EXPLORE
Sign In
← Back to Explore
T1570

Lateral Tool Transfer

Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Ad...

ESXiLinuxmacOSWindows
22
Detections
2
Sources
19
Threat Actors

BY SOURCE

16elastic6sigma

PROCEDURES (16)

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Anomal2 detections

Auto-extracted: 2 detections for anomal

Service2 detections

Auto-extracted: 2 detections for service

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

File Monitoring1 detections

Auto-extracted: 1 detections for file monitoring

Service1 detections

Auto-extracted: 1 detections for service

Remote1 detections

Auto-extracted: 1 detections for remote

Unusual1 detections

Auto-extracted: 1 detections for unusual

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

Lateral1 detections

Auto-extracted: 1 detections for lateral

Lateral1 detections

Auto-extracted: 1 detections for lateral

Remote1 detections

Auto-extracted: 1 detections for remote

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

THREAT ACTORS (19)

AgriusAoqin DragonAPT32APT41BlackByteChimeraEmber BearFIN10GALLIUMINC RansomMagic HoundMedusa GroupSandworm TeamStorm-1811TurlaUNC3886Velvet AntVolt TyphoonWizard Spider

DETECTIONS (22)

Execution via TSClient Mountpoint
elastichigh
Lateral Movement via Startup Folder
elastichigh
Metasploit Or Impacket Service Installation Via SMB PsExec
sigmahigh
Potential Lateral Tool Transfer via SMB Share
elasticmedium
Potential Ransomware Behavior - Note Files by System
elasticmedium
Potentially Suspicious File Creation by OpenEDR's ITSMService
sigmamedium
PsExec Network Connection
elasticlow
PSEXEC Remote Execution File Artefact
sigmahigh
Remote Execution via File Shares
elasticmedium
Remote File Copy to a Hidden Share
elasticmedium
Remote File Creation in World Writeable Directory
elasticmedium
Rundll32 Execution Without Parameters
sigmahigh
Scheduled Task Execution at Scale via GPO
elasticmedium
SMB over QUIC Via Net.EXE
sigmamedium
SMB over QUIC Via PowerShell Script
sigmamedium
Spike in Remote File Transfers
elasticlow
Suspicious Execution from a WebDav Share
elastichigh
Unusual Remote File Creation
elasticlow
Unusual Remote File Directory
elasticlow
Unusual Remote File Extension
elasticlow
Unusual Remote File Size
elasticlow
Web Server Spawned via Python
elasticmedium