Lateral Tool Transfer - T1570
(ATT&CK® Technique)
Definition
Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer), files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.
D3FEND Inferred Relationships
graph LR;
T1570["Lateral Tool Transfer"] --> |produces| IntranetFileTransferTraffic["Intranet File Transfer Traffic"];
class T1570 OffensiveTechniqueNode;
class IntranetFileTransferTraffic ArtifactNode;
click IntranetFileTransferTraffic href "/dao/artifact/d3f:IntranetFileTransferTraffic";
click T1570 href "/offensive-technique/attack/T1570/";
Client-serverPayloadProfiling["Client-server Payload Profiling"] --> | analyzes | IntranetFileTransferTraffic["Intranet File Transfer Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.-> | may-detect | T1570["Lateral Tool Transfer"];
class Client-serverPayloadProfiling DefensiveTechniqueNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";
ConnectionAttemptAnalysis["Connection Attempt Analysis"] --> | analyzes | IntranetFileTransferTraffic["Intranet File Transfer Traffic"];
ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.-> | may-detect | T1570["Lateral Tool Transfer"];
class ConnectionAttemptAnalysis DefensiveTechniqueNode;
click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis";
FileCarving["File Carving"] --> | analyzes | IntranetFileTransferTraffic["Intranet File Transfer Traffic"];
FileCarving["File Carving"] -.-> | may-detect | T1570["Lateral Tool Transfer"];
class FileCarving DefensiveTechniqueNode;
click FileCarving href "/technique/d3f:FileCarving";
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> | analyzes | IntranetFileTransferTraffic["Intranet File Transfer Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.-> | may-detect | T1570["Lateral Tool Transfer"];
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] --> | analyzes | IntranetFileTransferTraffic["Intranet File Transfer Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.-> | may-detect | T1570["Lateral Tool Transfer"];
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> | analyzes | IntranetFileTransferTraffic["Intranet File Transfer Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.-> | may-detect | T1570["Lateral Tool Transfer"];
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> | analyzes | IntranetFileTransferTraffic["Intranet File Transfer Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.-> | may-detect | T1570["Lateral Tool Transfer"];
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> | analyzes | IntranetFileTransferTraffic["Intranet File Transfer Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.-> | may-detect | T1570["Lateral Tool Transfer"];
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";
NetworkTrafficFiltering["Network Traffic Filtering"] --> | filters | IntranetFileTransferTraffic["Intranet File Transfer Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.-> | may-isolate | T1570["Lateral Tool Transfer"];
class NetworkTrafficFiltering DefensiveTechniqueNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> | analyzes | IntranetFileTransferTraffic["Intranet File Transfer Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.-> | may-detect | T1570["Lateral Tool Transfer"];
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";