Analytics Story: Ingress Tool Transfer

Date: 2021-03-24 ID: b3782036-8cbd-11eb-9d8e-acde48001122 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.

Why it matters

Ingress tool transfer is a Technique under tactic Command And Control. Behaviors will include the use of living off the land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what is its native behavior. These utilities, when abused, will write files to disk in world writeable paths.\ During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parrallel processes for additional behaviors.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Any Powershell DownloadFile Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer TTP
Any Powershell DownloadString Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer TTP
BITSAdmin Download File BITS Jobs, Ingress Tool Transfer TTP
CertUtil Download With URLCache and Split Arguments Ingress Tool Transfer TTP
CertUtil Download With VerifyCtl and Split Arguments Ingress Tool Transfer TTP
Curl Download and Bash Execution Ingress Tool Transfer TTP
Detect Certify Command Line Arguments Steal or Forge Authentication Certificates, Ingress Tool Transfer TTP
Detect Certipy File Modifications Steal or Forge Authentication Certificates, Archive Collected Data TTP
Linux Curl Upload File Ingress Tool Transfer TTP
Linux Ingress Tool Transfer Hunting Ingress Tool Transfer Hunting
Linux Ingress Tool Transfer with Curl Ingress Tool Transfer Anomaly
Linux Proxy Socks Curl Proxy, Non-Application Layer Protocol TTP
Suspicious Curl Network Connection Ingress Tool Transfer TTP
Wget Download and Bash Execution Ingress Tool Transfer TTP
Windows Curl Download to Suspicious Path Ingress Tool Transfer TTP
Windows Curl Upload to Remote Destination Ingress Tool Transfer TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1