T1105 Ingress Tool Transfer Mappings

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-4 | Information Flow Enforcement | Protects | T1105 | Ingress Tool Transfer | |
| CA-7 | Continuous Monitoring | Protects | T1105 | Ingress Tool Transfer | |
| CM-2 | Baseline Configuration | Protects | T1105 | Ingress Tool Transfer | |
| CM-6 | Configuration Settings | Protects | T1105 | Ingress Tool Transfer | |
| CM-7 | Least Functionality | Protects | T1105 | Ingress Tool Transfer | |
| SC-7 | Boundary Protection | Protects | T1105 | Ingress Tool Transfer | |
| SI-3 | Malicious Code Protection | Protects | T1105 | Ingress Tool Transfer | |
| SI-4 | System Monitoring | Protects | T1105 | Ingress Tool Transfer | |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1105 | Ingress Tool Transfer | This control may detect usage of malware droppers and creation of suspicious files on the host machine. The following alerts may be generated: "Detected possible execution of malware dropper", "Detected suspicious file creation". |
| azure_defender_for_storage | Azure Defender for Storage | technique_scores | T1105 | Ingress Tool Transfer | This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware. |
| azure_defender_for_storage | Azure Defender for Storage | technique_scores | T1105 | Ingress Tool Transfer | "When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file." This delete response capability leads to a Response type of Eradication, although it is specific to the Azure Blob, Azure Files and Azure Data Lake Storage storage types, resulting in an overall score of Partial. |
| azure_sentinel | Azure Sentinel | technique_scores | T1105 | Ingress Tool Transfer | The Azure Sentinel Hunting "Crypto currency miners EXECVE" query can detect cryptocurrency mining software downloads through EXECVE. The following Azure Sentinel Analytics queries can identify potentially malicious tool transfer: "Linked Malicious Storage Artifacts" may identify potential adversary tool downloads that are missed by anti-malware. "Powershell Empire cmdlets seen in command line" detects downloads via Empire. "New executable via Office FileUploaded Operations" can identify ingress of malicious code and attacker tools to Office services such as SharePoint and OneDrive, but with potential for high false positive rates from normal user upload activity. |
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1105 | Ingress Tool Transfer | This control detects binary downloads via certutil, monitors for FTP access from IP addresses found in threat intelligence, monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin. Temporal factor is unknown. |
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1105 | Ingress Tool Transfer | This control may scan created files for malware and proceed to quarantine and/or delete the file. This control is dependent on a signature being available. |
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1105 | Ingress Tool Transfer | This control may scan created files for malware. This control is dependent on a signature being available. |