Which SIEM platforms have a T1570 detection rule?

df00tech provides T1570 (Lateral Tool Transfer) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1570 detection?

The T1570 detection is rated high severity with high confidence.

What are common false positives for T1570?

Common false positives for T1570 include: SCCM/Microsoft Endpoint Configuration Manager pushes software to endpoints via SMB, causing the System process to create executables in ProgramData and Windows directories — generates Branch C alerts; IT automation tools (Ansible WinRM, Chef, Puppet, PDQ Deploy) legitimately use robocopy, bitsadmin, and psexec for software distribution across managed hosts; Backup agents (Veeam, Acronis, Commvault) use certutil and bitsadmin for scheduled transfer tasks, and robocopy for file replication jobs.

T1570

Lateral Tool Transfer

Q: What data sources are required to detect Lateral Tool Transfer (T1570)?

Detecting Lateral Tool Transfer requires the following data sources: File: File Creation, Network Share: Network Share Access, Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

Lateral Movement Last updated: April 21, 2026

Adversaries may transfer tools or other files between systems in a compromised environment. Once initial access is established, tools are staged across multiple hosts to support lateral movement, ransomware deployment, data exfiltration, or persistence. Transfer mechanisms include SMB via Windows Admin Shares (\\host\ADMIN$, \\host\C$), RDP file sharing, and native utilities such as scp, rsync, sftp, ftp, and curl. Living-Off-The-Land Binaries (LOLBins) including certutil, bitsadmin, esentutl, and robocopy are frequently abused to perform transfers while blending with legitimate activity. PsExec is widely used to copy and remotely execute binaries on target hosts. Real-world threat actors including BlackCat ransomware (psexec-based propagation), Netwalker (psexec), INC Ransomware (push to multiple endpoints), Medusa Group (PDQ Deploy for binary distribution), Emotet (network self-replication via service.exe), and Volt Typhoon (web shell replication across servers) have leveraged these techniques to propagate tools during intrusions.

What is T1570 Lateral Tool Transfer?

Lateral Tool Transfer (T1570) maps to the Lateral Movement tactic — the adversary is trying to move through your environment in MITRE ATT&CK.

This page provides production-ready detection logic for Lateral Tool Transfer, covering the data sources and telemetry it touches: File: File Creation, Network Share: Network Share Access, Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated high severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Lateral Movement
Technique: T1570 Lateral Tool Transfer
Canonical reference: https://attack.mitre.org/techniques/T1570/

Microsoft Sentinel / Defender

kusto

let ExecutableExtensions = dynamic([".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".hta", ".js", ".msi", ".scr", ".cpl"]);
let LOLBins = dynamic(["certutil.exe", "bitsadmin.exe", "esentutl.exe", "robocopy.exe", "expand.exe", "makecab.exe"]);
let TransferTools = dynamic(["psexec.exe", "psexec64.exe", "paexec.exe", "scp.exe", "sftp.exe", "ftp.exe", "winscp.exe"]);
let SensitiveDirs = dynamic(["\\Windows\\Temp\\", "\\Windows\\System32\\", "\\Windows\\SysWOW64\\", "\\ProgramData\\", "\\Users\\Public\\"]);
// Branch A: LOLBins executing lateral file transfers
let LOLBinTransfers = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (LOLBins)
| where ProcessCommandLine has @"\\\\"
    or (FileName =~ "certutil.exe" and ProcessCommandLine has_any ("urlcache", "-f", "-split"))
    or (FileName =~ "bitsadmin.exe" and ProcessCommandLine has_any ("/transfer", "/addfile", "/upload"))
    or (FileName =~ "esentutl.exe" and ProcessCommandLine has_any ("/cp", "/y"))
    or (FileName =~ "robocopy.exe" and ProcessCommandLine matches regex @"\\\\[A-Za-z0-9\-\.]+\\")
| extend IsCertutil = FileName =~ "certutil.exe"
| extend IsBitsadmin = FileName =~ "bitsadmin.exe"
| extend IsEsentutl = FileName =~ "esentutl.exe"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsCertutil, IsBitsadmin, IsEsentutl, DetectionBranch="LOLBin_Transfer";
// Branch B: Transfer tools referencing internal hosts or UNC paths
let ToolTransfers = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (TransferTools)
| where ProcessCommandLine has @"\\\\"
    or ProcessCommandLine matches regex @"(?:^|[\s\t@:])(?:10\.|172\.(?:1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch="Transfer_Tool";
// Branch C: Executables dropped via SMB (System process writing executables to sensitive directories)
let SMBExecutableDrops = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName has_any (ExecutableExtensions)
| where FolderPath has_any (SensitiveDirs)
| where InitiatingProcessFileName =~ "System"
| project Timestamp, DeviceName,
         AccountName=InitiatingProcessAccountName,
         FileName, FolderPath, SHA256,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch="SMB_Executable_Drop";
// Union all branches
LOLBinTransfers
| union ToolTransfers
| union SMBExecutableDrops
| sort by Timestamp desc

