T1570 Google Chronicle · YARA-L

Detect Lateral Tool Transfer in Google Chronicle

Adversaries may transfer tools or other files between systems in a compromised environment. Once initial access is established, tools are staged across multiple hosts to support lateral movement, ransomware deployment, data exfiltration, or persistence. Transfer mechanisms include SMB via Windows Admin Shares (\\host\ADMIN$, \\host\C$), RDP file sharing, and native utilities such as scp, rsync, sftp, ftp, and curl. Living-Off-The-Land Binaries (LOLBins) including certutil, bitsadmin, esentutl, and robocopy are frequently abused to perform transfers while blending with legitimate activity. PsExec is widely used to copy and remotely execute binaries on target hosts. Real-world threat actors including BlackCat ransomware (psexec-based propagation), Netwalker (psexec), INC Ransomware (push to multiple endpoints), Medusa Group (PDQ Deploy for binary distribution), Emotet (network self-replication via service.exe), and Volt Typhoon (web shell replication across servers) have leveraged these techniques to propagate tools during intrusions.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1570 Lateral Tool Transfer
Canonical reference
https://attack.mitre.org/techniques/T1570/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule lateral_tool_transfer_t1570 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects lateral tool transfer via LOLBin abuse, transfer tools targeting internal hosts, and SMB-initiated executable drops. Covers T1570 TTPs used by BlackCat, Netwalker, Emotet, and Volt Typhoon."
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1570"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-21"

  events:
    (
      // Branch A: LOLBin transfers — certutil, bitsadmin, esentutl, robocopy with transfer indicators
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and (
          re.regex($e.principal.process.file.full_path, `(?i)(certutil|bitsadmin|esentutl|robocopy|expand|makecab)\.exe$`)
        )
        and (
          re.regex($e.principal.process.command_line, `(?i)(urlcache|/transfer|/addfile|/upload|/cp\b|\\\\[A-Za-z0-9\-\.]+\\)`) or
          // UNC prefix: two literal backslashes followed by a host name or IP (a raw backtick
          // regex needs `\\\\` for two backslashes; eight backslashes would only match four)
          re.regex($e.principal.process.command_line, `\\\\[A-Za-z0-9_.-]+`)
        )
      )
      or
      // Branch B: Transfer tools referencing internal RFC1918 hosts or UNC paths
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.principal.process.file.full_path, `(?i)(psexec|psexec64|paexec|scp|sftp|winscp|ftp)\.exe$`)
        and (
          // UNC prefix (\\host or \\ip), same two-backslash form as Branch A
          re.regex($e.principal.process.command_line, `\\\\[A-Za-z0-9_.-]+`) or
          re.regex($e.principal.process.command_line, `(?:10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|192\.168\.)`)
        )
      )
      or
      // Branch C: SMB executable drops — System process writing executables to sensitive dirs
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)\.(exe|dll|ps1|bat|cmd|vbs|hta|js|msi|scr|cpl)$`)
        and re.regex($e.target.file.full_path, `(?i)\\(Windows\\Temp|Windows\\System32|Windows\\SysWOW64|ProgramData|Users\\Public)\\`)
        and re.regex($e.principal.process.file.full_path, `(?i)(^|\\)System$`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting lateral tool transfer via three distinct branches: LOLBin abuse (certutil, bitsadmin, esentutl, robocopy) with transfer-indicative command-line patterns or UNC paths; known transfer utilities (psexec, scp, sftp, winscp) invoking internal RFC1918 addresses or UNC shares; and file creation events where the System process drops executable file types into sensitive Windows directories, which is characteristic of SMB-based lateral file staging.
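To exercise the branch logic before deploying the rule, here is an added Python harness (not part of the published rule) that re-expresses the three branches and runs them over constructed UDM-style events mirroring Tests 1 to 3, a PsExec push, and two benign cases. The regexes are RE2-compatible and run unchanged under Python's re; the field names process_path, command_line and target_path are simplified stand-ins for the UDM paths in the rule, and the UNC alternative is written as two literal backslashes followed by a host.

```python
import re

# Added example: the published rule's three branches re-expressed in Python so the
# regexes can be exercised offline against constructed UDM-style events.
EXE_LOLBIN = re.compile(r"(?i)(certutil|bitsadmin|esentutl|robocopy|expand|makecab)\.exe$")
CMD_TRANSFER = re.compile(r"(?i)(urlcache|/transfer|/addfile|/upload|/cp\b|\\\\[A-Za-z0-9\-\.]+\\)")
UNC_PREFIX = re.compile(r"\\\\[A-Za-z0-9_.-]+")  # two literal backslashes + host or IP
EXE_TRANSFER_TOOL = re.compile(r"(?i)(psexec|psexec64|paexec|scp|sftp|winscp|ftp)\.exe$")
RFC1918 = re.compile(r"(?:10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|192\.168\.)")
DROPPED_EXT = re.compile(r"(?i)\.(exe|dll|ps1|bat|cmd|vbs|hta|js|msi|scr|cpl)$")
SENSITIVE_DIR = re.compile(r"(?i)\\(Windows\\Temp|Windows\\System32|Windows\\SysWOW64|ProgramData|Users\\Public)\\")
SYSTEM_PROC = re.compile(r"(?i)(^|\\)System$")  # SMB server writes show Image=System

def matching_branch(ev):
    """Return 'A', 'B' or 'C' for the first branch the event satisfies, else None."""
    exe, cmd = ev.get("process_path", ""), ev.get("command_line", "")
    if ev["event_type"] == "PROCESS_LAUNCH":
        if EXE_LOLBIN.search(exe) and (CMD_TRANSFER.search(cmd) or UNC_PREFIX.search(cmd)):
            return "A"
        if EXE_TRANSFER_TOOL.search(exe) and (UNC_PREFIX.search(cmd) or RFC1918.search(cmd)):
            return "B"
    elif ev["event_type"] == "FILE_CREATION":
        target = ev.get("target_path", "")
        if DROPPED_EXT.search(target) and SENSITIVE_DIR.search(target) and SYSTEM_PROC.search(exe):
            return "C"
    return None

# Constructed events: the first four mirror Tests 1-3 and a PsExec push; the last two are benign.
SAMPLE_EVENTS = [
    {"name": "certutil_urlcache", "event_type": "PROCESS_LAUNCH", "process_path": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -urlcache -split -f http://127.0.0.1:8080/t.exe \\127.0.0.1\C$\Windows\Temp\t.exe"},
    {"name": "bitsadmin_transfer", "event_type": "PROCESS_LAUNCH", "process_path": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin /transfer LateralMoveJob /download \\127.0.0.1\C$\t.exe C:\Windows\Temp\bits_lateral_test.exe"},
    {"name": "smb_drop", "event_type": "FILE_CREATION", "process_path": "System",  # Test 1, destination side
     "target_path": r"C:\Windows\Temp\lateral_calc_test.exe"},
    {"name": "psexec_internal", "event_type": "PROCESS_LAUNCH", "process_path": r"C:\Tools\PsExec.exe",
     "command_line": r"PsExec.exe \\10.0.0.5 -c C:\Tools\agent.exe"},
    {"name": "robocopy_local", "event_type": "PROCESS_LAUNCH", "process_path": r"C:\Windows\System32\robocopy.exe",
     "command_line": r"robocopy.exe C:\src D:\backup /MIR"},          # local mirror, no UNC or transfer flag
    {"name": "msiexec_system32", "event_type": "FILE_CREATION", "process_path": r"C:\Windows\System32\msiexec.exe",
     "target_path": r"C:\Windows\System32\vendor.dll"},             # sensitive dir, but Image is not System
]

def run_rule(events):
    """Evaluate each event; return {name: branch} for those the rule would fire on."""
    return {ev["name"]: b for ev in events if (b := matching_branch(ev)) is not None}

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))
```

Note that the Test 1 copy via cmd.exe is caught only on the destination side (Branch C), since cmd.exe is not in the Branch A binary list; the two benign events show why the tuning entries for local robocopy and user-mode installers rarely need an explicit exclusion.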

Data Sources

  • Google Chronicle UDM
  • Windows endpoint telemetry ingested into Chronicle
  • Sysmon events forwarded to Chronicle

Required Tables

  • process_launch UDM events
  • file_creation UDM events

False Positives & Tuning

  • Enterprise software distribution tools (PDQ Deploy, SCCM) using psexec or robocopy to push software packages to endpoints across administrative shares
  • Certutil invoked by PKI administrators for certificate enrollment and cache operations that incidentally match urlcache patterns
  • IT helpdesk remote support sessions using WinSCP or FTP tools to transfer configuration files to internal servers in RFC1918 space
  • Legitimate Windows Update mechanisms or trusted installer processes creating system binaries in System32 via SYSTEM context

Testing Methodology

Validate this detection against the 5 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Copy Executable to Remote ADMIN$ Share via SMB

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing '\\127.0.0.1\ADMIN$'. Sysmon Event ID 11 on the destination (localhost): FileCreated event for lateral_calc_test.exe in C:\Windows\Temp\ with Image=System (PID 4) — this is the SMB server process creating the file. Windows Security Event ID 5145 if object access auditing enabled: network share access to ADMIN$ from localhost.

  2. Test 2: LOLBin Transfer via Certutil URL Cache to UNC Path Staging

    Expected signal: Sysmon Event ID 1: certutil.exe with CommandLine containing '-urlcache', '-split', '-f', and the destination path. Sysmon Event ID 3: outbound network connection to 127.0.0.1:8080 (connection refused, but the attempt is logged). Windows Security Event ID 4688 if process command line auditing is enabled.

  3. Test 3: BITSAdmin SMB File Transfer Between Internal Hosts

    Expected signal: Sysmon Event ID 1: bitsadmin.exe with CommandLine containing '/transfer', 'LateralMoveJob', '/download', and the UNC source path '\\127.0.0.1\C$'. Sysmon Event ID 11: FileCreated for bits_lateral_test.exe in C:\Windows\Temp\. Sysmon Event ID 3: SMB connection to 127.0.0.1:445 from bitsadmin process. BITS Event ID 59 in Microsoft-Windows-Bits-Client/Operational log: job transfer started.

  4. Test 4: Esentutl File Copy to Remote Share

    Expected signal: Sysmon Event ID 1: esentutl.exe with CommandLine containing '/cp' and the source/destination paths. Sysmon Event ID 11: FileCreated for esentutl_lateral_test.exe in C:\Windows\Temp\, with Image=esentutl.exe as the initiating process. Windows Security Event ID 4688 if process auditing enabled.

  5. Test 5: SCP Lateral File Transfer to Internal Host

    Expected signal: Linux auditd EXECVE record: scp with arguments including the destination IP 192.168.1.100. Syslog entry from the SSH client showing connection attempt. On macOS: unified log entry from com.openssh.sshd. If Sysmon for Linux is deployed: ProcessCreate event for scp with CommandLine containing the internal IP.
