Lateral Tool Transfer
Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB/Windows Admin Shares to connected network shares or with authenticated connections via Remote Desktop Protocol.(Citation: Unit42 LockerGoga 2019) Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and ftp. In some cases, adversaries may be able to leverage Web Services such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)
Procedure Examples |
|
Name | Description |
---|---|
Emotet |
Emotet has copied itself to remote systems using the `service.exe` filename.(Citation: Binary Defense Emotes Wi-Fi Spreader) |
INC Ransomware |
INC Ransomware can push its encryption executable to multiple endpoints within compromised infrastructure.(Citation: Huntress INC Ransom Group August 2023) |
BlackCat |
BlackCat can replicate itself across connected servers via `psexec`.(Citation: Microsoft BlackCat Jun 2022) |
IPsec Helper |
IPsec Helper can download additional payloads from command and control nodes and execute them.(Citation: SentinelOne Agrius 2021) |
APT32 |
APT32 has deployed tools after moving laterally using administrative accounts.(Citation: Cybereason Cobalt Kitty 2017) |
Aoqin Dragon |
Aoqin Dragon has spread malware in target networks by copying modules to folders masquerading as removable devices.(Citation: SentinelOne Aoqin Dragon June 2022) |
Netwalker |
Operators deploying Netwalker have used psexec to copy the Netwalker payload across accessible systems.(Citation: Sophos Netwalker May 2020) |
BITSAdmin |
BITSAdmin can be used to create BITS Jobs to upload and/or download files from SMB file servers.(Citation: Microsoft About BITS) |
FIN10 |
FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.(Citation: FireEye FIN10 June 2017) |
ftp |
ftp may be abused by adversaries to transfer tools or files between systems within a compromised environment.(Citation: Microsoft FTP)(Citation: Linux FTP) |
esentutl |
esentutl can be used to copy files to/from a remote share.(Citation: LOLBAS Esentutl) |
Ember Bear |
Ember Bear retrieves follow-on payloads direct from adversary-owned infrastructure for deployment on compromised hosts.(Citation: Cadet Blizzard emerges as novel threat actor) |
Lucifer |
Lucifer can use certutil for propagation on Windows hosts within intranets.(Citation: Unit 42 Lucifer June 2020) |
Volt Typhoon |
Volt Typhoon has copied web shells between servers in targeted environments.(Citation: Secureworks BRONZE SILHOUETTE May 2023) |
Wizard Spider |
Wizard Spider has used stolen credentials to copy tools into the |
Turla |
Turla RPC backdoors can be used to transfer files to/from victim machines on the local network.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019) |
During C0018, the threat actors transferred the SoftPerfect Network Scanner and other tools to machines in the network using AnyDesk and PDQ Deploy.(Citation: Cisco Talos Avos Jun 2022)(Citation: Costa AvosLocker May 2022) |
|
During the 2016 Ukraine Electric Power Attack, Sandworm Team used `move` to transfer files to a network share.(Citation: Dragos Crashoverride 2018) |
|
Expand |
Expand can be used to download or upload a file over a network share.(Citation: LOLBAS Expand) |
Chimera |
Chimera has copied tools between compromised hosts using SMB.(Citation: NCC Group Chimera January 2021) |
Olympic Destroyer |
Olympic Destroyer attempts to copy itself to remote machines on the network.(Citation: Talos Olympic Destroyer 2018) |
During Operation Wocao, threat actors used SMB to copy files to and from target systems.(Citation: FoxIT Wocao December 2019) |
|
During the 2022 Ukraine Electric Power Attack, Sandworm Team used a Group Policy Object (GPO) to copy CaddyWiper's executable `msserver.exe` from a staging server to a local hard drive before deployment.(Citation: Mandiant-Sandworm-Ukraine-2022) |
|
GALLIUM |
GALLIUM has used PsExec to move laterally between hosts in the target network.(Citation: Microsoft GALLIUM December 2019) |
Shamoon |
Shamoon attempts to copy itself to remote machines on the network.(Citation: Palo Alto Shamoon Nov 2016) |
Operation Wocao |
Operation Wocao has used SMB to copy files to and from target systems.(Citation: FoxIT Wocao December 2019) |
Magic Hound |
Magic Hound has copied tools within a compromised network using RDP.(Citation: DFIR Phosphorus November 2021) |
INC Ransom |
INC Ransom has used a rapid succession of copy commands to install a file encryption executable across multiple endpoints within compromised infrastructure.(Citation: Huntress INC Ransom Group August 2023)(Citation: Secureworks GOLD IONIC April 2024) |
PsExec |
PsExec can be used to download or upload a file over a network share.(Citation: PsExec Russinovich) |
HermeticWizard |
HermeticWizard can copy files to other machines on a compromised network.(Citation: ESET Hermetic Wizard March 2022) |
DustySky |
DustySky searches for network drives and removable media and duplicates itself onto them.(Citation: DustySky) |
During HomeLand Justice, threat actors initiated a process named Mellona.exe to spread the ROADSWEEP file encryptor and a persistence script to a list of internal machines.(Citation: CISA Iran Albanian Attacks September 2022) |
|
Sandworm Team |