Detects lateral tool transfer via three complementary branches using Microsoft Defender for Endpoint telemetry. Branch A identifies LOLBins (certutil, bitsadmin, esentutl, robocopy) executing file transfers with UNC paths or known transfer-specific flags. Branch B identifies dedicated transfer tools (psexec, scp, sftp, ftp, winscp) referencing internal IP ranges or UNC paths. Branch C detects executables written to sensitive directories via the Windows System process, the telemetry signature of an SMB file write from a remote host. Together these branches cover the primary T1570 transfer mechanisms without requiring a single monolithic query.

high severity high confidence

Data Sources

File: File Creation Network Share: Network Share Access Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

SCCM/Microsoft Endpoint Configuration Manager pushes software to endpoints via SMB, causing the System process to create executables in ProgramData and Windows directories — generates Branch C alerts
IT automation tools (Ansible WinRM, Chef, Puppet, PDQ Deploy) legitimately use robocopy, bitsadmin, and psexec for software distribution across managed hosts
Backup agents (Veeam, Acronis, Commvault) use certutil and bitsadmin for scheduled transfer tasks, and robocopy for file replication jobs
Developer workflows using scp or sftp to deploy artifacts to internal build/staging servers from workstations
Security and vulnerability scanning tools that copy lightweight agents to remote hosts for assessment purposes

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=11)
| eval IsCertutil=if(EventCode=1 AND match(lower(Image), "\\certutil\.exe$") AND (match(CommandLine, "(?i)(urlcache|/transfer|/cp)") OR match(CommandLine, "\\\\\\\\")), 1, 0)
| eval IsBitsadmin=if(EventCode=1 AND match(lower(Image), "\\bitsadmin\.exe$") AND match(lower(CommandLine), "(/transfer|/addfile|/upload)"), 1, 0)
| eval IsEsentutl=if(EventCode=1 AND match(lower(Image), "\\esentutl\.exe$") AND match(lower(CommandLine), "(/cp|/y)") AND match(CommandLine, "\\\\\\\\"), 1, 0)
| eval IsRobocopy=if(EventCode=1 AND match(lower(Image), "\\robocopy\.exe$") AND match(CommandLine, "\\\\\\\\"), 1, 0)
| eval IsPsExec=if(EventCode=1 AND match(lower(Image), "\\(psexec|psexec64|paexec)\.exe$") AND (match(CommandLine, "\\\\\\\\") OR match(CommandLine, "(?:10\\.|172\\.1[6-9]\\.|172\\.2[0-9]\\.|172\\.3[01]\\.|192\\.168\\.)")), 1, 0)
| eval IsScpSftp=if(EventCode=1 AND match(lower(Image), "\\(scp|sftp|winscp|ftp)\.exe$") AND (match(CommandLine, "\\\\\\\\") OR match(CommandLine, "(?:10\\.|172\\.1[6-9]\\.|172\\.2[0-9]\\.|172\\.3[01]\\.|192\\.168\\.)")), 1, 0)
| eval IsSMBDrop=if(EventCode=11 AND match(lower(TargetFilename), "\.(exe|dll|ps1|bat|cmd|vbs|hta|msi|scr)$") AND match(TargetFilename, "(?i)\\(Windows\\Temp|Windows\\System32|Windows\\SysWOW64|ProgramData|Users\\Public)\\") AND (Image="System" OR match(Image, "\\\\System$")), 1, 0)
| where IsCertutil=1 OR IsBitsadmin=1 OR IsEsentutl=1 OR IsRobocopy=1 OR IsPsExec=1 OR IsScpSftp=1 OR IsSMBDrop=1
| eval DetectionMethod=case(IsSMBDrop=1, "SMB_Executable_Drop", IsCertutil=1, "Certutil_Transfer", IsBitsadmin=1, "BITSAdmin_Transfer", IsEsentutl=1, "Esentutl_Transfer", IsRobocopy=1, "Robocopy_Transfer", IsPsExec=1, "PsExec_Copy", IsScpSftp=1, "SCP_SFTP_Transfer", true(), "Unknown")
| eval TargetFile=coalesce(TargetFilename, Image)
| eval CmdLine=coalesce(CommandLine, "N/A")
| table _time, host, User, Image, CmdLine, TargetFile, DetectionMethod, ParentImage, ParentCommandLine
| sort - _time

