Ingress Tool Transfer T1105
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as FTP. Once present, adversaries may also transfer or spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).
Events covered
14 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 69 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (27 distinct)
The fields that most rules examine when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (563 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. A blank value means the combination is specific to rules under this technique.
Common exclusions (24 distinct)
Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 58 rules
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Command Line Execution with Suspicious URL and AppData Strings
- Curl Download And Execute Combination
- File Download And Execution Via IEExec.EXE
- File Download From Browser Process Via Inline URL
- File Download From IP Based URL Via CertOC.EXE
- File Download Using Notepad++ GUP Utility
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File Download via CertOC.EXE
- File Download Via Windows Defender MpCmpRun.EXE
- File Download with Headless Browser
- File With Suspicious Extension Downloaded Via Bitsadmin
- Finger.EXE Execution
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- Insensitive Subfolder Search Via Findstr.EXE
- Legitimate Application Writing Files In Uncommon Location
- Local Network Connection Initiated By Script Interpreter
- Lolbas OneDriveStandaloneUpdater.exe Proxy Download
- MsiExec Web Install
- Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
- Network Connection Initiated By IMEWDBLD.EXE
- Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
- Outbound Network Connection Initiated By Script Interpreter
- Password Protected ZIP File Opened (Suspicious Filenames)
- Potential COM Objects Download Cradles Usage - Process Creation
- Potential COM Objects Download Cradles Usage - PS Script
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Potential Download/Upload Activity Using Type Command
- