title: Lateral Tool Transfer (T1570)
id: df00tech-t1570
status: experimental
description: "Adversaries may transfer tools or other files between systems in a compromised environment. Once initial access is established, tools are staged across multiple hosts to support lateral movement, ransomware deployment, data exfiltration, or persistence. Transfer mechanisms include SMB via Windows Admin Shares (\\\\host\\ADMIN$, \\\\host\\C$), RDP file sharing, and native utilities such as scp, rsync, sftp, ftp, and curl. Living-Off-The-Land Binaries (LOLBins) including certutil, bitsadmin, esentutl, and robocopy are frequently abused to perform transfers while blending with legitimate activity. PsExec is widely used to copy and remotely execute binaries on target hosts. Real-world threat actors including BlackCat ransomware (psexec-based propagation), Netwalker (psexec), INC Ransomware (push to multiple endpoints), Medusa Group (PDQ Deploy for binary distribution), Emotet (network self-replication via service.exe), and Volt Typhoon (web shell replication across servers) have leveraged these techniques to propagate tools during intrusions."
references:
  - https://attack.mitre.org/techniques/T1570/
  - https://df00tech.com/detections/T1570
author: df00tech
date: 2026/04/21
tags:
  - attack.t1570
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "SCCM/Microsoft Endpoint Configuration Manager pushes software to endpoints via SMB, causing the System process to create executables in ProgramData and Windows directories — generates Branch C alerts"
  - "IT automation tools (Ansible WinRM, Chef, Puppet, PDQ Deploy) legitimately use robocopy, bitsadmin, and psexec for software distribution across managed hosts"
  - "Backup agents (Veeam, Acronis, Commvault) use certutil and bitsadmin for scheduled transfer tasks, and robocopy for file replication jobs"
  - Developer workflows using scp or sftp to deploy artifacts to internal build/staging servers from workstations
  - Security and vulnerability scanning tools that copy lightweight agents to remote hosts for assessment purposes
level: high