Detects lateral tool transfer using Sysmon Event ID 1 (Process Create) and Event ID 11 (File Create). Seven detection branches cover certutil/bitsadmin/esentutl/robocopy LOLBin transfers, psexec/scp/sftp tool-based transfers, and executables written to sensitive staging directories via the System process (SMB remote write signature). Each event is classified into a DetectionMethod field to guide analyst triage. The eval chain allows OR-based detection across branches without duplicating events.

high severity high confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

SCCM/Microsoft Endpoint Configuration Manager pushes software to endpoints via SMB, causing the System process to create executables in ProgramData and Windows directories
IT automation tools (Ansible WinRM, Chef, Puppet, PDQ Deploy) legitimately use robocopy, bitsadmin, and psexec for software distribution across managed hosts
Backup agents (Veeam, Acronis, Commvault) use certutil and bitsadmin for scheduled transfer tasks and robocopy for file replication
Developer workflows using scp or sftp to deploy build artifacts to internal staging or build servers
Security tools (Tenable, Qualys, CrowdStrike) that copy assessment agents to remote hosts during scanning operations

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where (
    /* Branch A: LOLBin lateral transfers */
    (
      event.category == "process" and event.type == "start" and
      process.name in~ ("certutil.exe", "bitsadmin.exe", "esentutl.exe", "robocopy.exe", "expand.exe", "makecab.exe") and
      (
        process.command_line like~ "*\\\\*" or
        (process.name == "certutil.exe" and (process.command_line like~ "*urlcache*" or process.command_line like~ "*-f*" or process.command_line like~ "*-split*")) or
        (process.name == "bitsadmin.exe" and (process.command_line like~ "*/transfer*" or process.command_line like~ "*/addfile*" or process.command_line like~ "*/upload*")) or
        (process.name == "esentutl.exe" and (process.command_line like~ "*/cp*" or process.command_line like~ "*/y*")) or
        (process.name == "robocopy.exe" and process.command_line like~ "*\\\\*")
      )
    ) or
    /* Branch B: Transfer tools referencing internal hosts */
    (
      event.category == "process" and event.type == "start" and
      process.name in~ ("psexec.exe", "psexec64.exe", "paexec.exe", "scp.exe", "sftp.exe", "ftp.exe", "winscp.exe") and
      (
        process.command_line like~ "*\\\\*" or
        process.command_line : ("*10.*", "*172.1[6-9].*", "*172.2*", "*172.3[01].*", "*192.168.*")
      )
    ) or
    /* Branch C: Executables dropped via SMB by System process */
    (
      event.category == "file" and event.type == "creation" and
      process.name == "System" and
      file.extension in~ ("exe", "dll", "ps1", "bat", "cmd", "vbs", "hta", "js", "msi", "scr", "cpl") and
      file.path like~ ("*\\Windows\\Temp\\*", "*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*")
    )
  )
]

Detects lateral tool transfer via three branches: LOLBins (certutil, bitsadmin, esentutl, robocopy) executing with UNC paths or transfer-specific flags; known transfer tools (psexec, scp, sftp, winscp) referencing internal RFC1918 addresses or UNC paths; and executables dropped to sensitive directories by the System process (indicating SMB-based file drop). Covers BlackCat, Netwalker, Emotet, and Volt Typhoon TTPs.

