | Lateral Tool Transfer | VPC security perimeters can segment private resources to deny ingress and egress traffic based on organizational policies. Because this tool does not prevent attacks from valid accounts or compromised machines, it was scored as minimal. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1570 | Lateral Tool Transfer | VPC security groups and network access control lists (NACLs) can be used to limit traffic between systems and enclaves to the minimum necessary, for example via a zero-trust strategy. |