T0867: Lateral Tool Transfer
Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. [1] Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. [1]
In control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.
Analyst context for executives and security teams
Lateral Tool Transfer matters in ICS because moving files between internal systems is often how an intrusion shifts from initial access into operationally important assets. Even when the file copy itself looks like routine administration, it can stage malware or tools on workstations, control servers, application servers, VPN servers, jump hosts, and field I/O paths that support industrial operations.
Executive priority
Treat this as a resilience and evidence question: can the organization prove which file transfers are normal inside the ICS environment, especially across jump hosts, VPN-connected paths, and control/application servers? Historical ATT&CK relationships tie this behavior to major ICS-relevant campaigns and malware, so leadership should prioritize visibility and controlled file-sharing paths without disrupting real-time control or safety communications.
Technical view
SOC, detection engineering, and IR teams should validate monitoring for lateral file movement over inherent file-sharing protocols such as SMB and access to connected network shares. Because the ATT&CK object has no official detection text, no specified tactics, and no technique platforms, local engineering is required: baseline approved administrative transfers, watch for unexpected tool staging between ICS assets, and correlate file-copy evidence with remote execution or new process activity where telemetry exists. Relationship context highlights Workstations, Control Servers, Application Servers, VPN Servers, Jump Hosts, and Field I/O as relevant assets to prioritize.
Likely telemetry
- SMB and other file-sharing protocol traffic within industrial networks
- Network share access logs and file copy events where available
- File creation, modification, and transfer metadata on ICS workstations, servers, jump hosts, and VPN-adjacent systems
- Authentication and session logs tied to share access or lateral administrative movement
- Network IDS/NIPS alerts at ICS network boundaries and segmentation points
Detection direction
- Use DET0745, Detection of Lateral Tool Transfer, as the ATT&CK-linked detection strategy reference, but validate the actual analytic logic locally because no official detection text is supplied.
- Baseline normal engineering and operator file-transfer patterns, then alert on unusual source/destination pairs, new tools staged on critical ICS assets, or transfers through jump hosts and VPN paths inconsistent with approved workflows.
- Tune carefully for legitimate maintenance, patching, diagnostics, and vendor support activity to reduce false positives.
- Do not assume SMB-only coverage; the description references SMB and other file-sharing protocols.
- Correlate transfer activity with subsequent remote execution, service creation, or process starts when those data sources are available.
Mitigation priorities
- Prioritize visibility and control of file-sharing routes between corporate, remote access, and ICS network zones.
- Apply M0931 Network Intrusion Prevention at network boundaries using signatures or rules that are tested not to disrupt real-time control or safety-related communications.
- Restrict and document authorized network shares and administrative transfer paths, especially involving jump hosts, VPN servers, control servers, and application servers.
- Review incident response playbooks for how to identify, contain, and preserve evidence of lateral file staging in ICS environments.
- Use compensating monitoring where endpoint agents are not appropriate for embedded or safety-sensitive assets.
Analyst notes and limits
ATT&CK relationships show this technique used by several ICS-relevant campaigns and software entries, including the 2015 and 2016 Ukraine Electric Power Attacks, the Triton Safety Instrumented System Attack, WannaCry, NotPetya, Stuxnet, Bad Rabbit, and INCONTROLLER. That relationship context supports prioritizing this behavior in industrial environments, but it does not by itself indicate current activity in any specific organization.
The supplied ATT&CK object does not provide official detection guidance, platforms, or tactics. Asset relationships provide useful prioritization context, but coverage decisions require local network architecture, approved maintenance workflows, and available telemetry validation.
Lateral Tool Transfer
Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. [1] Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. [1]
In control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S0603: Stuxnet
Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]
S0368: NotPetya
NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[1][2][3][4]
S1045: INCONTROLLER
INCONTROLLER is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. INCONTROLLER has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed INCONTROLLER was developed by CHERNOVITE.[1][2][3][4][5]
S0366: WannaCry
S0606: Bad Rabbit
Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [1][2][3]
C0025: 2016 Ukraine Electric Power Attack
2016 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used Industroyer malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by Sandworm Team.[1][2]
C0028: 2015 Ukraine Electric Power Attack
2015 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used BlackEnergy (specifically BlackEnergy3) and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.
C0030: Triton Safety Instrumented System Attack
Triton Safety Instrumented System Attack was a campaign employed by TEMP.Veles which leveraged the Triton malware framework against a petrochemical organization.[1] The malware and techniques used within this campaign targeted specific Triconex Safety Controllers within the environment.[2] The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.[3]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | f75dc6a7e4b0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Enterprise ATT&CK
Enterprise ATT&CK Enterprise ATT&CK Lateral Tool Transfer Retrieved. 2019/10/27 Lateral Tool Transfer Retrieved. 2019/10/27
Open source URL -
[2]
mitre-attack T0867Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.