Common Information
| Type | Value |
|---|---|
| Value |
Remote File Copy - T1105 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol. Detection: Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) Platforms: Linux, macOS, Windows Data Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring Permissions Required: User Requires Network: Yes |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-11-15 | 38 | Dark Web Profile: Cadet Blizzard | ||
| Details | Website | 2024-11-15 | 33 | DONOT's Attack On Maritime & Defense Manufacturing | ||
| Details | Website | 2024-11-14 | 72 | Weekly Intelligence Report - 15 Nov 2024 | #ransomware | #cybercrime | National Cyber Security Consulting | ||
| Details | Website | 2024-11-13 | 55 | HawkEye Malware: Technical Analysis | ||
| Details | Website | 2024-11-13 | 55 | HawkEye Malware: Technical Analysis - ANY.RUN's Cybersecurity Blog | ||
| Details | Website | 2024-11-13 | 55 | HawkEye | PredatorPain | ||
| Details | Website | 2024-11-09 | 19 | TRACKING RANSOMWARE : OCTOBER 2024 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting | ||
| Details | Website | 2024-11-07 | 28 | Helldown Ransomware – A New Emerging Ransomware Threat | ||
| Details | Website | 2024-11-04 | 27 | Jumpy Pisces Threat Intel | ||
| Details | Website | 2024-11-03 | 35 | Threat Actor — Cl0P | ||
| Details | Website | 2024-11-03 | 54 | Coinminer - Malware Analysis | ||
| Details | Website | 2024-10-31 | 10 | UAC-0050 Phishing Attack Detection: The russia-Backed Group Massively Spreads Tax-Related Phishing Emails and Exploit LITEMANAGER - SOC Prime | ||
| Details | Website | 2024-10-30 | 154 | Крысиный король: как Android-троян CraxsRAT ворует данные пользователей | Блог F.A.C.C.T. | ||
| Details | Website | 2024-10-30 | 379 | 从目录浏览分析幽盾攻击组织-安全客 - 安全资讯平台 | ||
| Details | Website | 2024-10-30 | 28 | Attacker Abuses Victim Resources to Reap Rewards from Titan Network | ||
| Details | Website | 2024-10-29 | 19 | Ransomware: Kill Security | ||
| Details | Website | 2024-10-28 | 376 | Inside the Open Directory of the “You Dun” Threat Group | ||
| Details | Website | 2024-10-28 | 25 | Threat Intelligence Report October 22 - October 28 2024 | Red Piranha | ||
| Details | Website | 2024-10-25 | 58 | HeptaX: Unauthorized RDP Connections For Cyberespionage Operations | ||
| Details | Website | 2024-10-24 | 16 | Talos IR trends Q3 2024: Identity-based operations loom large | ||
| Details | Website | 2024-10-23 | 44 | Highlighting TA866/Asylum Ambuscade Activity Since 2021 | ||
| Details | Website | 2024-10-22 | 22 | Threat Intelligence Report October 15 - October 21 2024 | Red Piranha | ||
| Details | Website | 2024-10-22 | 13 | Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach | ||
| Details | Website | 2024-10-21 | 21 | Attackers Target Exposed Docker Remote API Servers With perfctl Malware | ||
| Details | Website | 2024-10-18 | 27 | Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A |