T1570

Lateral Tool Transfer

Adversaries may transfer tools or other files between systems in a compromised environment. Once initial access is established, tools are staged across multiple hosts to support lateral movement, ransomware deployment, data exfiltration, or persistence. Transfer mechanisms include SMB via Windows Admin Shares (\\host\ADMIN$, \\host\C$), RDP file sharing, and native utilities such as scp, rsync, sftp, ftp, and curl. Living-Off-The-Land Binaries (LOLBins) including certutil, bitsadmin, esentutl, and robocopy are frequently abused to perform transfers while blending with legitimate activity. PsExec is widely used to copy and remotely execute binaries on target hosts. Real-world threat actors including BlackCat ransomware (psexec-based propagation), Netwalker (psexec), INC Ransomware (push to multiple endpoints), Medusa Group (PDQ Deploy for binary distribution), Emotet (network self-replication via service.exe), and Volt Typhoon (web shell replication across servers) have leveraged these techniques to propagate tools during intrusions.

Microsoft Sentinel / Defender

kusto

let ExecutableExtensions = dynamic([".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".hta", ".js", ".msi", ".scr", ".cpl"]);
let LOLBins = dynamic(["certutil.exe", "bitsadmin.exe", "esentutl.exe", "robocopy.exe", "expand.exe", "makecab.exe"]);
let TransferTools = dynamic(["psexec.exe", "psexec64.exe", "paexec.exe", "scp.exe", "sftp.exe", "ftp.exe", "winscp.exe"]);
let SensitiveDirs = dynamic(["\\Windows\\Temp\\", "\\Windows\\System32\\", "\\Windows\\SysWOW64\\", "\\ProgramData\\", "\\Users\\Public\\"]);
// Branch A: LOLBins executing lateral file transfers
let LOLBinTransfers = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (LOLBins)
| where ProcessCommandLine has @"\\\\"
    or (FileName =~ "certutil.exe" and ProcessCommandLine has_any ("urlcache", "-f", "-split"))
    or (FileName =~ "bitsadmin.exe" and ProcessCommandLine has_any ("/transfer", "/addfile", "/upload"))
    or (FileName =~ "esentutl.exe" and ProcessCommandLine has_any ("/cp", "/y"))
    or (FileName =~ "robocopy.exe" and ProcessCommandLine matches regex @"\\\\[A-Za-z0-9\-\.]+\\")
| extend IsCertutil = FileName =~ "certutil.exe"
| extend IsBitsadmin = FileName =~ "bitsadmin.exe"
| extend IsEsentutl = FileName =~ "esentutl.exe"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsCertutil, IsBitsadmin, IsEsentutl, DetectionBranch="LOLBin_Transfer";
// Branch B: Transfer tools referencing internal hosts or UNC paths
let ToolTransfers = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (TransferTools)
| where ProcessCommandLine has @"\\\\"
    or ProcessCommandLine matches regex @"(?:^|[\s\t@:])(?:10\.|172\.(?:1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch="Transfer_Tool";
// Branch C: Executables dropped via SMB (System process writing executables to sensitive directories)
let SMBExecutableDrops = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName has_any (ExecutableExtensions)
| where FolderPath has_any (SensitiveDirs)
| where InitiatingProcessFileName =~ "System"
| project Timestamp, DeviceName,
         AccountName=InitiatingProcessAccountName,
         FileName, FolderPath, SHA256,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch="SMB_Executable_Drop";
// Union all branches
LOLBinTransfers
| union ToolTransfers
| union SMBExecutableDrops
| sort by Timestamp desc

high severity high confidence

Data Sources

File: File Creation Network Share: Network Share Access Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

SCCM/Microsoft Endpoint Configuration Manager pushes software to endpoints via SMB, causing the System process to create executables in ProgramData and Windows directories — generates Branch C alerts
IT automation tools (Ansible WinRM, Chef, Puppet, PDQ Deploy) legitimately use robocopy, bitsadmin, and psexec for software distribution across managed hosts
Backup agents (Veeam, Acronis, Commvault) use certutil and bitsadmin for scheduled transfer tasks, and robocopy for file replication jobs
Developer workflows using scp or sftp to deploy artifacts to internal build/staging servers from workstations
Security and vulnerability scanning tools that copy lightweight agents to remote hosts for assessment purposes

