Find sigma rule
Attack: Ingress Tool Transfer
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).
On Windows, adversaries may use various utilities to download tools, such as copy
, finger
, certutil, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as curl
, scp
, sftp
, tftp
, rsync
, finger
, and wget
.(Citation: t1105_lolbas)
Adversaries may also abuse installers and package managers, such as yum
or winget
, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows search-ms
protocol handler, to deliver malicious files to victims through remote file searches invoked by User Execution (typically after interacting with Phishing lures).(Citation: T1105: Trellix_search-ms)
Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service’s web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim’s machine.(Citation: Dropbox Malware Sync)
MITRE
Tactic
- command-and-control
technique
- T1105
Test : iwr or Invoke Web-Request download
OS
- windows
Description:
Use ‘iwr’ or “Invoke-WebRequest” -URI argument to download a file from the web. Note: without -URI also works in some versions.
Executor
command_prompt
Sigma Rule
-
proc_creation_win_powershell_invoke_webrequest_download.yml (id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc)
-
proc_creation_win_susp_web_request_cmd_and_cmdlets.yml (id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d)
-
proc_creation_win_susp_script_exec_from_temp.yml (id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33)
-
posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)