forked from splunk/security_content
ingress_tool_transfer.yml
name: Ingress Tool Transfer
id: b3782036-8cbd-11eb-9d8e-acde48001122
version: 1
date: '2021-03-24'
author: Michael Haag, Splunk
description: Adversaries may transfer tools or other files from an external system
  into a compromised environment. Files may be copied from an external adversary controlled
  system through the Command And Control channel to bring tools into the victim network
  or through alternate protocols with another tool such as FTP.
narrative: Ingress tool transfer is a Technique under tactic Command And Control.
  Behaviors will include the use of living off the land binaries to download implants
  or binaries over alternate communication ports. It is imperative to baseline applications
  on endpoints to understand what generates network activity, to where, and what its
  native behavior is. These utilities, when abused, will write files to disk in world
  writeable paths. During triage, review the reputation of the remote public destination
  IP or domain. Capture any files written to disk and perform analysis. Review other
  parallel processes for additional behaviors.
references:
- https://attack.mitre.org/techniques/T1105/
tags:
  analytic_story: Ingress Tool Transfer
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
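The narrative above boils down to three checks a triage script can run over endpoint telemetry: compare each process's outbound destinations against a baseline, flag public destinations the baseline has not seen, and flag files the same process then writes into world-writable paths. The following is an added example of that logic, not code from splunk/security_content or from the story's author. The event schema, the `BASELINE` map, the `WORLD_WRITABLE_PREFIXES` list, the placeholder process names, and the sample events are all constructed for the example; the reputation lookup the narrative asks for is left as a comment because it needs an external service.

```python
"""Offline triage helper for the Ingress Tool Transfer story (added example).

Applies the story's guidance to constructed endpoint telemetry:
  1. baseline which destinations each application normally contacts,
  2. flag outbound connections to public addresses outside that baseline,
  3. flag files written to world-writable paths by those same processes.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed baseline: destinations each application was seen contacting
# during a learning period. A real baseline would be built from history.
BASELINE = {
    "updater.exe": {"203.0.113.10"},  # documentation-range address, constructed
}

# Assumed list of directories treated as world-writable drop locations.
WORLD_WRITABLE_PREFIXES = (
    "/tmp/",
    "/dev/shm/",
    "C:\\Users\\Public\\",
    "C:\\Windows\\Temp\\",
)

# Address ranges considered internal for this example (RFC 1918, loopback,
# link-local). Anything else is treated as a public destination.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass
class Event:
    """One endpoint telemetry record (assumed schema)."""
    host: str
    process: str
    dest_ip: Optional[str] = None    # set on network-connection events
    file_path: Optional[str] = None  # set on file-write events


def is_public(ip: str) -> bool:
    """True when the address parses and is outside INTERNAL_NETWORKS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def is_world_writable_path(path: str) -> bool:
    return any(path.startswith(prefix) for prefix in WORLD_WRITABLE_PREFIXES)


Finding = Tuple[str, str, str, str]  # (host, process, reason, detail)


def triage(events: List[Event], baseline=BASELINE) -> List[Finding]:
    """Return findings for out-of-baseline public egress and related drops."""
    findings: List[Finding] = []
    suspicious = set()  # (host, process) pairs that reached a new public host

    # Step 1+2: public destinations not in the application's baseline.
    for e in events:
        if e.dest_ip and is_public(e.dest_ip):
            if e.dest_ip not in baseline.get(e.process, set()):
                findings.append((e.host, e.process,
                                 "new_public_destination", e.dest_ip))
                suspicious.add((e.host, e.process))
                # Narrative: review the reputation of e.dest_ip here
                # (external lookup, intentionally not performed offline).

    # Step 3: files those processes wrote into world-writable locations;
    # these are the artifacts to capture and analyse.
    for e in events:
        if e.file_path and (e.host, e.process) in suspicious \
                and is_world_writable_path(e.file_path):
            findings.append((e.host, e.process,
                             "file_written_world_writable", e.file_path))
    return findings


# Constructed sample telemetry; "lolbin.exe" is a placeholder process name.
SAMPLE_EVENTS = [
    Event("ws01", "updater.exe", dest_ip="203.0.113.10"),           # baselined
    Event("ws01", "updater.exe",
          file_path="C:\\Program Files\\Updater\\cache.bin"),      # not a drop
    Event("ws02", "lolbin.exe", dest_ip="198.51.100.7"),            # new, public
    Event("ws02", "lolbin.exe",
          file_path="C:\\Users\\Public\\payload.bin"),             # drop path
    Event("ws03", "lolbin.exe", dest_ip="10.0.0.5"),                # internal
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints two findings for `ws02`: the out-of-baseline public destination and the file dropped under `C:\Users\Public\`. The `ws03` connection is ignored because its destination is internal, and `updater.exe` is silent because its destination is baselined; tuning the baseline is where most of the real work lies.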