T1570: Lateral Tool Transfer

Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols, such as file sharing over SMB to connected network shares, or with authenticated connections to SMB/Windows Admin Shares or Remote Desktop Protocol. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

Example

This demo shows how we can use native tools to transfer files and move laterally around the network.

CMD

CMD can be used to copy tools to and from a remote share. This is straightforward, assuming we have the correct permissions to write to the share.

The demo above shows how we can move our tools laterally over SMB shares with the correct credentials and permissions. The same technique can be used to replace existing files and wait for the victim to execute them, giving us a shell on the workstation.

Once the payload is executed, we can catch the shell and gain access to the other workstation.
