Transfer pattern

Intent

This pattern re-links an object to update a relationship or to re-position it.

Motivation

There are numerous instances of adversaries changing the relationship between objects, for example by transferring an object from one location to another. Transfer is a particularly common pattern because it captures many forms of movement and re-configuration in both the physical and the logical dimension.

Possible use cases

Use Transfer when:

  • Moving objects from one location to another, physical or logical.
  • Moving container objects to mimic data transfers.
  • Sending or relaying objects to another party without keeping a local copy.
  • Delivering (malicious) objects to a remote party.
  • Fetching an object from another location without leaving a remote copy.
  • Performing true theft, where the objects will not remain in their original location.
  • Swapping an execution object that is invoked by another entity.
  • Changing the target of configuration objects, thereby affecting the flow of execution and system behavior.
  • Changing connections and communication channels of physical devices or networks.
  • Diverting connections, communication channels, and execution flows.
  • Transferring ownership of objects.
  • Re-assigning authentication objects.

Code example

asset Host {
  | transferFile >
    A> dirs.files / ~sendTo.dirs.dir
    R> dirs / ~files

  | moveFile >
    A> dirs / ~dirs.files.dir
    R> dirs / ~files
}

asset Network {}
asset File {}
asset Directory {}

associations {
  Host [hosts] * <-- Placement --> 1 [network] Network
  Host [receiveFrom] * <-- Party --> [sendTo] * Host
  Host [host] * <-- Storage --> * [dirs] Directory
  Directory [dir] 1 <-- Contains --> * [files] File
}
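The MAL snippet above expresses transfer and move as re-linking operations over the Host, Directory and File assets. As an added illustration (this is plain Python, not MAL, and not code from the pattern book), the model below mirrors those assets and the Placement, Party, Storage and Contains associations, and exercises the two attack steps. The function names (transfer_file, move_file, copy_file, files_on, transfer_denied) and the sample hosts and paths are assumptions of this example. It makes the security-relevant point of the pattern concrete: because the Contains association gives a File exactly one Directory, a transfer leaves no local copy by construction, whereas a copy must create a second File object.

```python
# Added example (not part of the pattern book, not MAL): an in-memory model of
# the assets and associations in the MAL snippet, used to exercise the Transfer
# pattern. All names and sample data here are constructed for the example.
from dataclasses import dataclass, field


@dataclass(eq=False)
class Host:
    name: str
    network: str = "net0"                      # Placement: one network per host
    dirs: list = field(default_factory=list)   # Storage: directories on this host
    send_to: set = field(default_factory=set)  # Party: peers this host may send to


@dataclass(eq=False)
class Directory:
    path: str
    host: Host
    files: list = field(default_factory=list)  # Contains: files in this directory

    def __post_init__(self):
        self.host.dirs.append(self)


@dataclass(eq=False)
class File:
    name: str
    dir: Directory  # Contains: a File is in exactly one Directory (multiplicity 1)

    def __post_init__(self):
        self.dir.files.append(self)


def relink(file: File, new_dir: Directory) -> None:
    """Re-link a file: add the new Contains link, then remove the old one.
    Since a File has exactly one dir, no copy can be left behind."""
    old = file.dir
    new_dir.files.append(file)   # add the new association
    old.files.remove(file)       # remove the old association
    file.dir = new_dir


def move_file(host: Host, file: File, dest: Directory) -> None:
    """moveFile: re-position a file between directories of the same host."""
    if file.dir.host is not host or dest.host is not host:
        raise PermissionError("moveFile only re-links within the acting host")
    relink(file, dest)


def transfer_file(host: Host, file: File, dest_host: Host) -> Directory:
    """transferFile: hand a file to a peer host, leaving no local copy."""
    if file.dir.host is not host:
        raise PermissionError(f"{host.name} does not hold {file.name}")
    if dest_host not in host.send_to:
        raise PermissionError(f"no Party link from {host.name} to {dest_host.name}")
    if not dest_host.dirs:
        raise ValueError(f"{dest_host.name} has no directory to receive into")
    relink(file, dest_host.dirs[0])
    return file.dir


def copy_file(file: File, dest: Directory) -> File:
    """Copy, for contrast: a second File object is created, the original stays."""
    return File(file.name, dest)


def transfer_denied(host: Host, file: File, dest_host: Host) -> bool:
    """True if the model rejects the transfer (missing Party link or not held)."""
    try:
        transfer_file(host, file, dest_host)
    except PermissionError:
        return True
    return False


def files_on(host: Host) -> list:
    """Snapshot of (directory, file name) pairs held by a host."""
    return sorted((d.path, f.name) for d in host.dirs for f in d.files)


def demo() -> dict:
    alice, bob, eve = Host("alice"), Host("bob"), Host("eve")
    alice.send_to.add(bob)                       # Party: alice -> bob only
    home, tmp = Directory("/home", alice), Directory("/tmp", alice)
    inbox = Directory("/inbox", bob)
    Directory("/loot", eve)
    secret = File("secret.txt", home)

    snap = {}
    move_file(alice, secret, tmp)                # re-position within alice
    snap["after_move"] = files_on(alice)
    snap["eve_denied"] = transfer_denied(alice, secret, eve)
    transfer_file(alice, secret, bob)            # true transfer: alice keeps nothing
    snap["after_transfer"] = (files_on(alice), files_on(bob))
    copy_file(secret, home)                      # a copy needs a new File object
    snap["after_copy"] = (files_on(alice), files_on(bob))
    return snap


if __name__ == "__main__":
    for step, state in demo().items():
        print(step, state)
```

The contrast in the last two steps is the point of the pattern: after the transfer the source host holds nothing, and the only way a "copy" can exist is to instantiate a second File, which the Contains multiplicity makes explicit. The Party check stands in for the sendTo association in the snippet: a host with no such link cannot be a transfer destination.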

Possible synonyms

• acquire • AITM • backup • bring • create • copy • deliver • distribute • divert • download • drop • exfiltrate • export • forward • hijack • hook • implant • import • inject • insert • install • intercept • load • move • overwrite • place • point • poison • propagate • provide • push • redirect • reflect • relay • remove • replace • replay • request • retarget • retrieve • send • set • specify • spread • setup • steal • store • transfer • transmit • update • upgrade • upload • write

Occurrences

ATT&CK

• Account manipulation • Acquire access • Adversary-in-the-middle • Archive collected data • Automated exfiltration • BITS jobs • Browser session hijacking • Boot or logon autostart execution • Content injection • Create or modify system process • Command and scripting interpreter • Communication through removable media • Compromise infrastructure • Data destruction • Data encrypted for impact • Data from removable drive • Data staged • Data transfer limits • Deploy container • Direct volume access • Disk wipe • Domain policy modification • Email collection • Endpoint denial of service • Escape to host • Event triggered execution • Execution guardrails • Exfiltration over alternative protocol • Exfiltration over C2 channel • Exfiltration over other network medium • Exfiltration over physical medium • Exfiltration over web service • Exploitation for client execution • Exploitation for credential access • Exploitation for privilege escalation • Financial theft • Forced authentication • Hide artifacts • Hijack execution flow • Impair defenses • Implant internal image • Ingress tool transfer • Input capture • Internal spearphishing • Inter-process communication • Lateral tool transfer • Log enumeration • Masquerading • Modify authentication process • Modify cloud compute infrastructure • Modify system image • Multi-factor authentication request generation • Multi-stage channel • Network denial of service • Network sniffing • Obfuscated files or information • Office application startup • Phishing • Phishing for information • Pre-OS boot • Process injection • Remote service session hijacking • Replication through removable media • Rootkit • Scheduled transfer • Server software component • Serverless execution • Stage capabilities • Steal application access token • Subvert trust controls • Supply chain compromise • Taint shared content • Transfer data to cloud account • Unsecured credentials • Use alternate authentication material • User execution • Video capture • Virtualization/sandbox evasion