Remote File Copy

Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or onto the victim’s device.

ID: T1544
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Command And Control
Platforms: Android, iOS
Version: 1.0
Created: 21 January 2020
Last Modified: 21 January 2020

Procedure Examples

ID Name Description
S0485 Mandrake

Mandrake can install attacker-specified components or applications.[1]

S0407 Monokle

Monokle can download attacker-specified files.[2]

S0418 ViceLeaker

ViceLeaker can download attacker-specified files.[3]

Mitigations

ID Mitigation Description
M1005 Application Vetting

Applications with network connections to unknown domains or IP addresses could be further scrutinized to detect unauthorized file copying. Further, some application vetting services may indicate precisely what content was requested during application execution.

Detection

Downloading remote files is common application behavior and is therefore typically undetectable to the end user.

References