T1570: T1570
Essential information
- MITRE technique ID
- T1570
- Confidence
- 100/100
- Revoked
- No
- Published
- 11/03/2020 22:01
- Modified
- 27/03/2026 01:11
- Author / Source
- The MITRE Corporation
Aliases
Lateral Tool Transfer
Platforms
windows macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:GREEN
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (53)
- FIN10 · related · The MITRE Corporation · Confidence 100
  [FIN10](https://attack.mitre.org/groups/G0051) is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims…
  First seen 01/01/1970 · Last seen 16/11/5138
- FakeTicketer · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia,…
  First seen 01/01/1970 · Last seen 16/11/5138
- GOLD SALEM · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- GhostEmperor · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Helldown · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Lazarus · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- LockBit · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Lunar Spider · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Makop · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Medusa Group · related · The MITRE Corporation · Confidence 100
  [Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates…
  First seen 01/01/1970 · Last seen 16/11/5138
- Nefilim · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Malware (69)
- RansomHub · uses · The MITRE Corporation · Confidence 100
  [RansomHub](https://attack.mitre.org/software/S1212) is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors…
  First seen 01/01/1970 · Last seen 16/11/5138
- Sliver · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- SameCoin · uses · AlienVault · Confidence 100
  [SameCoin](https://attack.mitre.org/software/S9030) is a multi-platform wiper with Windows and Android versions that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) to target entities in the Middle East including in Israel.(Citation: Check Point…
  First seen 01/01/1970 · Last seen 16/11/5138
- ZingDoor · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- CloudAtlas · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- BlackByte · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Makop · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- QuackBot · uses · The MITRE Corporation · Confidence 100
  [QakBot](https://attack.mitre.org/software/S0650) is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. [QakBot](https://attack.mitre.org/software/S0650) is continuously maintained and developed and has evolved from…
  First seen 01/01/1970 · Last seen 16/11/5138
- SystemBC · uses · AlienVault · Confidence 100
  [SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment. [SystemBC](https://attack.mitre.org/software/S9001) executes a variety…
  First seen 01/01/1970 · Last seen 16/11/5138
- Raccoon Stealer V2 · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- INMemory web shell · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- ThreatNeedle - S0665 · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Reports (50)
- 8 MITREs
- 18 MITREs 1 Malware 1 APT
- 15 MITREs 2 Malwares 2 Observables 1 APT
- Play Ransomware Engagement · related · 17 MITREs 3 Malwares 1 APT
- 1 CVE 22 MITREs 2 Malwares 16 Observables
- 1 CVE 16 MITREs 1 Observable
- 8 MITREs 1 Malware 5 Observables 1 APT
- Cuckoo Threat Actor Arsenal · related · 14 MITREs 2 Malwares 9 Observables 1 APT
- 32 MITREs 6 Malwares 45 Observables
- 20 MITREs 3 Malwares 1 Observable 1 APT
- 2 CVEs 12 MITREs 3 Malwares 5 Observables 1 APT
- 8 MITREs 1 Malware 7 Observables
Vulnerabilities (CVE) (58)
Cisco NX-OS contains a command injection vulnerability in the command line interface (CLI) that could allow an authenticated, local attacker to execute …
- Attack vector
- Local
- Published
- 02/07/2024
- Modified
- 21/12/2025
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …
- Attack vector
- Network
- Published
- 20/07/2025
- Modified
- 21/12/2025
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up …
- Attack vector
- Network
- Published
- 11/02/2026
- Modified
- 08/05/2026
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and …
- Attack vector
- NETWORK
- Published
- 21/03/2025
- Modified
- 21/12/2025
Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 19/10/2017
- Modified
- 22/04/2026
Unspecified vulnerability allows for an authenticated user to escalate privileges.
- Published
- 17/11/2021
- Modified
- 21/12/2025
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report …
- Attack vector
- Network
- Published
- 13/06/2024
- Modified
- 21/12/2025
An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS …
- Published
- 09/12/2025
- Modified
- 17/12/2025
Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead …
- Attack vector
- Network
- Published
- 13/12/2024
- Modified
- 21/12/2025
Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Course Of Action (2)
- Network Intrusion Prevention · mitigates
- Filter Network Traffic · mitigates
Tool (5)
- Impacket · uses · The MITRE Corporation · Confidence 100
  [Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation,…
- ftp · uses · The MITRE Corporation · Confidence 100
  [ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a…
- BITSAdmin · uses · The MITRE Corporation · Confidence 100
  [BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)
- PsExec · uses · The MITRE Corporation · Confidence 100
  [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
- cmd · uses · The MITRE Corporation · Confidence 100
  [cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd) Cmd.exe contains native functionality to…
Campaign (4)
- Operation Wocao · uses
- C0015 · uses
- SharePoint ToolShell Exploitation · uses
- 2015 Ukraine Electric Power Attack · uses