T1570: T1570

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 11/03/2020 22:01 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1570
Confidence: 100/100
Revoked: No
Published: 11/03/2020 22:01
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Lateral Tool Transfer

Platforms

windows macos linux ESXi

Description

Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019) Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)

Kill chain phases

Kill chain	Phase
mitre-attack	lateral-movement

Marking (TLP)

External references

mitre-attack (T1570)
Dropbox Malware Sync
Unit42 LockerGoga 2019

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (53)

Beast related

Ransomware.Live Confidence 100

Beast is a Ransomware-as-a-service (RaaS) product which provides functionality such as SMB scanning, file encryption, service and process starting and stopping, and geographic identification to avoid encryption in…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Black Basta, Cactus related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackByte related Hecamede

The MITRE Corporation Confidence 100

[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BondNet related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL0P related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chimera related

The MITRE Corporation Confidence 100

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chinese-nexus threat actor related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cicada3301 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cinnamon Tempest related DEV-0401Emperor Dragonfly

The MITRE Corporation Confidence 100

[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CrazyHunter related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Domain related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
EXOTIC LILY related

The MITRE Corporation Confidence 100

[EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

25–36 of 53

RansomHub uses

Family
Sliver uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SameCoin uses

Family
ZingDoor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CloudAtlas uses

Family
BlackByte uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Makop uses

Family
QuackBot uses

Family
SystemBC uses

AlienVault Confidence 100

[SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.[SystemBC](https://attack.mitre.org/software/S9001) executes a variety…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Raccoon Stealer V2 uses

Family
INMemory web shell uses

Family
ThreatNeedle - S0665 uses

Family

← Previous

Page / 6

1–12 of 69

From external espionage to domestic targeting related

1 CVE 16 MITREs 5 Malwares 16 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Latest PyPi Compromise related

AlienVault Confidence 100 20 MITREs 3 Malwares 9 IOCs 9 Observables 1 APT
PCPJack | Cloud Worm Evicts TeamPCP and Steals … related

AlienVault Confidence 100 5 CVEs 24 MITREs 2 Malwares 4 IOCs 4 Observables
UAT-8302 and its box full of malware related

3 CVEs 20 MITREs 13 Malwares 33 Observables 1 APT
Inside Vect Ransomware-as-a-Service related

19 MITREs 2 Malwares 2 Observables 1 APT
fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software … related

AlienVault Confidence 100 20 MITREs 3 Malwares 15 IOCs 15 Observables
The Gentlemen & SystemBC: A Sneak Peek Behind … related

46 MITREs 6 Malwares 27 Observables 1 APT
Using KATA and KEDR to detect the AdaptixC2 … related

20 MITREs 8 Malwares
Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government … related

AlienVault Confidence 100 11 MITREs 1 Malware 1 APT
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran related

AlienVault Confidence 100 19 MITREs 1 Malware 7 IOCs 7 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (58)

CVE-2025-49704 KEV targets

8.8 High

Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2021-41379 KEV targets

Microsoft Windows Installer contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/03/2022
Modified: 21/12/2025

CVE-2024-38196 targets

7.8 High

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Attack vector: LOCAL
Published: 13/08/2024
Modified: 21/12/2025

Received

CVE-2019-1388 KEV targets

Microsoft Windows Certificate Dialog contains a privilege escalation vulnerability, allowing attackers to run processes in an elevated context.

Published: 07/04/2023
Modified: 21/12/2025

CVE-2024-1800 targets

CVE-2025-20333 KEV targets

9.9 Critical

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2024-51324 targets

3.8 Low

An issue in the BdApiUtil driver of Baidu Antivirus v5.2.3.116083 allows attackers to terminate arbitrary process via executing a BYOVD (Bring Your …

Attack vector: NETWORK
Published: 11/02/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2024-23897 KEV targets

9.8 Critical

Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead …

Attack vector: Network
Published: 19/08/2024
Modified: 21/12/2025

CVE-2025-61932 KEV targets

9.3 Critical

Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to …

Published: 22/10/2025
Modified: 21/12/2025

Received

CVE-2016-0099 KEV targets

7.8 High

A privilege escalation vulnerability exists in Microsoft Windows if the Windows Secondary Logon Service fails to properly manage request handles in memory. …

Attack vector: LOCAL
Complexity: LOW
Published: 09/03/2016
Modified: 22/04/2026

CWE-120

CVE-2022-30190 KEV targets

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …

Published: 14/06/2022
Modified: 27/05/2026

CVE-2025-59719 targets

9.8 Critical

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an …

Published: 09/12/2025
Modified: 09/12/2025

Analyzed

← Previous

Page / 5

1–12 of 58

Network Intrusion Prevention mitigates
Filter Network Traffic mitigates

Tool (5)

Impacket uses

The MITRE Corporation Confidence 100

[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation,…
ftp uses

The MITRE Corporation Confidence 100

[ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a…
BITSAdmin uses

The MITRE Corporation Confidence 100

[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)
PsExec uses

The MITRE Corporation Confidence 100

[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
cmd uses

The MITRE Corporation Confidence 100

[cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd) Cmd.exe contains native functionality to…

Campaign (4)

Operation Wocao uses
C0015 uses
SharePoint ToolShell Exploitation uses
2015 Ukraine Electric Power Attack uses

Contact About Legal notice Privacy policy Terms of use

T1570: T1570

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (53)

Malware (69)

Reports (50)

Vulnerabilities (CVE) (58)

Course Of Action (2)

Tool (5)

Campaign (4)