Detect Lateral Tool Transfer in Sumo Logic CSE
Adversaries may transfer tools or other files between systems in a compromised environment. Once initial access is established, tools are staged across multiple hosts to support lateral movement, ransomware deployment, data exfiltration, or persistence. Transfer mechanisms include SMB via Windows Admin Shares (\\host\ADMIN$, \\host\C$), RDP file sharing, and native utilities such as scp, rsync, sftp, ftp, and curl. Living-Off-The-Land Binaries (LOLBins) including certutil, bitsadmin, esentutl, and robocopy are frequently abused to perform transfers while blending with legitimate activity. PsExec is widely used to copy and remotely execute binaries on target hosts. Real-world threat actors including BlackCat ransomware (psexec-based propagation), Netwalker (psexec), INC Ransomware (push to multiple endpoints), Medusa Group (PDQ Deploy for binary distribution), Emotet (network self-replication via service.exe), and Volt Typhoon (web shell replication across servers) have leveraged these techniques to propagate tools during intrusions.
MITRE ATT&CK
- Tactic: Lateral Movement
- Technique: T1570 Lateral Tool Transfer
- Canonical reference: https://attack.mitre.org/techniques/T1570/
Sumo Detection Query
_sourceCategory=windows/sysmon (EventCode=1 OR EventCode=11)
// Extract common fields from the raw Sysmon XML with parse anchors
| parse "<Image><![CDATA[*]]></Image>" as process_image nodrop
| parse "<CommandLine><![CDATA[*]]></CommandLine>" as command_line nodrop
| parse "<ParentImage><![CDATA[*]]></ParentImage>" as parent_image nodrop
| parse "<TargetFilename><![CDATA[*]]></TargetFilename>" as target_filename nodrop
| parse "<User><![CDATA[*]]></User>" as username nodrop
| parse "<Computer>*</Computer>" as hostname nodrop
// Normalize paths to lowercase for matching
| toLowerCase(process_image) as image_lower
| toLowerCase(command_line) as cmdline_lower
| toLowerCase(target_filename) as targetfile_lower
// Branch A: LOLBin transfers (Sumo Logic has no eval; conditions are expressed as if(...) as field)
| if(EventCode="1" AND (image_lower matches "*\certutil.exe") AND (cmdline_lower matches "*urlcache*" OR cmdline_lower matches "*-f*" OR cmdline_lower matches "*\\\\*"), 1, 0) as IsCertutil
| if(EventCode="1" AND (image_lower matches "*\bitsadmin.exe") AND (cmdline_lower matches "*/transfer*" OR cmdline_lower matches "*/addfile*" OR cmdline_lower matches "*/upload*"), 1, 0) as IsBitsadmin
| if(EventCode="1" AND (image_lower matches "*\esentutl.exe") AND (cmdline_lower matches "*/cp*" OR cmdline_lower matches "*/y*") AND cmdline_lower matches "*\\\\*", 1, 0) as IsEsentutl
| if(EventCode="1" AND (image_lower matches "*\robocopy.exe") AND cmdline_lower matches "*\\\\*", 1, 0) as IsRobocopy
// Branch B: Transfer tools targeting UNC paths or RFC1918-looking addresses
| if(EventCode="1" AND (image_lower matches "*psexec.exe" OR image_lower matches "*psexec64.exe" OR image_lower matches "*paexec.exe") AND (cmdline_lower matches "*\\\\*" OR cmdline_lower matches "*10.*" OR cmdline_lower matches "*192.168.*" OR cmdline_lower matches "*172.1*"), 1, 0) as IsPsExec
| if(EventCode="1" AND (image_lower matches "*\scp.exe" OR image_lower matches "*\sftp.exe" OR image_lower matches "*\winscp.exe" OR image_lower matches "*\ftp.exe") AND (cmdline_lower matches "*10.*" OR cmdline_lower matches "*192.168.*" OR cmdline_lower matches "*172.*" OR cmdline_lower matches "*\\\\*"), 1, 0) as IsScpSftp
// Branch C: SMB executable drops (file written by the System process into a staging directory)
| if(EventCode="11" AND (targetfile_lower matches "*.exe" OR targetfile_lower matches "*.dll" OR targetfile_lower matches "*.ps1" OR targetfile_lower matches "*.bat" OR targetfile_lower matches "*.cmd" OR targetfile_lower matches "*.vbs" OR targetfile_lower matches "*.msi") AND (targetfile_lower matches "*\windows\temp\*" OR targetfile_lower matches "*\programdata\*" OR targetfile_lower matches "*\users\public\*" OR targetfile_lower matches "*\windows\system32\*") AND (image_lower = "system" OR image_lower matches "*\system"), 1, 0) as IsSMBDrop
| where IsCertutil=1 OR IsBitsadmin=1 OR IsEsentutl=1 OR IsRobocopy=1 OR IsPsExec=1 OR IsScpSftp=1 OR IsSMBDrop=1
// Label each hit; the first matching branch wins, SMB drop taking priority
| if(IsSMBDrop=1, "SMB_Executable_Drop", if(IsCertutil=1, "Certutil_Transfer", if(IsBitsadmin=1, "BITSAdmin_Transfer", if(IsEsentutl=1, "Esentutl_Transfer", if(IsRobocopy=1, "Robocopy_Transfer", if(IsPsExec=1, "PsExec_Copy", if(IsScpSftp=1, "SCP_SFTP_Transfer", "Unknown"))))))) as detection_method
| fields _messageTime, hostname, username, process_image, command_line, target_filename, parent_image, detection_method
| sort by _messageTime desc

Sumo Logic CSE query targeting Sysmon EventCode 1 (process create) and EventCode 11 (file create) to identify lateral tool transfer activity. It covers LOLBin abuse (certutil urlcache, bitsadmin /transfer, esentutl /cp, robocopy to UNC paths), transfer tool execution (psexec/paexec/scp/sftp/winscp targeting internal RFC1918 space), and SMB-triggered executable drops by the System process into high-risk directories. Note that the address patterns are plain wildcard string matches rather than CIDR checks: "*10.*" also matches version strings such as "10.0", and "*172.1*" is broader than the 172.16.0.0/12 range.
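To sanity-check the branch logic and its priority order before deploying the query, the following Python re-implements the seven branches over constructed Sysmon-style records. This is an added example, not code from the original page or from Sumo Logic; the event dicts and their keys (Computer, EventCode, Image, CommandLine, TargetFilename) are assumptions standing in for the fields the query parses.

```python
DROP_DIRS = ("\\windows\\temp\\", "\\programdata\\", "\\users\\public\\", "\\windows\\system32\\")
DROP_EXTS = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".msi")
# The query's "internal host" hints are substring matches, not CIDR tests:
# "10." also matches version strings such as "10.0", and "172.1" is wider than 172.16/12.
PSEXEC_HINTS = ("\\\\", "10.", "192.168.", "172.1")
SCP_HINTS = ("10.", "192.168.", "172.", "\\\\")

def classify(ev):
    """Return the detection_method label the query assigns, or None; branch order mirrors the nested if()."""
    code = ev.get("EventCode")
    img = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    tgt = ev.get("TargetFilename", "").lower()
    unc = "\\\\" in cmd                      # equivalent of matches "*\\\\*"
    if code == 11:                           # Branch C: file written by the SMB server (System)
        if (tgt.endswith(DROP_EXTS) and any(d in tgt for d in DROP_DIRS)
                and (img == "system" or img.endswith("\\system"))):
            return "SMB_Executable_Drop"
        return None
    if code != 1:
        return None
    if img.endswith("\\certutil.exe") and ("urlcache" in cmd or "-f" in cmd or unc):
        return "Certutil_Transfer"
    if img.endswith("\\bitsadmin.exe") and any(k in cmd for k in ("/transfer", "/addfile", "/upload")):
        return "BITSAdmin_Transfer"
    if img.endswith("\\esentutl.exe") and ("/cp" in cmd or "/y" in cmd) and unc:
        return "Esentutl_Transfer"
    if img.endswith("\\robocopy.exe") and unc:
        return "Robocopy_Transfer"
    if img.endswith(("psexec.exe", "psexec64.exe", "paexec.exe")) and any(h in cmd for h in PSEXEC_HINTS):
        return "PsExec_Copy"
    if img.endswith(("\\scp.exe", "\\sftp.exe", "\\winscp.exe", "\\ftp.exe")) and any(h in cmd for h in SCP_HINTS):
        return "SCP_SFTP_Transfer"
    return None

# Constructed sample events (not real telemetry): one hit per branch plus a benign control.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "EventCode": 1, "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://127.0.0.1:8080/t.exe C:\\Windows\\Temp\\t.exe"},
    {"Computer": "ws01", "EventCode": 1, "Image": "C:\\Windows\\System32\\bitsadmin.exe",
     "CommandLine": "bitsadmin /transfer LateralMoveJob /download \\\\127.0.0.1\\C$\\t.exe C:\\Windows\\Temp\\t.exe"},
    {"Computer": "srv02", "EventCode": 11, "Image": "System",
     "TargetFilename": "C:\\Windows\\Temp\\lateral_calc_test.exe"},
    {"Computer": "ws01", "EventCode": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\a\\notes.txt"},
]

def run(events=SAMPLE_EVENTS):
    """Return (Computer, detection_method) for every event on which some branch fires."""
    return [(e["Computer"], m) for e in events if (m := classify(e))]
```

Feeding your own tuned patterns through `classify` is a quick way to confirm a False Positives exclusion does not also suppress one of the Atomic Red Team cases below.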
False Positives & Tuning
- Legitimate use of robocopy by IT teams for bulk file migrations between servers using UNC administrative shares
- Software deployment pipelines that invoke certutil -urlcache to pre-stage installers in Windows\Temp prior to execution
- Authorized remote management via psexec by helpdesk or operations teams connecting to RFC1918 hosts for troubleshooting
- Antivirus or EDR product updates writing signed executables to System32 or ProgramData via SYSTEM context
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Copy Executable to Remote ADMIN$ Share via SMB
Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing '\\127.0.0.1\ADMIN$'. Sysmon Event ID 11 on the destination (localhost): FileCreated event for lateral_calc_test.exe in C:\Windows\Temp\ with Image=System (PID 4) — this is the SMB server process creating the file. Windows Security Event ID 5145 if object access auditing enabled: network share access to ADMIN$ from localhost.
- Test 2: LOLBin Transfer via Certutil URL Cache to UNC Path Staging
Expected signal: Sysmon Event ID 1: certutil.exe with CommandLine containing '-urlcache', '-split', '-f', and the destination path. Sysmon Event ID 3: outbound network connection to 127.0.0.1:8080 (connection refused, but the attempt is logged). Windows Security Event ID 4688 if process command line auditing is enabled.
- Test 3: BITSAdmin SMB File Transfer Between Internal Hosts
Expected signal: Sysmon Event ID 1: bitsadmin.exe with CommandLine containing '/transfer', 'LateralMoveJob', '/download', and the UNC source path '\\127.0.0.1\C$'. Sysmon Event ID 11: FileCreated for bits_lateral_test.exe in C:\Windows\Temp\. Sysmon Event ID 3: SMB connection to 127.0.0.1:445 from bitsadmin process. BITS Event ID 59 in Microsoft-Windows-Bits-Client/Operational log: job transfer started.
- Test 4: Esentutl File Copy to Remote Share
Expected signal: Sysmon Event ID 1: esentutl.exe with CommandLine containing '/cp' and the source/destination paths. Sysmon Event ID 11: FileCreated for esentutl_lateral_test.exe in C:\Windows\Temp\, with Image=esentutl.exe as the initiating process. Windows Security Event ID 4688 if process auditing enabled.
- Test 5: SCP Lateral File Transfer to Internal Host
Expected signal: Linux auditd EXECVE record: scp with arguments including the destination IP 192.168.1.100. Syslog entry from the SSH client showing connection attempt. On macOS: unified log entry from com.openssh.sshd. If Sysmon for Linux is deployed: ProcessCreate event for scp with CommandLine containing the internal IP.
References (14)
- https://attack.mitre.org/techniques/T1570/
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
- https://lolbas-project.github.io/lolbas/Binaries/Esentutl/
- https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
- https://news.sophos.com/en-us/2020/05/27/netwalker-fileless-ransomware-injected-via-reflective-loading/
- https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
- https://www.secureworks.com/research/bronze-silhouette-activity-and-threat-intelligence
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-transfer
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.huntress.com/blog/analyzing-inc-ransom
- https://symantec-enterprise-blogs.security.com/threat-intelligence/medusa-ransomware