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=11)
| eval IsCertutil=if(EventCode=1 AND match(lower(Image), "\\certutil\.exe$") AND (match(CommandLine, "(?i)(urlcache|/transfer|/cp)") OR match(CommandLine, "\\\\\\\\")), 1, 0)
| eval IsBitsadmin=if(EventCode=1 AND match(lower(Image), "\\bitsadmin\.exe$") AND match(lower(CommandLine), "(/transfer|/addfile|/upload)"), 1, 0)
| eval IsEsentutl=if(EventCode=1 AND match(lower(Image), "\\esentutl\.exe$") AND match(lower(CommandLine), "(/cp|/y)") AND match(CommandLine, "\\\\\\\\"), 1, 0)
| eval IsRobocopy=if(EventCode=1 AND match(lower(Image), "\\robocopy\.exe$") AND match(CommandLine, "\\\\\\\\"), 1, 0)
| eval IsPsExec=if(EventCode=1 AND match(lower(Image), "\\(psexec|psexec64|paexec)\.exe$") AND (match(CommandLine, "\\\\\\\\") OR match(CommandLine, "(?:10\\.|172\\.1[6-9]\\.|172\\.2[0-9]\\.|172\\.3[01]\\.|192\\.168\\.)")), 1, 0)
| eval IsScpSftp=if(EventCode=1 AND match(lower(Image), "\\(scp|sftp|winscp|ftp)\.exe$") AND (match(CommandLine, "\\\\\\\\") OR match(CommandLine, "(?:10\\.|172\\.1[6-9]\\.|172\\.2[0-9]\\.|172\\.3[01]\\.|192\\.168\\.)")), 1, 0)
| eval IsSMBDrop=if(EventCode=11 AND match(lower(TargetFilename), "\.(exe|dll|ps1|bat|cmd|vbs|hta|msi|scr)$") AND match(TargetFilename, "(?i)\\(Windows\\Temp|Windows\\System32|Windows\\SysWOW64|ProgramData|Users\\Public)\\") AND (Image="System" OR match(Image, "\\\\System$")), 1, 0)
| where IsCertutil=1 OR IsBitsadmin=1 OR IsEsentutl=1 OR IsRobocopy=1 OR IsPsExec=1 OR IsScpSftp=1 OR IsSMBDrop=1
| eval DetectionMethod=case(IsSMBDrop=1, "SMB_Executable_Drop", IsCertutil=1, "Certutil_Transfer", IsBitsadmin=1, "BITSAdmin_Transfer", IsEsentutl=1, "Esentutl_Transfer", IsRobocopy=1, "Robocopy_Transfer", IsPsExec=1, "PsExec_Copy", IsScpSftp=1, "SCP_SFTP_Transfer", true(), "Unknown")
| eval TargetFile=coalesce(TargetFilename, Image)
| eval CmdLine=coalesce(CommandLine, "N/A")
| table _time, host, User, Image, CmdLine, TargetFile, DetectionMethod, ParentImage, ParentCommandLine
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

SCCM/Microsoft Endpoint Configuration Manager pushes software to endpoints via SMB, causing the System process to create executables in ProgramData and Windows directories
IT automation tools (Ansible WinRM, Chef, Puppet, PDQ Deploy) legitimately use robocopy, bitsadmin, and psexec for software distribution across managed hosts
Backup agents (Veeam, Acronis, Commvault) use certutil and bitsadmin for scheduled transfer tasks and robocopy for file replication
Developer workflows using scp or sftp to deploy build artifacts to internal staging or build servers
Security tools (Tenable, Qualys, CrowdStrike) that copy assessment agents to remote hosts during scanning operations