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-system.security-*

False Positives

System administrators using robocopy or psexec for legitimate software deployment to remote hosts via UNC paths
Backup and file sync agents (e.g., Veeam, Acronis) running as SYSTEM and writing executables to ProgramData or Temp directories
IT automation tools (SCCM, PDQ Deploy, Ansible) using certutil or bitsadmin for software distribution across endpoints
Security scanning products using psexec or similar tools for remote assessment tasks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Computer" AS hostname,
  QIDNAME(qid) AS event_name,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "TargetFilename" AS target_file,
  CASE
    WHEN LOWER("Image") LIKE '%\certutil.exe' AND ("CommandLine" LIKE '%urlcache%' OR "CommandLine" LIKE '%/transfer%' OR "CommandLine" LIKE '%-f%') THEN 'Certutil_Transfer'
    WHEN LOWER("Image") LIKE '%\bitsadmin.exe' AND (LOWER("CommandLine") LIKE '%/transfer%' OR LOWER("CommandLine") LIKE '%/addfile%' OR LOWER("CommandLine") LIKE '%/upload%') THEN 'BITSAdmin_Transfer'
    WHEN LOWER("Image") LIKE '%\esentutl.exe' AND (LOWER("CommandLine") LIKE '%/cp%' OR LOWER("CommandLine") LIKE '%/y%') AND "CommandLine" LIKE '%\\\\%' THEN 'Esentutl_Transfer'
    WHEN LOWER("Image") LIKE '%\robocopy.exe' AND "CommandLine" LIKE '%\\\\%' THEN 'Robocopy_Transfer'
    WHEN (LOWER("Image") LIKE '%\psexec.exe' OR LOWER("Image") LIKE '%\psexec64.exe' OR LOWER("Image") LIKE '%\paexec.exe') AND ("CommandLine" LIKE '%\\\\%' OR "CommandLine" LIKE '%10.%' OR "CommandLine" LIKE '%192.168.%' OR "CommandLine" LIKE '%172.%') THEN 'PsExec_Copy'
    WHEN (LOWER("Image") LIKE '%\scp.exe' OR LOWER("Image") LIKE '%\sftp.exe' OR LOWER("Image") LIKE '%\winscp.exe' OR LOWER("Image") LIKE '%\ftp.exe') AND ("CommandLine" LIKE '%10.%' OR "CommandLine" LIKE '%192.168.%' OR "CommandLine" LIKE '%172.%' OR "CommandLine" LIKE '%\\\\%') THEN 'SCP_SFTP_Transfer'
    WHEN "EventCode" = '11' AND (LOWER("TargetFilename") LIKE '%.exe' OR LOWER("TargetFilename") LIKE '%.dll' OR LOWER("TargetFilename") LIKE '%.ps1' OR LOWER("TargetFilename") LIKE '%.bat' OR LOWER("TargetFilename") LIKE '%.cmd' OR LOWER("TargetFilename") LIKE '%.vbs' OR LOWER("TargetFilename") LIKE '%.msi') AND ("TargetFilename" LIKE '%\Windows\Temp\%' OR "TargetFilename" LIKE '%\ProgramData\%' OR "TargetFilename" LIKE '%\Users\Public\%') AND (LOWER("Image") = 'system' OR LOWER("Image") LIKE '%\system') THEN 'SMB_Executable_Drop'
    ELSE 'Unknown'
  END AS detection_method
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND starttime > NOW() - 24 HOURS
  AND (
    (
      "EventCode" IN ('1') AND
      (
        (LOWER("Image") LIKE '%\certutil.exe' AND ("CommandLine" LIKE '%urlcache%' OR "CommandLine" LIKE '%\\\\%'))
        OR (LOWER("Image") LIKE '%\bitsadmin.exe' AND (LOWER("CommandLine") LIKE '%/transfer%' OR LOWER("CommandLine") LIKE '%/addfile%'))
        OR (LOWER("Image") LIKE '%\esentutl.exe' AND LOWER("CommandLine") LIKE '%/cp%' AND "CommandLine" LIKE '%\\\\%')
        OR (LOWER("Image") LIKE '%\robocopy.exe' AND "CommandLine" LIKE '%\\\\%')
        OR ((LOWER("Image") LIKE '%\psexec.exe' OR LOWER("Image") LIKE '%\paexec.exe') AND ("CommandLine" LIKE '%\\\\%' OR "CommandLine" LIKE '%10.%' OR "CommandLine" LIKE '%192.168.%'))
        OR ((LOWER("Image") LIKE '%\scp.exe' OR LOWER("Image") LIKE '%\sftp.exe' OR LOWER("Image") LIKE '%\winscp.exe') AND ("CommandLine" LIKE '%10.%' OR "CommandLine" LIKE '%192.168.%'))
      )
    )
    OR (
      "EventCode" = '11' AND
      (LOWER("TargetFilename") LIKE '%.exe' OR LOWER("TargetFilename") LIKE '%.dll' OR LOWER("TargetFilename") LIKE '%.ps1' OR LOWER("TargetFilename") LIKE '%.bat' OR LOWER("TargetFilename") LIKE '%.vbs' OR LOWER("TargetFilename") LIKE '%.msi') AND
      ("TargetFilename" LIKE '%\Windows\Temp\%' OR "TargetFilename" LIKE '%\ProgramData\%' OR "TargetFilename" LIKE '%\Users\Public\%' OR "TargetFilename" LIKE '%\Windows\System32\%') AND
      (LOWER("Image") = 'system' OR LOWER("Image") LIKE '%\system')
    )
  )
ORDER BY starttime DESC

