# T1105 Ingress Tool Transfer

-----------------------------------------------------------------------

## Technique Description

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). 

Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)

On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)

## Technique Detection

Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as [ftp](https://attack.mitre.org/software/S0095), that does not normally occur may also be suspicious.

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Specifically, for the finger utility on Windows and Linux systems, monitor command line or terminal execution for the finger command. Monitor network activity for TCP port 79, which is used by the finger utility, and Windows <code>netsh interface portproxy</code> modifications to well-known ports such as 80 and 443. Furthermore, monitor file system for the download/creation and execution of suspicious files, which may indicate adversary-downloaded payloads. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)

-----------------------------------------------------------------------

### Tactics:

  * Command and Control

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Network Traffic:** Network Traffic Flow

  * **Network Traffic:** Network Connection Creation

  * **File:** File Creation

  * **Network Traffic:** Network Traffic Content

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has downloaded additional malware onto compromised hosts.(Citation: CrowdStrike AQUATIC PANDA December 2021)| 
| Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has downloaded additional files and payloads onto a compromised host following initial access.(Citation: Uptycs Confucius APT Jan 2021)(Citation: TrendMicro Confucius APT Aug 2021)| 
| LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has downloaded additional tools to a compromised host.(Citation: MalwareBytes LazyScripter Feb 2021)| 
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used the curl command and batch scripts to download new tools.(Citation: Intezer TeamTNT September 2020)| 
| Andariel | [Andariel](https://attack.mitre.org/groups/G0138) has downloaded additional tools and malware onto compromised hosts.(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)| 
| IndigoZebra | [IndigoZebra](https://attack.mitre.org/groups/G0136) has downloaded additional files and tools from its C2 server.(Citation: Checkpoint IndigoZebra July 2021)| 
| BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has downloaded additional files and tools onto a compromised host.(Citation: ESET BackdoorDiplomacy Jun 2021)| 
| Nomadic Octopus | [Nomadic Octopus](https://attack.mitre.org/groups/G0133) has used malicious macros to download additional files to the victim's machine.(Citation: ESET Nomadic Octopus 2018) | 
| Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) has downloaded malicious DLLs which served as a [ShadowPad](https://attack.mitre.org/software/S0596) loader.(Citation: ESET Exchange Mar 2021)| 
| Ajax Security Team | [Ajax Security Team](https://attack.mitre.org/groups/G0130) has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.(Citation: Check Point Rocket Kitten)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has downloaded additional executables following the initial infection stage.(Citation: Recorded Future REDDELTA July 2020)| 
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used tools to download malicious files to compromised hosts.(Citation: Zscaler APT31 Covid-19 October 2020)| 
| TA551 | [TA551](https://attack.mitre.org/groups/G0127) has retrieved DLLs and installer binaries for malware execution from C2.(Citation: Unit 42 TA551 Jan 2021)| 
| HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.(Citation: Microsoft HAFNIUM March 2020) | 
| Volatile Cedar | [Volatile Cedar](https://attack.mitre.org/groups/G0123) can deploy additional tools.(Citation: ClearSky Lebanese Cedar Jan 2021)| 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used LNK files to download remote files to the victim's network.(Citation: ATT Sidewinder January 2021)(Citation: Cyble Sidewinder September 2020)| 
| Evilnum | [Evilnum](https://attack.mitre.org/groups/G0120) can deploy additional components or tools as needed.(Citation: ESET EvilNum July 2020)| 
| Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has downloaded additional scripts, malware, and tools onto a compromised host.(Citation: Crowdstrike Indrik November 2018)(Citation: Symantec WastedLocker June 2020)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) downloaded additional tools, such as [TEARDROP](https://attack.mitre.org/software/S0560) malware and [Cobalt Strike](https://attack.mitre.org/software/S0154), to the compromised host following initial compromise.(Citation: FireEye SUNBURST Backdoor December 2020)| 
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has downloaded additional tools including [PsExec](https://attack.mitre.org/software/S0029) directly to endpoints.(Citation: CISA AA20-259A Iran-Based Actor September 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) can download additional files to the infected system.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has remotely copied tools and malware onto targeted systems.(Citation: Cycraft Chimera April 2020)| 
| Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used tools to deploy additional payloads to compromised hosts.(Citation: BlackBerry Bahamut)| 
| Whitefly | [Whitefly](https://attack.mitre.org/groups/G0107) has the ability to download additional tools from the C2.(Citation: Symantec Whitefly March 2019)| 
| Rocke | [Rocke](https://attack.mitre.org/groups/G0106) used malware to download additional malicious files to the target system.(Citation: Talos Rocke August 2018)	| 
| Sharpshooter | [Sharpshooter](https://attack.mitre.org/groups/G0104) downloaded additional payloads after a target was infected with a first-stage downloader.(Citation: McAfee Sharpshooter December 2018)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has uploaded and downloaded files to utilize additional plugins.(Citation: Talos Frankenstein June 2019)| 
| APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has downloaded binary data from a specified domain after the malicious document is opened.(Citation: QiAnXin APT-C-36 Feb2019)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) used [certutil](https://attack.mitre.org/software/S0160) to download additional files.(Citation: FireEye APT41 March 2020)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Group IB APT 41 June 2021)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has downloaded additional scripts, tools, and malware onto victim systems.(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and [HTRAN](https://attack.mitre.org/software/S0040).(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)| 
| TA505 | [TA505](https://attack.mitre.org/groups/G0092) has downloaded additional malware to execute on victim systems.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: ProofPoint SettingContent-ms July 2018)| 
| Silence | [Silence](https://attack.mitre.org/groups/G0091) has downloaded additional modules and malware to victim’s machines.(Citation: Group IB Silence Sept 2018)	| 
| WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has downloaded PowerShell code from the C2 server to be executed.(Citation: Lab52 WIRTE Apr 2019)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has downloaded tools to compromised hosts.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.(Citation: FireEye APT38 Oct 2018)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used a delivered trojan to download additional files.(Citation: TrendMicro Tropic Trooper May 2020)| 
| Rancor | [Rancor](https://attack.mitre.org/groups/G0075) has downloaded additional malware, including by using [certutil](https://attack.mitre.org/software/S0160).(Citation: Rancor Unit42 June 2018)| 
| Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016) The group's JavaScript backdoor is also capable of downloading files.(Citation: Morphisec Cobalt Gang Oct 2018)| 
| Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) malware can download additional files from C2 servers.(Citation: Unit 42 Gorgon Group Aug 2018)| 
| Elderwood | The Ritsol backdoor trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) can download files onto a compromised host from a remote location.(Citation: Symantec Ristol May 2012)| 
| PLATINUM | [PLATINUM](https://attack.mitre.org/groups/G0068) has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.(Citation: Microsoft PLATINUM June 2017)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has downloaded additional scripts and files from adversary-controlled servers.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that can upload additional files to the victim’s machine.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)| 
| APT33 | [APT33](https://attack.mitre.org/groups/G0064) has downloaded additional files and programs from its C2 server.(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)| 
| APT37 | [APT37](https://attack.mitre.org/groups/G0067) has downloaded second stage malware from compromised websites.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft May 2019)(Citation: Volexity InkySquid BLUELIGHT August 2021)(Citation: Volexity InkySquid RokRAT August 2021)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used remote code execution to download subsequent payloads.(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender FIN8 July 2021)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has downloaded additional code and files from servers onto victims.(Citation: Unit 42 Magic Hound Feb 2017) | 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used various tools to download files, including DGet (a similar tool to wget).(Citation: Secureworks BRONZE BUTLER Oct 2017)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.(Citation: Volexity OceanLotus Nov 2017)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) can download remote files onto victims.(Citation: FireEye APT34 Dec 2017)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has downloaded additional malware and tools onto a compromised host.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Microsoft Actinium February 2022)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.(Citation: FireEye FIN7 April 2017)(Citation: DOJ FIN7 Aug 2018)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has installed updates and new malware on victims.(Citation: PWC Cloud Hopper April 2017)(Citation: District Court of NY APT10 Indictment December 2018)| 
| Winnti Group | [Winnti Group](https://attack.mitre.org/groups/G0044) has downloaded an auxiliary program named ff.exe to infected machines.(Citation: Kaspersky Winnti April 2013)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) payloads download additional files from the C2 server.(Citation: Securelist Dropping Elephant)(Citation: TrendMicro Patchwork Dec 2017)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has copied and installed tools for operations once in the victim environment.(Citation: US-CERT TA18-074A)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has downloaded files, malware, and tools from its C2 onto a compromised host.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: ClearSky Lazarus Aug 2020)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)(Citation: Google TAG Lazarus Jan 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has downloaded additional malware and tools, including through the use of `certutil`, onto a compromised host.(Citation: Dell TG-3390)(Citation: Trend Micro DRBControl February 2020)| 
| APT18 | [APT18](https://attack.mitre.org/groups/G0026) can upload a file to the victim’s machine.(Citation: PaloAlto DNS Requests May 2016)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that can copy files to remote machines.(Citation: FireEye Clandestine Fox)| 
| Molerats | [Molerats](https://attack.mitre.org/groups/G0021) used executables to download malicious files from different sources.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020) | 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has downloaded additional tools, such as [TEARDROP](https://attack.mitre.org/software/S0560) malware and [Cobalt Strike](https://attack.mitre.org/software/S0154), to a compromised host following initial access.(Citation: FireEye SUNBURST Backdoor December 2020)| 
| Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has used first-stage payloads that download additional malware from C2 servers.(Citation: Microsoft DUBNIUM June 2016)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has used shellcode to download Meterpreter after compromising a victim.(Citation: ESET Turla Mosquito May 2018)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Playbook Dec 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used tools to download files to compromised machines.(Citation: Microsoft NICKEL December 2021)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1105)

  * [University Of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.

  * [T1105_Lolbas](https://lolbas-project.github.io/#t1105), LOLBAS. (n.d.). LOLBAS Mapped to T1105. Retrieved March 11, 2022.

  * [Ptsecurity Cobalt Dec 2016](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf), Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 29 June 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, SSgt Sengsouriya Kapkeo

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

* **APT28**
    - APT28 will attempt to transfer tools from external systems it controls into a compromised network or system using common file-transfer or web protocols. Opened attachments may reach out for additional tools or VBA scripts to further the compromise.

* **Turla**
    - Turla will use various file-hosting repositories to move tools into a compromised environment. Turla is shifting from custom tools to generic open-source tools.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | 2 | 3, 5 |
| Turla | X | 1, 2 |

## Detection Blindspots

* Valid hosting domains can be used for both legitimate and non-legitimate downloads.
* Incorrect sensor placement may make it difficult to identify this TTP.

## Analytical References

  * [Turla VirtualBox Exploit (AcidBox)](https://unit42.paloaltonetworks.com/acidbox-rare-malware/)
  * [Turla Adobe](https://www.welivesecurity.com/2018/01/09/turlas-backdoor-laced-flash-player-installer/)
  * [Cyber Advisory: Snakemackerel](https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50)
  * [Sofacy Playbook Viewer (github)](https://pan-unit42.github.io/playbook_viewer/?pb=sofacy)
  * [Turla Mosquito Shift towards Generic Tools (welivesecurity)](https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/)
  * [ESET Turla Mosquito 2018 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf)
  * [Turla Mosquito Backdoor (sudonull)](https://sudonull.com/post/60714-ESET-Turla-band-Mosquito-backdoor-used-in-Eastern-Europe-ESET-NOD32-Blog)
  * [Turla Mosquito Indicators of Compromise (github)](https://github.com/eset/malware-ioc/tree/master/turla#mosquito-indicators-of-compromise)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Operators should monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.
- Remote File Copy occurs in tandem with many other techniques, most frequently with Windows Admin Shares (T1077). BITS Jobs (T1197) is another technique that is conceptually similar and frequently occurs in tandem with Remote File Copy. Exfiltration Over Alternative Protocol (T1048) and Data Staged (T1074) are additional techniques that frequently show up with Remote File Copy, suggesting that the technique occasionally plays a role in exfiltration.
- There is a high volume of detections where Remote File Copy occurs with Process Injection (T1055) and a smaller volume occurring with Disabling Security Tools (T1089), both likely due to TrickBot. Some other interesting associations include DLL Search Order Hijacking (T1038), Domain Trust Discovery (T1482), and Process Hollowing (T1093).

#### Analytic 1

  * **Information:** Network detections for specific LOL bins

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** Since this is ingress, filter out internal destination IPs and look for odd parent processes and file creations by the matched images.

  * **Query:** ```Event_id : 3 AND image : (*bitsadmin.exe OR *rsync.exe OR *scp.exe OR *sftp.exe OR *certutil.exe OR *nc.exe OR *MpCmdRun.exe)```
  * **Query:** ```Event_id : 11 AND image : (*bitsadmin.exe OR *rsync.exe OR *scp.exe OR *sftp.exe OR *certutil.exe OR *nc.exe OR *MpCmdRun.exe)```
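The two queries above match Sysmon network-connection (Event ID 3) and file-creation (Event ID 11) events separately; the note asks the hunter to join them and drop internal destinations. The script below does that join per process over constructed sample events. It is an added example for this playbook, not part of the MITRE page or the Sysmon project; the internal ranges, the sample ProcessGuids and the destination addresses are all assumptions.

```python
"""Correlate Sysmon network connections (Event ID 3) with file creations
(Event ID 11) per process to surface ingress tool transfer candidates.
Added example for this playbook; the events below are constructed, not
real telemetry, and only field names from Sysmon's own schema are used."""
import ipaddress
from collections import defaultdict

# Image names from host Analytic 1 (compared case-insensitively on the basename)
LOLBIN_IMAGES = {"bitsadmin.exe", "rsync.exe", "scp.exe", "sftp.exe",
                 "certutil.exe", "nc.exe", "mpcmdrun.exe"}

# "Internal" per the analytic's note: RFC 1918, loopback and link-local.
# Add the organisation's own public ranges here before running on live data.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: a certutil download, a normal browser download,
# and a bitsadmin copy from an internal host (should be filtered out).
SAMPLE_EVENTS = [
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 11, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\Public\update.exe"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 11, "ProcessGuid": "{B2}", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 11, "ProcessGuid": "{C3}", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "TargetFilename": r"C:\Temp\tool.zip"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_external(ip):
    """True when the destination is outside every INTERNAL_NETS range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events):
    """Return one finding per process that connected to an external address
    and also created a file; 'lolbin' marks images from Analytic 1, and the
    parent image is kept so odd parents (e.g. an Office app) stand out."""
    external = defaultdict(list)   # ProcessGuid -> external ip:port strings
    created = defaultdict(list)    # ProcessGuid -> files written
    image, parent = {}, {}
    for ev in events:
        guid = ev["ProcessGuid"]
        image[guid] = basename(ev["Image"])
        if ev["EventID"] == 3:
            parent[guid] = ev.get("ParentImage", "")
            if is_external(ev["DestinationIp"]):
                external[guid].append(f'{ev["DestinationIp"]}:{ev["DestinationPort"]}')
        elif ev["EventID"] == 11:
            created[guid].append(ev["TargetFilename"])
    findings = []
    for guid, dests in external.items():
        if guid not in created:
            continue   # outbound traffic but no file written: not ingress here
        findings.append({"process_guid": guid, "image": image[guid],
                         "parent": basename(parent.get(guid, "")),
                         "lolbin": image[guid] in LOLBIN_IMAGES,
                         "destinations": dests, "files": created[guid]})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        tag = "LOLBIN " if f["lolbin"] else "       "
        print(tag + f["image"], f["parent"], f["destinations"], f["files"])
```

Correlating by ProcessGuid rather than by image name is what catches the browser-like case: a process that is not on the LOLBin list still surfaces when it both talks out and writes to disk, and the parent image tells you whether that is normal.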

#### Analytic 2

  * **Information:** Detect second-stage malware destination

  * **Source:** Memory

  * **Tool:** Volatility

  * **Notes:** Requires admin. Search the memory image for the registry keys/values below.

  * **Registry - sslwin.exe:**
    * Key: ```HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleIndexer```
    * Value: ```%AppData%\Platform\sslwin.exe```

  * **Registry - videodrv.exe:**
    * Key: ```HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AudioMgr```
    * Value: ```%AppData%\Video\videodrv.exe```

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- <span style="color:red">This is not an ideal way to hunt. If possible, it could be used to identify initial access or further actions on objectives while scoping an incident. However, it should not be the primary focus of a hunt.</span>

- Monitor for file creation and files transferred into the network.

- Get with the MP to identify appropriate websites (such as Dropbox, Google Drive, etc.) that are commonly used within the network. This will help you identify anomalies in traffic.

- It is suspected that Turla compromised a legitimate Adobe download service. Be aware that legitimate services may be used too.

- Anti-virus software has the same characteristics, so some false positives may be generated. Modify your query to account for AV software.

- Hard-coded IP URLs should be investigated.

- File extensions may be used to narrow results; examples include .pdf, .exe, .py, .ps, and .ps1.

#### Analytic 1

  * **Information:** Identify connections to legitimate websites followed by a connection to a website that hosts content (Dropbox, Google Drive, etc.)

  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:**
    * MP requests will need to be submitted to identify sites that are allowed to be used to host content
    * Turla has been known to use Google services
    * Exporting with unique counts and some least-frequency analysis might have to be conducted to identify anomalies

  * **Arkime Query:** `http.uri == *drive.google*`

  * **Arkime Query:** `http.uri == EXISTS!`

  * **Kibana Query:** `http.uri: *drive.google*`

  * **Kibana Query:** `http.uri: *`

#### Analytic 2

  * **Information:** Identify content type, as a GET request may reach out for a file, compressed or not compressed.

  * **Source:** PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** HTTP referrals from legitimate sites to content-hosting sites should be investigated

  * **Arkime Query:** `http.bodymagic == application/zip <modify as needed> && http.statuscode == <200, 3XX>`

#### Analytic 3

  * **Information:** Attempt to identify successful communications to external resources. GET requests that may return attached files or scripts should be analyzed.

  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:** Admin accounts should be identified and their activities should be tracked

  * **Arkime Query:** `http.method == GET && http.statuscode == 200 && (http.bodymagic == EXISTS! || http.content-type == EXISTS!)`
  
  * **Kibana Query:** `(http.method: <GET or POST> AND http.statuscode: 200) AND (http.bodyMagic: * OR http.request-type: *)`
  
#### Analytic 4

  * **Information:** Search for other file transfer protocols

  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:** Not a complete list

  * **Arkime:** ```protocols == [ftp, sftp, tftp, ssh] ```

  * **Kibana Query:** ```protocol:(ftp or sftp or tftp or ssh)```
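The Arkime and Kibana queries in Network Analytics 1 to 4 each pull one slice of sessions; the hunter notes then ask for extension, hard-coded-IP, referral and AV-allowlist judgement on what comes back. The script below applies those rules together to a handful of constructed session records so the logic can be checked before it is translated into a dashboard. It is an added example for this playbook, not Arkime's or Kibana's own code; the record fields, the content-hosting list and the allowlist domain are assumptions.

```python
"""Apply the playbook's network hunting rules (Analytics 1-4 and the hunter
notes) to session records. Added example for this page; the records, the
content-hosting list and the AV allowlist are constructed, not captured
traffic, and the record fields are this example's own, not Arkime's."""
import ipaddress
from urllib.parse import urlsplit

CONTENT_HOSTS = ("drive.google.com", "dropbox.com", "sendspace.com", "github.com")
PAYLOAD_MAGIC = {"application/zip", "application/x-dosexec", "application/x-msdownload",
                 "application/x-rar", "application/octet-stream"}
SUSPECT_EXT = (".pdf", ".exe", ".py", ".ps", ".ps1", ".zip", ".dll")
TRANSFER_PROTOS = {"ftp", "sftp", "tftp", "ssh"}
AV_ALLOWLIST = ("av-updates.example",)   # constructed; fill from MP-approved update sources

# Constructed sessions: host/uri/referer are plain hostnames and paths.
SAMPLE_SESSIONS = [
    {"id": 1, "protocol": "http", "method": "GET", "host": "drive.google.com",
     "uri": "/uc?export=download&id=abc", "status": 200, "bodymagic": "application/zip",
     "referer": "https://www.example-news.com/article"},
    {"id": 2, "protocol": "http", "method": "GET", "host": "203.0.113.44",
     "uri": "/update/svc.exe", "status": 200, "bodymagic": "application/x-dosexec", "referer": ""},
    {"id": 3, "protocol": "http", "method": "GET", "host": "av-updates.example",
     "uri": "/defs.zip", "status": 200, "bodymagic": "application/zip", "referer": ""},
    {"id": 4, "protocol": "http", "method": "GET", "host": "www.example.com",
     "uri": "/index.html", "status": 200, "bodymagic": "text/html", "referer": ""},
    {"id": 5, "protocol": "tftp", "host": "192.168.1.20"},
]


def matches(host, domains):
    """Exact or subdomain match against a tuple of domain names."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_session(s):
    """Return the names of the rules that fire for one session (empty if none)."""
    proto = s.get("protocol", "")
    if proto in TRANSFER_PROTOS:
        return ["non-http-transfer"]            # Analytic 4
    if proto != "http":
        return []
    host = s.get("host", "")
    if matches(host, AV_ALLOWLIST):
        return []                               # hunter note: AV updates look the same
    hits = []
    if s.get("method") == "GET" and s.get("status") == 200 and s.get("bodymagic") in PAYLOAD_MAGIC:
        hits.append("payload-download")         # Analytics 2 and 3
    if is_ip_literal(host):
        hits.append("hardcoded-ip-url")         # hunter note on IP URLs
    if urlsplit(s.get("uri", "")).path.lower().endswith(SUSPECT_EXT):
        hits.append("suspect-extension")        # hunter note on file extensions
    ref_host = urlsplit(s.get("referer", "")).hostname or ""
    if ref_host and matches(host, CONTENT_HOSTS) and not matches(ref_host, CONTENT_HOSTS):
        hits.append("referral-to-content-host")  # Analytic 1 and the Analytic 2 note
    return hits


def hunt(sessions):
    """Map session id -> fired rules, keeping only sessions with at least one hit."""
    out = {}
    for s in sessions:
        hits = score_session(s)
        if hits:
            out[s["id"]] = hits
    return out


if __name__ == "__main__":
    for sid, hits in hunt(SAMPLE_SESSIONS).items():
        print(sid, ", ".join(hits))
```

The allowlist is deliberately checked before any other rule so that approved AV and update sources never reach the analyst queue, which is the false-positive trade-off the hunter note describes.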