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where (
    /* Branch A: LOLBin lateral transfers */
    (
      event.category == "process" and event.type == "start" and
      process.name in~ ("certutil.exe", "bitsadmin.exe", "esentutl.exe", "robocopy.exe", "expand.exe", "makecab.exe") and
      (
        process.command_line like~ "*\\\\*" or
        (process.name == "certutil.exe" and (process.command_line like~ "*urlcache*" or process.command_line like~ "*-f*" or process.command_line like~ "*-split*")) or
        (process.name == "bitsadmin.exe" and (process.command_line like~ "*/transfer*" or process.command_line like~ "*/addfile*" or process.command_line like~ "*/upload*")) or
        (process.name == "esentutl.exe" and (process.command_line like~ "*/cp*" or process.command_line like~ "*/y*")) or
        (process.name == "robocopy.exe" and process.command_line like~ "*\\\\*")
      )
    ) or
    /* Branch B: Transfer tools referencing internal hosts */
    (
      event.category == "process" and event.type == "start" and
      process.name in~ ("psexec.exe", "psexec64.exe", "paexec.exe", "scp.exe", "sftp.exe", "ftp.exe", "winscp.exe") and
      (
        process.command_line like~ "*\\\\*" or
        process.command_line : ("*10.*", "*172.1[6-9].*", "*172.2*", "*172.3[01].*", "*192.168.*")
      )
    ) or
    /* Branch C: Executables dropped via SMB by System process */
    (
      event.category == "file" and event.type == "creation" and
      process.name == "System" and
      file.extension in~ ("exe", "dll", "ps1", "bat", "cmd", "vbs", "hta", "js", "msi", "scr", "cpl") and
      file.path like~ ("*\\Windows\\Temp\\*", "*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*")
    )
  )
]

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-system.security-*

False Positives

System administrators using robocopy or psexec for legitimate software deployment to remote hosts via UNC paths
Backup and file sync agents (e.g., Veeam, Acronis) running as SYSTEM and writing executables to ProgramData or Temp directories
IT automation tools (SCCM, PDQ Deploy, Ansible) using certutil or bitsadmin for software distribution across endpoints
Security scanning products using psexec or similar tools for remote assessment tasks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Computer" AS hostname,
  QIDNAME(qid) AS event_name,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "TargetFilename" AS target_file,
  CASE
    WHEN LOWER("Image") LIKE '%\certutil.exe' AND ("CommandLine" LIKE '%urlcache%' OR "CommandLine" LIKE '%/transfer%' OR "CommandLine" LIKE '%-f%') THEN 'Certutil_Transfer'
    WHEN LOWER("Image") LIKE '%\bitsadmin.exe' AND (LOWER("CommandLine") LIKE '%/transfer%' OR LOWER("CommandLine") LIKE '%/addfile%' OR LOWER("CommandLine") LIKE '%/upload%') THEN 'BITSAdmin_Transfer'