AQL query against Sysmon EventCode 1 (process creation) and EventCode 11 (file creation) events to detect lateral tool transfer via LOLBin abuse (certutil, bitsadmin, esentutl, robocopy with UNC paths or transfer flags), transfer tool execution (psexec, scp, sftp, winscp targeting RFC1918 addresses), and SMB-initiated executable drops to sensitive directories by the System process.

high severity high confidence

Data Sources

Microsoft Windows Security Event Log Microsoft Sysmon via QRadar DSM QRadar SIEM log source

Required Tables

events

False Positives

IT operations teams using certutil with -urlcache for legitimate software staging or certificate management workflows
Enterprise patch management systems (SCCM, Intune) using bitsadmin /transfer for controlled update distribution
Authorized penetration testers using psexec or paexec during scheduled assessments of internal network segments
Backup solutions running as SYSTEM that create executable restore artifacts in ProgramData or Windows\Temp

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon (EventCode=1 OR EventCode=11)
| parse xml field=_raw
// Extract common fields
| parse "<Image><![CDATA[*]]></Image>" as process_image nodrop
| parse "<CommandLine><![CDATA[*]]></CommandLine>" as command_line nodrop
| parse "<ParentImage><![CDATA[*]]></ParentImage>" as parent_image nodrop
| parse "<TargetFilename><![CDATA[*]]></TargetFilename>" as target_filename nodrop
| parse "<User><![CDATA[*]]></User>" as username nodrop
| parse "<Computer>*</Computer>" as hostname nodrop
// Normalize paths to lowercase for matching
| toLowerCase(process_image) as image_lower
| toLowerCase(command_line) as cmdline_lower
| toLowerCase(target_filename) as targetfile_lower
// Branch A: LOLBin transfers
| eval IsCertutil = if(EventCode="1" AND (image_lower matches "*\certutil.exe") AND (cmdline_lower matches "*urlcache*" OR cmdline_lower matches "*-f*" OR cmdline_lower matches "*\\\\*"), 1, 0)
| eval IsBitsadmin = if(EventCode="1" AND (image_lower matches "*\bitsadmin.exe") AND (cmdline_lower matches "*/transfer*" OR cmdline_lower matches "*/addfile*" OR cmdline_lower matches "*/upload*"), 1, 0)
| eval IsEsentutl = if(EventCode="1" AND (image_lower matches "*\esentutl.exe") AND (cmdline_lower matches "*/cp*" OR cmdline_lower matches "*/y*") AND command_line matches "*\\\\*", 1, 0)
| eval IsRobocopy = if(EventCode="1" AND (image_lower matches "*\robocopy.exe") AND command_line matches "*\\\\*", 1, 0)
// Branch B: Transfer tools
| eval IsPsExec = if(EventCode="1" AND (image_lower matches "*psexec.exe" OR image_lower matches "*psexec64.exe" OR image_lower matches "*paexec.exe") AND (command_line matches "*\\\\*" OR command_line matches "*10.*" OR command_line matches "*192.168.*" OR command_line matches "*172.1*"), 1, 0)
