Common Information
| Type | Value |
|---|---|
| Value |
Remote File Copy - T1105 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol. Detection: Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) Platforms: Linux, macOS, Windows Data Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring Permissions Required: User Requires Network: Yes |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2019-08-04 | 34 | Back to square one: The Capital One breach proved we must rethink cloud security - Darktrace Blog | ||
| Details | Website | 2019-07-08 | 188 | Malicious campaign targets South Korean users with backdoor‑laced torrents | WeLiveSecurity | ||
| Details | Website | 2019-06-20 | 115 | LoudMiner: Cross‑platform mining in cracked VST software | WeLiveSecurity | ||
| Details | Website | 2019-04-30 | 281 | Buhtrap backdoor and Buran ransomware distributed via major advertising platform | WeLiveSecurity | ||
| Details | Website | 2019-04-29 | 57 | LockerGoga Ransomware Family Used in Targeted Attacks | McAfee Blog | ||
| Details | Website | 2019-04-22 | 48 | CB TAU Threat Intelligence Notification: HopLight Campaign (Linked to North Korea) is Reusing Substantial Amount of Code | ||
| Details | Website | 2019-01-13 | 65 | 101 Bash Commands and Tips for Beginners to Experts | ||
| Details | Website | 2019-01-01 | 17 | diantz | LOLBAS | ||
| Details | Website | 2018-12-18 | 63 | Sofacy Creates New ‘Go’ Variant of Zebrocy Tool |