Common Information
| Type | Value |
|---|---|
| Value |
Remote File Copy - T1105 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol. Detection: Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) Platforms: Linux, macOS, Windows Data Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring Permissions Required: User Requires Network: Yes |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-03-13 | 41 | CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign | ||
| Details | Website | 2024-03-13 | 37 | CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign | ||
| Details | Website | 2024-02-27 | 72 | Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities | ||
| Details | Website | 2024-02-27 | 73 | Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities | ||
| Details | Website | 2024-02-23 | 85 | SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708) | Huntress | ||
| Details | Website | 2024-02-13 | 38 | CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day | ||
| Details | Website | 2024-02-13 | 39 | CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day | ||
| Details | Website | 2024-01-29 | 115 | Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours | ||
| Details | Website | 2024-01-24 | 16 | Mexican Banks and Cryptocurrency Platforms Targeted With AllaKore RAT | ||
| Details | Website | 2024-01-04 | 63 | ATT&CK을 이용해 스스로 평가하기(APT3, Second Scenario) | ||
| Details | Website | 2024-01-01 | 26 | Curling for Data: A Dive into a Threat Actor's Malicious TTPs | Huntress | ||
| Details | Website | 2024-01-01 | 8 | Can’t Touch This: Data Exfiltration via Finger | Huntress | ||
| Details | Website | 2023-12-06 | 198 | Russia/Ukraine Update - December 2023 | ||
| Details | Website | 2023-11-30 | 27 | AeroBlade on the Hunt Targeting the U.S. Aerospace Industry | ||
| Details | Website | 2023-11-28 | 81 | Aki-RATs - Command and Control Party | ||
| Details | Website | 2023-11-19 | 117 | LitterDrifter: a new USB worm used by the Gamaredon group | ||
| Details | Website | 2023-11-17 | 80 | WinRAR CVE-2023-38831 Vulnerability: Malware Exploits & APT Attacks | ||
| Details | Website | 2023-11-16 | 2 | Identifying Quieter Attack Techniques | ||
| Details | Website | 2023-11-14 | 44 | Everything You Need to Know About Silent Skimming | ||
| Details | Website | 2023-11-13 | 78 | Don’t throw a hissy fit; defend against Medusa | ||
| Details | Website | 2023-11-06 | 203 | SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT - Blogs on Information Technology, Network & Cybersecurity | Seqrite | ||
| Details | Website | 2023-11-03 | 106 | Exploitation of CVE-2023-46604 Leading to Ransomware | ||
| Details | Website | 2023-11-01 | 44 | Elastic catches DPRK passing out KANDYKORN — Elastic Security Labs | ||
| Details | Website | 2023-10-24 | 36 | Dealing with MITRE ATT&CK®’s different levels of detail | ||
| Details | Website | 2023-10-23 | 273 | Red Team Tools |