| eval IsScpSftp = if(EventCode="1" AND (image_lower matches "*\scp.exe" OR image_lower matches "*\sftp.exe" OR image_lower matches "*\winscp.exe" OR image_lower matches "*\ftp.exe") AND (command_line matches "*10.*" OR command_line matches "*192.168.*" OR command_line matches "*172.*" OR command_line matches "*\\\\*"), 1, 0)
// Branch C: SMB executable drops
| eval IsSMBDrop = if(EventCode="11" AND (targetfile_lower matches "*.exe" OR targetfile_lower matches "*.dll" OR targetfile_lower matches "*.ps1" OR targetfile_lower matches "*.bat" OR targetfile_lower matches "*.cmd" OR targetfile_lower matches "*.vbs" OR targetfile_lower matches "*.msi") AND (targetfile_lower matches "*\windows\temp\*" OR targetfile_lower matches "*\programdata\*" OR targetfile_lower matches "*\users\public\*" OR targetfile_lower matches "*\windows\system32\*") AND (image_lower = "system" OR image_lower matches "*\system"), 1, 0)
| where IsCertutil=1 OR IsBitsadmin=1 OR IsEsentutl=1 OR IsRobocopy=1 OR IsPsExec=1 OR IsScpSftp=1 OR IsSMBDrop=1
| eval detection_method = if(IsSMBDrop=1, "SMB_Executable_Drop", if(IsCertutil=1, "Certutil_Transfer", if(IsBitsadmin=1, "BITSAdmin_Transfer", if(IsEsentutl=1, "Esentutl_Transfer", if(IsRobocopy=1, "Robocopy_Transfer", if(IsPsExec=1, "PsExec_Copy", if(IsScpSftp=1, "SCP_SFTP_Transfer", "Unknown")))))))
| fields _messageTime, hostname, username, process_image, command_line, target_filename, parent_image, detection_method
| sort by _messageTime desc

Sumo Logic CSE query targeting Sysmon EventCode 1 (process create) and EventCode 11 (file create) to identify lateral tool transfer activity. Covers LOLBin abuse (certutil urlcache, bitsadmin /transfer, esentutl /cp, robocopy to UNC paths), transfer tool execution (psexec/paexec/scp/sftp/winscp targeting internal RFC1918 space), and SMB-triggered executable drops by the System process to high-risk directories.

high severity high confidence

Data Sources

Windows Sysmon (EventCode 1 and 11) Sumo Logic Installed Collector with Windows source

Required Tables

_sourceCategory=windows/sysmon

False Positives

Legitimate use of robocopy by IT teams for bulk file migrations between servers using UNC administrative shares
Software deployment pipelines that invoke certutil -urlcache to pre-stage installers in Windows\Temp prior to execution
Authorized remote management via psexec by helpdesk or operations teams connecting to RFC1918 hosts for troubleshooting
Antivirus or EDR product updates writing signed executables to System32 or ProgramData via SYSTEM context

