# Atomic Red Team

## Description

Successful execution of Atomic Red Team T1105 - Ingress Tool Transfer. Also includes Invoke-CertUtil executed with different command switches.
## MITRE ATT&CK Techniques

| ID | Technique | Tactic |
|---|---|---|
| T1105 | Ingress Tool Transfer | Command And Control |
## Environment Details

| Field | Value |
|---|---|
| Environment | attack_range |
| Directory | atomic_red_team |
| Test Date | 2021-03-25 |
## Datasets

The following datasets were collected during this attack simulation:

### T1105_explorer-Windows-Security
- Path: /datasets/attack_techniques/T1105/atomic_red_team/T1105_explorer-windows-security.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Security

### Windows-Sysmon_curl_upload
- Path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

### Windows-Sysmon_curl
- Path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

### Windows-Sysmon
- Path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
## Related Detections

The following detections in our security content repository use this attack data for testing:

| Detection Name | Type | Source | MITRE ATT&CK | Analytic Story |
|---|---|---|---|---|
| Linux Ingress Tool Transfer Hunting | Hunting | Endpoint | T1105 | Ingress Tool Transfer, Linux Living Off The Land, XorDDos |
| Linux Proxy Socks Curl | TTP | Endpoint | T1090, T1095 | Linux Living Off The Land, Ingress Tool Transfer |
| Linux Ingress Tool Transfer with Curl | Anomaly | Endpoint | T1105 | Ingress Tool Transfer, Linux Living Off The Land, XorDDos |
| Linux Curl Upload File | TTP | Endpoint | T1105 | Linux Living Off The Land, Data Exfiltration, Ingress Tool Transfer |
| Windows Curl Upload to Remote Destination | TTP | Endpoint | T1105 | Compromised Windows Host, Ingress Tool Transfer, Cisco Network Visibility Module Analytics, PromptLock, Microsoft WSUS CVE-2025-59287 |
| WinRAR Spawning Shell Application | TTP | Endpoint | T1105 | Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831 |
| Windows File Download Via CertUtil | TTP | Endpoint | T1105 | Living Off The Land, Ingress Tool Transfer, ProxyNotShell, DarkSide Ransomware, Forest Blizzard, Flax Typhoon, Compromised Windows Host, CISA AA22-277A, Cisco Network Visibility Module Analytics |
| Windows Curl Download to Suspicious Path | TTP | Endpoint | T1105 | APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, Black Basta Ransomware, China-Nexus Threat Activity, Forest Blizzard, Compromised Windows Host, Salt Typhoon, Ingress Tool Transfer, IcedID, Cisco Network Visibility Module Analytics |
| Wget Download and Bash Execution | TTP | Deprecated | T1105 | Log4Shell CVE-2021-44228, Compromised Windows Host, Ingress Tool Transfer |
| Curl Download and Bash Execution | TTP | Deprecated | T1105 | Compromised Windows Host, Log4Shell CVE-2021-44228, Linux Living Off The Land, Ingress Tool Transfer |
## Usage Instructions

### Replay with Splunk Attack Data

Replay attack data with replay.py from Splunk Attack Data:

```bash
python replay.py --dataset /datasets/attack_techniques/T1105/atomic_red_team/T1105_explorer-windows-security.log --index attack_data
```
### Manual Import

- Download the dataset files from the paths listed above
- Configure your Splunk instance with the appropriate sourcetypes
- Import the logs using the Splunk Add Data wizard
## Related Content

Find more detections and analytics for this attack technique in our security content repository.
Source: GitHub | Version: 1.0