Common Information

Value: Remote File Copy - T1105
Category: Attack-Pattern
Type: Mitre-Enterprise-Attack-Attack-Pattern
Misp Type: Cluster
Description:

Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network, or through alternate protocols with another tool such as FTP. Files can also be copied on Mac and Linux with native tools like scp, rsync, and sftp. Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution, using inherent file sharing protocols such as file sharing over SMB to connected network shares, or authenticated connections with Windows Admin Shares or Remote Desktop Protocol.

Detection: Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)

Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring
Permissions Required: User
Requires Network: Yes
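The Detection guidance above names two network-side signals that are easy to operationalise over flow telemetry: clients that send far more than they receive, and processes that use the network without being in a known-good baseline. The following Python is an added example (not part of the MISP record or the MITRE text); the Flow records, the byte thresholds and the NETWORK_BASELINE set are constructed for illustration.

```python
"""Flag two T1105 detection signals over flow records: outbound-heavy
transfers and network use by processes absent from a baseline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    host: str        # internal host that originated the connection
    process: str     # process that owned the socket (from process-use-of-network data)
    dst: str         # remote endpoint
    dst_port: int
    bytes_out: int   # bytes sent by the internal host
    bytes_in: int    # bytes received by the internal host


# Constructed flow records for illustration (not real telemetry).
SAMPLE_FLOWS = [
    Flow("ws01", "chrome.exe", "203.0.113.10", 443, 40_000, 2_100_000),
    Flow("ws01", "svchost.exe", "10.0.0.5", 445, 90_000, 85_000),
    Flow("ws02", "update.exe", "198.51.100.7", 443, 9_500_000, 120_000),
    Flow("ws02", "ftp.exe", "198.51.100.7", 21, 3_000_000, 4_000),
    Flow("fs01", "explorer.exe", "10.0.0.9", 445, 1_200, 6_000_000),
]

# Constructed baseline: processes expected to use the network on these hosts.
NETWORK_BASELINE = {"chrome.exe", "svchost.exe", "explorer.exe"}


def outbound_heavy(flows, ratio=5.0, min_bytes=1_000_000):
    """Flows where the client sends much more than it receives.
    min_bytes drops small chatty flows so the ratio test is not noisy."""
    return [f for f in flows
            if f.bytes_out >= min_bytes and f.bytes_out > ratio * max(f.bytes_in, 1)]


def unbaselined_network_processes(flows, baseline=NETWORK_BASELINE):
    """Processes with network activity that are not in the known-good set."""
    return sorted({f.process for f in flows if f.process not in baseline})


def triage(flows, baseline=NETWORK_BASELINE):
    """One human-readable finding per anomaly, suitable for a SIEM alert."""
    findings = [f"{f.host} {f.process} -> {f.dst}:{f.dst_port} sent {f.bytes_out} B, "
                f"received {f.bytes_in} B" for f in outbound_heavy(flows)]
    findings += [f"process {p} used the network but is not in the baseline"
                 for p in unbaselined_network_processes(flows, baseline)]
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_FLOWS):
        print(line)
```

Both checks fire on the constructed ftp.exe and update.exe flows, matching the guidance that FTP use and never-before-seen network processes warrant a look.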
Details | Published | Attributes | CTI Title
Website | 2022-10-12 | 24 | Anomali Cyber Watch: Emotet Added Two New Modules, LofyGang Distributed 200 Malicious Packages, Bumblebee Loader Expanded Its Reach, and More
Website | 2022-10-07 | 36 | CISA Alert AA22-277A - Impacket and CovalentStealer Used to Steal Sensitive Data
Website | 2022-10-05 | 29 | SafeBreach Coverage for US-CERT Alert (AA22-277A) – Use of Impacket and CovalentStealer to Steal Sensitive Data
Website | 2022-10-04 | 34 | Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization | CISA
Website | 2022-09-29 | 73 | Malware Persistence Within ESXi Hypervisors | Malicious VIBs
Website | 2022-09-27 | 21 | Anomali Cyber Watch: Sandworm Uses HTML Smuggling and Commodity RATs, BlackCat Ransomware Adds New Features, Domain Shadowing Is Rarely Detected, and More
Website | 2022-09-26 | 39 | Return of Pseudo Ransomware
Website | 2022-09-15 | 76 | PrivateLoader: the loader of the prevalent ruzki PPI service
Website | 2022-09-13 | 78 | ProxyShell exploitation leads to BlackByte ransomware - Red Canary
Website | 2022-09-12 | 19 | What is Crypto Malware and How to Defend Against Cryptojacking? - SOC Prime
Website | 2022-09-08 | 74 | Microsoft investigates Iranian attacks against the Albanian government - Microsoft Security Blog
Website | 2022-09-08 | 48 | Microsoft investigates Iranian attacks against the Albanian government | Microsoft Security Blog
Website | 2022-08-31 | 156 | Ryuk Ransomware: History, Timeline, and Adversary Simulation - FourCore
Website | 2022-08-30 | 34 | Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More
Website | 2022-08-18 | 181 | APT41 World Tour 2021 on a tight schedule
Website | 2022-08-17 | 100 | UNC3890 | Suspected Iranian Threat Actor Targets Israel
Website | 2022-08-17 | 100 | Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors | Mandiant
Website | 2022-08-16 | 50 | Anomali Cyber Watch: Ransomware Module Added to SOVA Android Trojan, Bitter APT Targets Mobile Phones with Dracarys, China-Sponsored TA428 Deploys Six Backdoors at Once, and More
Website | 2022-08-08 | 143 | BumbleBee Roasts Its Way to Domain Admin
Website | 2022-08-02 | 57 | Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More
Website | 2022-07-26 | 60 | Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers | Mandiant
Website | 2022-07-20 | 120 | Securonix Threat Labs Initial Coverage Advisory: STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea)
Website | 2022-07-19 | 33 | Anomali Cyber Watch: H0lyGh0st Ransomware Earns for North Korea, OT Unlocking Tools Drop Sality, Switch-Case-Oriented Programming for ChromeLoader, and More
Website | 2022-07-05 | 67 | Bitter APT continues to target Bangladesh | SECUINFRA Falcon Team
Website | 2022-06-29 | 57 | Raccoon Stealer v2 - Part 2: In-depth analysis