Google Chronicle / SecOps

yaral

rule lateral_tool_transfer_t1570 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects lateral tool transfer via LOLBin abuse, transfer tools targeting internal hosts, and SMB-initiated executable drops. Covers T1570 TTPs used by BlackCat, Netwalker, Emotet, and Volt Typhoon."
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1570"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-21"

  events:
    (
      // Branch A: LOLBin transfers — certutil, bitsadmin, esentutl, robocopy with transfer indicators
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and (
          re.regex($e.principal.process.file.full_path, `(?i)(certutil|bitsadmin|esentutl|robocopy|expand|makecab)\.exe$`)
        )
        and (
          re.regex($e.principal.process.command_line, `(?i)(urlcache|/transfer|/addfile|/upload|/cp\b|\\\\[A-Za-z0-9\-\.]+\\)`) or
          re.regex($e.principal.process.command_line, `\\\\\\\\`)
        )
      )
      or
      // Branch B: Transfer tools referencing internal RFC1918 hosts or UNC paths
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.principal.process.file.full_path, `(?i)(psexec|psexec64|paexec|scp|sftp|winscp|ftp)\.exe$`)
        and (
          re.regex($e.principal.process.command_line, `\\\\\\\\`) or
          re.regex($e.principal.process.command_line, `(?:10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|192\.168\.)`)
        )
      )
      or
      // Branch C: SMB executable drops — System process writing executables to sensitive dirs
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)\.(exe|dll|ps1|bat|cmd|vbs|hta|js|msi|scr|cpl)$`)
        and re.regex($e.target.file.full_path, `(?i)\\(Windows\\Temp|Windows\\System32|Windows\\SysWOW64|ProgramData|Users\\Public)\\`)
        and re.regex($e.principal.process.file.full_path, `(?i)(^|\\)System$`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting lateral tool transfer via three distinct branches: LOLBin abuse (certutil, bitsadmin, esentutl, robocopy) with transfer-indicative command-line patterns or UNC paths; known transfer utilities (psexec, scp, sftp, winscp) invoking internal RFC1918 addresses or UNC shares; and file creation events where the System process drops executable file types into sensitive Windows directories, which is characteristic of SMB-based lateral file staging.

high severity high confidence

Data Sources

Google Chronicle UDM Windows endpoint telemetry ingested into Chronicle Sysmon events forwarded to Chronicle

Required Tables

process_launch UDM events file_creation UDM events

False Positives

Enterprise software distribution tools (PDQ Deploy, SCCM) using psexec or robocopy to push software packages to endpoints across administrative shares
Certutil invoked by PKI administrators for certificate enrollment and cache operations that incidentally match urlcache patterns
IT helpdesk remote support sessions using WinSCP or FTP tools to transfer configuration files to internal servers in RFC1918 space
Legitimate Windows Update mechanisms or trusted installer processes creating system binaries in System32 via SYSTEM context

CrowdStrike LogScale (CQL)

cql

// Branch A: LOLBin lateral transfers
#repo=base_sensor #event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(certutil|bitsadmin|esentutl|robocopy|expand|makecab)\.exe$/
| CommandLine = /(?i)(urlcache|\/transfer|\/addfile|\/upload|\/cp\b|\/y\b|\\\\[a-zA-Z0-9\-\.]+\\)/
| DetectionBranch := "LOLBin_Transfer"
| FileName := ImageFileName
| groupBy([aid, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionBranch], function=count(aid, as=EventCount))

// Branch B: Transfer tools referencing internal hosts
| union (
  #repo=base_sensor #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)(psexec|psexec64|paexec|scp|sftp|winscp|ftp)\.exe$/
  | CommandLine = /(?i)(\\\\[a-zA-Z]|(?:10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|192\.168\.))/
  | DetectionBranch := "Transfer_Tool"
  | FileName := ImageFileName
  | groupBy([aid, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionBranch], function=count(aid, as=EventCount))
)

// Branch C: SMB executable drops via System process
| union (
  #repo=base_sensor #event_simpleName=PeFileWritten
  | TargetFileName = /(?i)\.(exe|dll|ps1|bat|cmd|vbs|hta|js|msi|scr|cpl)$/
  | TargetFileName = /(?i)\\(Windows\\Temp|Windows\\System32|Windows\\SysWOW64|ProgramData|Users\\Public)\\/
  | ImageFileName = /(?i)(^|\\)System\.exe$/
  | DetectionBranch := "SMB_Executable_Drop"
  | FileName := TargetFileName
  | groupBy([aid, ComputerName, UserName, FileName, TargetFileName, DetectionBranch], function=count(aid, as=EventCount))
)

| sort(EventCount, order=desc)

