T1570: T1570
Essential information
- MITRE technique ID
T1570- Confidence
- 100/100
- Revoked
- No
- Published
- 11/03/2020 22:01
- Modified
- 27/03/2026 01:11
- Author / Source
- The MITRE Corporation
Aliases
Lateral Tool Transfer
Platforms
windows macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (53)
-
Beast relatedRansomware.Live Confidence 100
Beast is a Ransomware-as-a-service (RaaS) product which provides functionality such as SMB scanning, file encryption, service and process starting and stopping, and geographic identification to avoid encryption in…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Black Basta, Cactus relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used…
First seen 01/01/1970 · Last seen 16/11/5138 · -
BondNet relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CL0P relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Chimera relatedThe MITRE Corporation Confidence 100
[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Chinese-nexus threat actor relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cicada3301 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CrazyHunter relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Domain relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
EXOTIC LILY relatedThe MITRE Corporation Confidence 100
[EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (69)
-
Nokoyawa uses
-
Datto RMM usesFamily
-
Zagrebator.RAT usesFamily
-
Ntospy uses
-
Cuba uses
-
Brute Ratel C4 usesFamily
-
IcedID usesFamily
-
Interlock usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Brute Ratel usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Irafau usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Fidel usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ScreenConnect usesFamily
Reports (50)
-
1 CVE 16 MITREs 5 Malwares 16 Observables 1 APT
-
Threat landscape — Belgium relatedConfidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
Latest PyPi Compromise relatedAlienVault Confidence 100 20 MITREs 3 Malwares 9 IOCs 9 Observables 1 APT
-
AlienVault Confidence 100 5 CVEs 24 MITREs 2 Malwares 4 IOCs 4 Observables
-
3 CVEs 20 MITREs 13 Malwares 33 Observables 1 APT
-
19 MITREs 2 Malwares 2 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 3 Malwares 15 IOCs 15 Observables
-
46 MITREs 6 Malwares 27 Observables 1 APT
-
20 MITREs 8 Malwares
-
AlienVault Confidence 100 11 MITREs 1 Malware 1 APT
-
AlienVault Confidence 100 19 MITREs 1 Malware 7 IOCs 7 Observables 1 APT
Vulnerabilities (CVE) (58)
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by …
- Attack vector
- NETWORK
- Published
- 07/08/2024
- Modified
- 21/12/2025
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This …
- Attack vector
- Network
- Published
- 07/02/2025
- Modified
- 21/12/2025
Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.
- Attack vector
- Local
- Complexity
- Low
- Published
- 15/11/2017
- Modified
- 29/05/2026
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.
- Attack vector
- Network
- Published
- 15/03/2023
- Modified
- 21/12/2025
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …
- Attack vector
- Network
- Published
- 12/06/2024
- Modified
- 21/12/2025
Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow …
- Attack vector
- Network
- Published
- 22/07/2025
- Modified
- 21/12/2025
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An …
- Published
- 10/02/2022
- Modified
- 20/12/2025
A command injection vulnerability in the IPSec VPN feature of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series …
- Attack vector
- NETWORK
- Published
- 03/09/2024
- Modified
- 21/12/2025
Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an …
- Published
- 03/11/2021
- Modified
- 29/05/2026
Microsoft Windows Common Log File System (CLFS) Driver contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 13/04/2022
- Modified
- 27/05/2026
Course Of Action (2)
-
Network Intrusion Prevention mitigates
-
Filter Network Traffic mitigates
Tool (5)
-
Impacket usesThe MITRE Corporation Confidence 100
[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation,…
-
ftp usesThe MITRE Corporation Confidence 100
[ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a…
-
BITSAdmin usesThe MITRE Corporation Confidence 100
[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)
-
PsExec usesThe MITRE Corporation Confidence 100
[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
-
cmd usesThe MITRE Corporation Confidence 100
[cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd) Cmd.exe contains native functionality to…
Campaign (4)
-
Operation Wocao uses
-
C0015 uses
-
SharePoint ToolShell Exploitation uses
-
2015 Ukraine Electric Power Attack uses