Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.
Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB/Windows Admin Shares to connected network shares or with authenticated connections via Remote Desktop Protocol.(Citation: Unit42 LockerGoga 2019)
Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and ftp. In some cases, adversaries may be able to leverage Web Services such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-03 | Network Security | mitigates | T1570 | Lateral Tool Transfer |
Comments
This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unusual data transfer over known tools and protocols can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate the transfer of tools or other files.
References
|
| I&S-06 | Segmentation and Segregation | mitigates | T1570 | Lateral Tool Transfer |
Comments
This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate the transfer of tools or other files.
References
|
| I&S-09 | Network Defense | mitigates | T1570 | Lateral Tool Transfer |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unusual data transfer over known tools and protocols can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate the transfer of tools or other files.
References
|