DET0745: Detection of Lateral Tool Transfer
Analyst context for executives and security teams
DET0745 is a detection strategy for finding lateral transfer of tools or files in ICS environments. The business issue is not the file copy alone; it is that adversaries may stage tooling inside the environment to enable later movement or remote execution. For security leaders, this makes file movement between internal systems an important control point for protecting operational continuity and supporting timely incident containment.
Executive priority
Prioritize this as an operational resilience and incident-readiness question: can the organization see unusual internal file transfers that may precede broader compromise in control system environments? Leaders should ask whether SOC and IR teams have evidence of system-to-system file movement, whether file sharing paths are governed, and whether investigations can quickly distinguish authorized engineering or administrative activity from suspicious staging behavior.
Technical view
The supplied ATT&CK object has no official detection text, platforms, or tactics, so teams should anchor validation to the related ICS technique T0867, Lateral Tool Transfer. SOC and detection engineering should test whether monitoring can identify tools or other files being copied laterally between internal systems, including use of inherent file sharing protocols and connected network shares such as SMB where present. IR teams should be prepared to reconstruct source host, destination host, user or service context, filename/path, timestamp, and any follow-on execution evidence, without assuming that every file transfer is malicious.
Likely telemetry
- Internal network flow or protocol telemetry for file sharing activity where collected
- File share, server, or endpoint logs showing file create/write/copy events
- Authentication and access logs tied to file share usage
- Endpoint process and command activity associated with file transfer utilities or administrative tooling
- Asset and network segmentation context for ICS-related hosts and internal shares
Detection direction
- Validate visibility for lateral file movement between internal systems rather than only ingress/egress traffic.
- Baseline expected engineering, administrative, backup, and software distribution transfers to reduce false positives.
- Correlate file transfer events with authentication context, unusual source-destination pairs, new or uncommon filenames, and subsequent remote execution indicators when available.
- Pay attention to blind spots where ICS assets, jump hosts, shared folders, or legacy systems do not produce endpoint logs or are excluded from centralized monitoring.
- Use the relationship to T0867 as scope: this detection strategy is about lateral tool/file staging, not proof of compromise by itself.
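The baselining and correlation steps above, worked as an added example that is not part of the ATT&CK object or of Glexia's page. The event schema, host names (ENG-WS01, HMI-02, PLC-GW01, FILESRV01), share names, user names and timestamps are all constructed for illustration; real SMB audit or Zeek smb_files records and process-creation telemetry would have to be normalised onto this shape first. The logic learns expected (source, destination, share) triples from a reviewed window, then scores each new write by whether it leaves that baseline, targets an administrative share, drops an executable, and is followed by the same file name starting on the destination inside a short window.

```python
"""Correlate lateral file-share writes with follow-on execution on the destination.

Added example, not ATT&CK or Glexia code. All events below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".msi")
ADMIN_SHARES = {"ADMIN$", "C$", "D$"}  # hidden administrative shares, common staging targets


@dataclass(frozen=True)
class ShareWrite:
    ts: datetime
    src_host: str
    dst_host: str
    user: str
    share: str
    path: str  # path relative to the share root, backslash separated


@dataclass(frozen=True)
class ProcessStart:
    ts: datetime
    host: str
    user: str
    image: str  # full image path on the host


def build_baseline(history):
    """Expected (src, dst, share) triples learned from a reviewed, known-good window."""
    return {(w.src_host, w.dst_host, w.share) for w in history}


def correlate(writes, procs, baseline, window=timedelta(minutes=15)):
    """Score each write; findings are returned in the order the writes were seen."""
    findings = []
    for w in writes:
        reasons = []
        if (w.src_host, w.dst_host, w.share) not in baseline:
            reasons.append("unbaselined source/destination/share")
        if w.share in ADMIN_SHARES:
            reasons.append("write to administrative share")
        if w.path.lower().endswith(EXEC_SUFFIXES):
            reasons.append("executable written")
        # Follow-on execution: the written file name starts on the destination within the window.
        name = w.path.rsplit("\\", 1)[-1].lower()
        executed = sorted(
            (p for p in procs
             if p.host == w.dst_host
             and w.ts <= p.ts <= w.ts + window
             and p.image.lower().endswith("\\" + name)),
            key=lambda p: p.ts,
        )
        if executed:
            delay = int((executed[0].ts - w.ts).total_seconds())
            reasons.append(f"executed on {w.dst_host} {delay}s later")
            severity = "high"
        elif len(reasons) >= 2:  # two or more indicators, e.g. unbaselined plus executable
            severity = "medium"
        elif reasons:
            severity = "low"
        else:
            continue  # baselined, non-admin, non-executable: expected traffic
        findings.append({
            "ts": w.ts.isoformat(),
            "src_host": w.src_host,
            "dst_host": w.dst_host,
            "user": w.user,
            "file": f"{w.share}\\{w.path}",
            "severity": severity,
            "reasons": reasons,
        })
    return findings


# Constructed sample telemetry (hypothetical hosts, shares and users).
T0 = datetime(2024, 5, 14, 9, 0)
HISTORY = [ShareWrite(T0 - timedelta(days=d), "ENG-WS01", "HMI-02", "eng.jsmith",
                      "Projects", f"line3\\rev{d}.acd") for d in (1, 2, 3)]
WRITES = [
    ShareWrite(T0, "ENG-WS01", "HMI-02", "eng.jsmith", "Projects", "line3\\pump.acd"),
    ShareWrite(T0 + timedelta(minutes=5), "ENG-WS01", "PLC-GW01", "svc_backup",
               "ADMIN$", "Temp\\svchost_update.exe"),
    ShareWrite(T0 + timedelta(minutes=9), "FILESRV01", "HMI-02", "eng.jsmith",
               "Projects", "tools\\readme.txt"),
]
PROCS = [
    ProcessStart(T0 + timedelta(minutes=7), "PLC-GW01", "svc_backup",
                 "C:\\Windows\\Temp\\svchost_update.exe"),
    ProcessStart(T0 + timedelta(minutes=6), "HMI-02", "eng.jsmith",
                 "C:\\Program Files\\Vendor\\hmi.exe"),
]


def run_demo():
    return correlate(WRITES, PROCS, build_baseline(HISTORY))


if __name__ == "__main__":
    for f in run_demo():
        print(f["severity"], f["src_host"], "->", f["dst_host"], f["file"], f["reasons"])
```

The engineering transfer that matches the baseline produces nothing; the unbaselined write from a file server produces a low-severity finding for review; the executable dropped on ADMIN$ by a service account and started two minutes later on the gateway produces the high-severity finding. The window and baseline are the tuning knobs: widen the baseline with approved backup and software-distribution paths before trusting the low-severity output.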
Mitigation priorities
- Inventory and govern internal file shares and permitted transfer paths that touch ICS-related systems.
- Limit file share access to required users, services, and systems using least privilege.
- Ensure logging is enabled and retained for file transfer, authentication, and endpoint activity needed for investigations.
- Segment and monitor pathways between administrative, enterprise, and control-system environments where applicable.
- Prepare IR playbooks for triaging suspicious internal file transfer, including containment decisions that account for operational safety and continuity.
Analyst notes and limits
This take is based on a detection-strategy object with sparse official fields and one ATT&CK relationship indicating it detects ICS technique T0867, Lateral Tool Transfer. The practical value is in validating whether defenders can observe and investigate internal staging of tools or files, especially where file sharing protocols and network shares are used.
ATT&CK did not provide an official description, detection guidance, tactics, or platforms for DET0745 in the supplied fields. Local architecture, approved administrative workflows, ICS asset logging capability, and network segmentation must be reviewed before setting detection logic or risk priority. No active exploitation, attribution, or guaranteed detection coverage is implied.
Detection of Lateral Tool Transfer
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0867 | Lateral Tool Transfer | This object detects Lateral Tool Transfer. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c8cf5ceefe21… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0745
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.