Skip to content

DET0060 Detect Ingress Tool Transfers via Behavioral Chain

Item Value
ID DET0060
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1105 (Ingress Tool Transfer)

Analytics

Windows

AN0165

Unusual or uncommon processes initiate network connections to external destinations followed by file creation (tools downloaded).

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
ParentProcessName Tune for known good updaters (e.g., ChromeUpdate, OneDrive)
DestinationIPCategory Allow filtering by internal vs external IP blocks
FilePathRegex Focus on uncommon file drop paths (e.g., C:\Users\Public)

Linux

AN0166

Shell-based tools (curl, wget, scp) initiate connections to external domains followed by creation of executable files on disk.

Log Sources
Data Component Name Channel
Command Execution (DC0064) auditd:SYSCALL connect, execve, write
File Creation (DC0039) auditd:SYSCALL file creation/modification
Network Traffic Flow (DC0078) iptables:LOG TCP connections
Mutable Elements
Field Description
ToolName Match on curl, wget, rsync, etc. based on environment
DownloadExtension Tunable filter to limit to suspicious file types (.sh, .bin, .elf)

macOS

AN0167

Process execution of curl or wget followed by a network connection and a file created in temporary or user-specific directories.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_EXEC
File Creation (DC0039) macos:unifiedlog file write/create
Network Connection Creation (DC0082) macos:unifiedlog connection open
Mutable Elements
Field Description
DirectoryTargeted Restrict to high-risk directories like /Users/Shared, /tmp/
ProcessPath May tune based on custom tooling or MDM activity

ESXi

AN0168

Command line interface or vCLI triggers remote transfer using wget or curl, writing files into datastore paths or local tmp directories.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:hostd command execution
File Creation (DC0039) esxi:vmkernel file write
Mutable Elements
Field Description
ToolName Tune for wget, curl, netcat, and scripting languages in use
DatastorePath Filter or prioritize specific paths (e.g., /vmfs/volumes/)

Network Devices

AN0169

Network device logs show anomalous inbound file transfers or uncharacteristic flows with high payload volume to network devices with storage or automation hooks.

Log Sources
Data Component Name Channel
Network Traffic Flow (DC0078) NSM:Flow connection metadata
File Creation (DC0039) snmp:syslog firmware write/log event
Mutable Elements
Field Description
PayloadVolumeThreshold Tune based on expected update size vs anomalous bulk data transfers
ProtocolUsed Flag unexpected protocols like TFTP, FTP, HTTP