    WHEN LOWER("Image") LIKE '%\esentutl.exe' AND (LOWER("CommandLine") LIKE '%/cp%' OR LOWER("CommandLine") LIKE '%/y%') AND "CommandLine" LIKE '%\\\\%' THEN 'Esentutl_Transfer'
    WHEN LOWER("Image") LIKE '%\robocopy.exe' AND "CommandLine" LIKE '%\\\\%' THEN 'Robocopy_Transfer'
    WHEN (LOWER("Image") LIKE '%\psexec.exe' OR LOWER("Image") LIKE '%\psexec64.exe' OR LOWER("Image") LIKE '%\paexec.exe') AND ("CommandLine" LIKE '%\\\\%' OR "CommandLine" LIKE '%10.%' OR "CommandLine" LIKE '%192.168.%' OR "CommandLine" LIKE '%172.%') THEN 'PsExec_Copy'
    WHEN (LOWER("Image") LIKE '%\scp.exe' OR LOWER("Image") LIKE '%\sftp.exe' OR LOWER("Image") LIKE '%\winscp.exe' OR LOWER("Image") LIKE '%\ftp.exe') AND ("CommandLine" LIKE '%10.%' OR "CommandLine" LIKE '%192.168.%' OR "CommandLine" LIKE '%172.%' OR "CommandLine" LIKE '%\\\\%') THEN 'SCP_SFTP_Transfer'
    WHEN "EventCode" = '11' AND (LOWER("TargetFilename") LIKE '%.exe' OR LOWER("TargetFilename") LIKE '%.dll' OR LOWER("TargetFilename") LIKE '%.ps1' OR LOWER("TargetFilename") LIKE '%.bat' OR LOWER("TargetFilename") LIKE '%.cmd' OR LOWER("TargetFilename") LIKE '%.vbs' OR LOWER("TargetFilename") LIKE '%.msi') AND ("TargetFilename" LIKE '%\Windows\Temp\%' OR "TargetFilename" LIKE '%\ProgramData\%' OR "TargetFilename" LIKE '%\Users\Public\%') AND (LOWER("Image") = 'system' OR LOWER("Image") LIKE '%\system') THEN 'SMB_Executable_Drop'
    ELSE 'Unknown'
  END AS detection_method
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND starttime > NOW() - 24 HOURS
  AND (
    (
      "EventCode" IN ('1') AND
      (
        (LOWER("Image") LIKE '%\certutil.exe' AND ("CommandLine" LIKE '%urlcache%' OR "CommandLine" LIKE '%\\\\%'))
        OR (LOWER("Image") LIKE '%\bitsadmin.exe' AND (LOWER("CommandLine") LIKE '%/transfer%' OR LOWER("CommandLine") LIKE '%/addfile%'))
        OR (LOWER("Image") LIKE '%\esentutl.exe' AND LOWER("CommandLine") LIKE '%/cp%' AND "CommandLine" LIKE '%\\\\%')
        OR (LOWER("Image") LIKE '%\robocopy.exe' AND "CommandLine" LIKE '%\\\\%')
        OR ((LOWER("Image") LIKE '%\psexec.exe' OR LOWER("Image") LIKE '%\paexec.exe') AND ("CommandLine" LIKE '%\\\\%' OR "CommandLine" LIKE '%10.%' OR "CommandLine" LIKE '%192.168.%'))
        OR ((LOWER("Image") LIKE '%\scp.exe' OR LOWER("Image") LIKE '%\sftp.exe' OR LOWER("Image") LIKE '%\winscp.exe') AND ("CommandLine" LIKE '%10.%' OR "CommandLine" LIKE '%192.168.%'))
      )
    )
    OR (
      "EventCode" = '11' AND
      (LOWER("TargetFilename") LIKE '%.exe' OR LOWER("TargetFilename") LIKE '%.dll' OR LOWER("TargetFilename") LIKE '%.ps1' OR LOWER("TargetFilename") LIKE '%.bat' OR LOWER("TargetFilename") LIKE '%.vbs' OR LOWER("TargetFilename") LIKE '%.msi') AND
      ("TargetFilename" LIKE '%\Windows\Temp\%' OR "TargetFilename" LIKE '%\ProgramData\%' OR "TargetFilename" LIKE '%\Users\Public\%' OR "TargetFilename" LIKE '%\Windows\System32\%') AND
      (LOWER("Image") = 'system' OR LOWER("Image") LIKE '%\system')
    )
  )
ORDER BY starttime DESC