CrowdStrike LogScale (CQL) query across Falcon sensor events detecting lateral tool transfer via: ProcessRollup2 events matching LOLBin executables (certutil, bitsadmin, esentutl, robocopy) with transfer-indicative command-line arguments or UNC path references; ProcessRollup2 events for known transfer tools (psexec, scp, sftp, winscp) targeting RFC1918 addresses or UNC admin shares; and PeFileWritten events where the System process drops PE/script files into sensitive directories, indicating SMB-staged lateral file transfers. Results are grouped by host and aggregated by event count.

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon LogScale (Humio) Falcon sensor base_sensor repository

Required Tables

base_sensor (ProcessRollup2, PeFileWritten)

False Positives

Authorized system administrators using certutil for WSUS certificate validation or PKI tasks that include UNC path arguments
Legitimate IT automation (Ansible, SCCM, PDQ) invoking psexec or robocopy for managed software rollout to internal endpoints
Security teams conducting authorized red team or vulnerability assessment exercises using psexec or scp against internal RFC1918 targets
Windows Installer or trusted update mechanisms using the SYSTEM process to write updated binaries to System32 or ProgramData directories

Sigma rule & cross-platform mapping

The detection logic for Lateral Tool Transfer (T1570) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1570 Sigma rules on detection.fyi

Platform-specific guides for T1570

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-21 Research depth: deep

References (11)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Copy Executable to Remote ADMIN$ Share via SMB
Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing '\\127.0.0.1\ADMIN$'. Sysmon Event ID 11 on the destination (localhost): FileCreated event for lateral_calc_test.exe in C:\Windows\Temp\ with Image=System (PID 4) — this is the SMB server process creating the file. Windows Security Event ID 5145 if object access auditing enabled: network share access to ADMIN$ from localhost.
Test 2LOLBin Transfer via Certutil URL Cache to UNC Path Staging
Expected signal: Sysmon Event ID 1: certutil.exe with CommandLine containing '-urlcache', '-split', '-f', and the destination path. Sysmon Event ID 3: outbound network connection to 127.0.0.1:8080 (connection refused, but the attempt is logged). Windows Security Event ID 4688 if process command line auditing is enabled.
Test 3BITSAdmin SMB File Transfer Between Internal Hosts
Expected signal: Sysmon Event ID 1: bitsadmin.exe with CommandLine containing '/transfer', 'LateralMoveJob', '/download', and the UNC source path '\\127.0.0.1\C$'. Sysmon Event ID 11: FileCreated for bits_lateral_test.exe in C:\Windows\Temp\. Sysmon Event ID 3: SMB connection to 127.0.0.1:445 from bitsadmin process. BITS Event ID 59 in Microsoft-Windows-Bits-Client/Operational log: job transfer started.
Test 4Esentutl File Copy to Remote Share
Expected signal: Sysmon Event ID 1: esentutl.exe with CommandLine containing '/cp' and the source/destination paths. Sysmon Event ID 11: FileCreated for esentutl_lateral_test.exe in C:\Windows\Temp\, with Image=esentutl.exe as the initiating process. Windows Security Event ID 4688 if process auditing enabled.
Test 5SCP Lateral File Transfer to Internal Host
Expected signal: Linux auditd EXECVE record: scp with arguments including the destination IP 192.168.1.100. Syslog entry from the SSH client showing connection attempt. On macOS: unified log entry from com.openssh.sshd. If Sysmon for Linux is deployed: ProcessCreate event for scp with CommandLine containing the internal IP.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1570 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Lateral Tool Transfer

What is T1570 Lateral Tool Transfer?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1570

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Lateral Movement

Popular Detections

What is T1570 Lateral Tool Transfer?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1570

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Lateral Movement

Popular Detections

Get new detections in your inbox