Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with SMB/Windows Admin Shares or Remote Desktop Protocol. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1570 | Lateral Tool Transfer | |
| AC-4 | Information Flow Enforcement | Protects | T1570 | Lateral Tool Transfer | |
| CA-7 | Continuous Monitoring | Protects | T1570 | Lateral Tool Transfer | |
| CM-2 | Baseline Configuration | Protects | T1570 | Lateral Tool Transfer | |
| CM-6 | Configuration Settings | Protects | T1570 | Lateral Tool Transfer | |
| CM-7 | Least Functionality | Protects | T1570 | Lateral Tool Transfer | |
| SC-7 | Boundary Protection | Protects | T1570 | Lateral Tool Transfer | |
| SI-10 | Information Input Validation | Protects | T1570 | Lateral Tool Transfer | |
| SI-15 | Information Output Filtering | Protects | T1570 | Lateral Tool Transfer | |
| SI-3 | Malicious Code Protection | Protects | T1570 | Lateral Tool Transfer | |
| SI-4 | System Monitoring | Protects | T1570 | Lateral Tool Transfer |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.vector.Network propagation | Network propagation | related-to | T1570 | Lateral Tool Transfer |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1570 | Lateral Tool Transfer |
Comments
VPC security groups and network access control lists (NACLs) can be used to limit traffic between systems and enclaves to minimum necessary for example via a zero-trust strategy.
References
|