high severity high confidence

Data Sources

Microsoft Windows Security Event Log Microsoft Sysmon via QRadar DSM QRadar SIEM log source

Required Tables

events

False Positives

IT operations teams using certutil with -urlcache for legitimate software staging or certificate management workflows
Enterprise patch management systems (SCCM, Intune) using bitsadmin /transfer for controlled update distribution
Authorized penetration testers using psexec or paexec during scheduled assessments of internal network segments
Backup solutions running as SYSTEM that create executable restore artifacts in ProgramData or Windows\Temp

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon (EventCode=1 OR EventCode=11)
| parse xml field=_raw
// Extract common fields
| parse "<Image><![CDATA[*]]></Image>" as process_image nodrop
| parse "<CommandLine><![CDATA[*]]></CommandLine>" as command_line nodrop
| parse "<ParentImage><![CDATA[*]]></ParentImage>" as parent_image nodrop
| parse "<TargetFilename><![CDATA[*]]></TargetFilename>" as target_filename nodrop
| parse "<User><![CDATA[*]]></User>" as username nodrop
| parse "<Computer>*</Computer>" as hostname nodrop
// Normalize paths to lowercase for matching
| toLowerCase(process_image) as image_lower
| toLowerCase(command_line) as cmdline_lower
| toLowerCase(target_filename) as targetfile_lower
// Branch A: LOLBin transfers
| eval IsCertutil = if(EventCode="1" AND (image_lower matches "*\certutil.exe") AND (cmdline_lower matches "*urlcache*" OR cmdline_lower matches "*-f*" OR cmdline_lower matches "*\\\\*"), 1, 0)
| eval IsBitsadmin = if(EventCode="1" AND (image_lower matches "*\bitsadmin.exe") AND (cmdline_lower matches "*/transfer*" OR cmdline_lower matches "*/addfile*" OR cmdline_lower matches "*/upload*"), 1, 0)
| eval IsEsentutl = if(EventCode="1" AND (image_lower matches "*\esentutl.exe") AND (cmdline_lower matches "*/cp*" OR cmdline_lower matches "*/y*") AND command_line matches "*\\\\*", 1, 0)
| eval IsRobocopy = if(EventCode="1" AND (image_lower matches "*\robocopy.exe") AND command_line matches "*\\\\*", 1, 0)
// Branch B: Transfer tools
| eval IsPsExec = if(EventCode="1" AND (image_lower matches "*psexec.exe" OR image_lower matches "*psexec64.exe" OR image_lower matches "*paexec.exe") AND (command_line matches "*\\\\*" OR command_line matches "*10.*" OR command_line matches "*192.168.*" OR command_line matches "*172.1*"), 1, 0)
| eval IsScpSftp = if(EventCode="1" AND (image_lower matches "*\scp.exe" OR image_lower matches "*\sftp.exe" OR image_lower matches "*\winscp.exe" OR image_lower matches "*\ftp.exe") AND (command_line matches "*10.*" OR command_line matches "*192.168.*" OR command_line matches "*172.*" OR command_line matches "*\\\\*"), 1, 0)
// Branch C: SMB executable drops
| eval IsSMBDrop = if(EventCode="11" AND (targetfile_lower matches "*.exe" OR targetfile_lower matches "*.dll" OR targetfile_lower matches "*.ps1" OR targetfile_lower matches "*.bat" OR targetfile_lower matches "*.cmd" OR targetfile_lower matches "*.vbs" OR targetfile_lower matches "*.msi") AND (targetfile_lower matches "*\windows\temp\*" OR targetfile_lower matches "*\programdata\*" OR targetfile_lower matches "*\users\public\*" OR targetfile_lower matches "*\windows\system32\*") AND (image_lower = "system" OR image_lower matches "*\system"), 1, 0)
| where IsCertutil=1 OR IsBitsadmin=1 OR IsEsentutl=1 OR IsRobocopy=1 OR IsPsExec=1 OR IsScpSftp=1 OR IsSMBDrop=1
| eval detection_method = if(IsSMBDrop=1, "SMB_Executable_Drop", if(IsCertutil=1, "Certutil_Transfer", if(IsBitsadmin=1, "BITSAdmin_Transfer", if(IsEsentutl=1, "Esentutl_Transfer", if(IsRobocopy=1, "Robocopy_Transfer", if(IsPsExec=1, "PsExec_Copy", if(IsScpSftp=1, "SCP_SFTP_Transfer", "Unknown")))))))
| fields _messageTime, hostname, username, process_image, command_line, target_filename, parent_image, detection_method
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon (EventCode 1 and 11) Sumo Logic Installed Collector with Windows source

Required Tables

_sourceCategory=windows/sysmon

False Positives

Legitimate use of robocopy by IT teams for bulk file migrations between servers using UNC administrative shares
Software deployment pipelines that invoke certutil -urlcache to pre-stage installers in Windows\Temp prior to execution
Authorized remote management via psexec by helpdesk or operations teams connecting to RFC1918 hosts for troubleshooting
Antivirus or EDR product updates writing signed executables to System32 or ProgramData via SYSTEM context

Google Chronicle / SecOps

yaral

rule lateral_tool_transfer_t1570 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects lateral tool transfer via LOLBin abuse, transfer tools targeting internal hosts, and SMB-initiated executable drops. Covers T1570 TTPs used by BlackCat, Netwalker, Emotet, and Volt Typhoon."
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1570"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-21"