Sandworm Team has used `move` to transfer files to a network share and has copied payloads--such as Prestige ransomware--to an Active Directory Domain Controller and distributed via the Default Domain Group Policy Object.(Citation: Dragos Crashoverride 2018)(Citation: Microsoft Prestige ransomware October 2022) Additionally, Sandworm Team has transferred an ISO file into the OT network to gain initial access.(Citation: Mandiant-Sandworm-Ukraine-2022) |
During the 2015 Ukraine Electric Power Attack, Sandworm Team moved their tools laterally within the corporate network and between the ICS and corporate network. (Citation: Booz Allen Hamilton) |
|
Kerrdown |
Kerrdown can download additional software including Cobalt Strike from servers on the victim's network.(Citation: Amnesty Intl. Ocean Lotus February 2021) |
OutSteel |
OutSteel can download the Saint Bot malware for follow-on execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |
Agrius |
Agrius downloaded some payloads for follow-on execution from legitimate filesharing services such as |
LockerGoga |
LockerGoga has been observed moving around the victim network via SMB, indicating the actors behind this ransomware are manually copying files form computer to computer instead of self-propagating.(Citation: Unit42 LockerGoga 2019) |
Stuxnet |
Stuxnet uses an RPC server that contains a file dropping routine and support for payload version updates for P2P communications within a victim network.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
During C0015, the threat actors used WMI to load Cobalt Strike onto additional hosts within a compromised network.(Citation: DFIR Conti Bazar Nov 2021) |
|
APT41 |
APT41 uses remote shares to move and remotely execute payloads during lateral movemement.(Citation: Rostovcev APT41 2021) |
cmd |
cmd can be used to copy files to/from a remotely connected internal system.(Citation: TechNet Copy) |
WannaCry |
WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit.(Citation: LogRhythm WannaCry) |
Mitigations |
|
Mitigation | Description |
---|---|
Filter Network Traffic |
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. |
Network Intrusion Prevention |
Use intrusion detection signatures to block traffic at network boundaries. |
Detection
Monitor for file creation and files transferred within a network using protocols such as SMB or FTP. Unusual processes with internal network connections creating files on-system may be suspicious. Consider monitoring for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. Considering monitoring for alike file hashes or characteristics (ex: filename) that are created on multiple hosts.
References
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
- Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.
- David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.
- Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
- Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
- Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
- Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
- Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
- Microsoft. (2019, July 12). About BITS. Retrieved March 16, 2020.
- FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
- N/A. (n.d.). ftp(1) - Linux man page. Retrieved February 25, 2022.
- Microsoft. (2021, July 21). ftp. Retrieved February 25, 2022.
- LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
- Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
- Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
- Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
- John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
- Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
- Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
- Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
- Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
- Microsoft. (2020, March 10). Preventing SMB traffic from lateral connections and entering or leaving the network. Retrieved June 1, 2020.
- Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
- LOLBAS. (n.d.). Expand.exe. Retrieved February 19, 2019.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
- Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.
- MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
- Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
- Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
- Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015.
- ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
- MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
- Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- Marc Salinas Fernandez & Jiri Vinopal. (2023, May 23). AGRIUS DEPLOYS MONEYBIRD IN TARGETED ATTACKS AGAINST ISRAELI ORGANIZATIONS. Retrieved May 21, 2024.
- Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
- Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
- Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
Связанные риски
Риск | Связи | |
---|---|---|
Боковое перемещение злоумышленника по локальной сети
из-за
возможности передачи утилит и инструментов при боковом перемещении
в операционной системе
Конфиденциальность
Целостность
|
1
|
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.