  events:
    (
      // Branch A: LOLBin transfers — certutil, bitsadmin, esentutl, robocopy with transfer indicators
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and (
          re.regex($e.principal.process.file.full_path, `(?i)(certutil|bitsadmin|esentutl|robocopy|expand|makecab)\.exe$`)
        )
        and (
          re.regex($e.principal.process.command_line, `(?i)(urlcache|/transfer|/addfile|/upload|/cp\b|\\\\[A-Za-z0-9\-\.]+\\)`) or
          re.regex($e.principal.process.command_line, `\\\\\\\\`)
        )
      )
      or
      // Branch B: Transfer tools referencing internal RFC1918 hosts or UNC paths
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.principal.process.file.full_path, `(?i)(psexec|psexec64|paexec|scp|sftp|winscp|ftp)\.exe$`)
        and (
          re.regex($e.principal.process.command_line, `\\\\\\\\`) or
          re.regex($e.principal.process.command_line, `(?:10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|192\.168\.)`)
        )
      )
      or
      // Branch C: SMB executable drops — System process writing executables to sensitive dirs
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)\.(exe|dll|ps1|bat|cmd|vbs|hta|js|msi|scr|cpl)$`)
        and re.regex($e.target.file.full_path, `(?i)\\(Windows\\Temp|Windows\\System32|Windows\\SysWOW64|ProgramData|Users\\Public)\\`)
        and re.regex($e.principal.process.file.full_path, `(?i)(^|\\)System$`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows endpoint telemetry ingested into Chronicle Sysmon events forwarded to Chronicle

Required Tables

process_launch UDM events file_creation UDM events

False Positives

Enterprise software distribution tools (PDQ Deploy, SCCM) using psexec or robocopy to push software packages to endpoints across administrative shares
Certutil invoked by PKI administrators for certificate enrollment and cache operations that incidentally match urlcache patterns
IT helpdesk remote support sessions using WinSCP or FTP tools to transfer configuration files to internal servers in RFC1918 space
Legitimate Windows Update mechanisms or trusted installer processes creating system binaries in System32 via SYSTEM context

CrowdStrike LogScale (CQL)

cql

// Branch A: LOLBin lateral transfers
#repo=base_sensor #event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(certutil|bitsadmin|esentutl|robocopy|expand|makecab)\.exe$/
| CommandLine = /(?i)(urlcache|\/transfer|\/addfile|\/upload|\/cp\b|\/y\b|\\\\[a-zA-Z0-9\-\.]+\\)/
| DetectionBranch := "LOLBin_Transfer"
| FileName := ImageFileName
| groupBy([aid, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionBranch], function=count(aid, as=EventCount))

// Branch B: Transfer tools referencing internal hosts
| union (
  #repo=base_sensor #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)(psexec|psexec64|paexec|scp|sftp|winscp|ftp)\.exe$/
  | CommandLine = /(?i)(\\\\[a-zA-Z]|(?:10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|192\.168\.))/
  | DetectionBranch := "Transfer_Tool"
  | FileName := ImageFileName
  | groupBy([aid, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionBranch], function=count(aid, as=EventCount))
)

// Branch C: SMB executable drops via System process
| union (
  #repo=base_sensor #event_simpleName=PeFileWritten
  | TargetFileName = /(?i)\.(exe|dll|ps1|bat|cmd|vbs|hta|js|msi|scr|cpl)$/
  | TargetFileName = /(?i)\\(Windows\\Temp|Windows\\System32|Windows\\SysWOW64|ProgramData|Users\\Public)\\/
  | ImageFileName = /(?i)(^|\\)System\.exe$/
  | DetectionBranch := "SMB_Executable_Drop"
  | FileName := TargetFileName
  | groupBy([aid, ComputerName, UserName, FileName, TargetFileName, DetectionBranch], function=count(aid, as=EventCount))
)

| sort(EventCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon LogScale (Humio) Falcon sensor base_sensor repository

Required Tables

base_sensor (ProcessRollup2, PeFileWritten)

False Positives

Authorized system administrators using certutil for WSUS certificate validation or PKI tasks that include UNC path arguments
Legitimate IT automation (Ansible, SCCM, PDQ) invoking psexec or robocopy for managed software rollout to internal endpoints
Security teams conducting authorized red team or vulnerability assessment exercises using psexec or scp against internal RFC1918 targets
Windows Installer or trusted update mechanisms using the SYSTEM process to write updated binaries to System32 or ProgramData directories

Last updated: 2026-04-21 Research depth: deep

References (14)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1570 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Lateral Tool Transfer

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Lateral Movement

Popular Detections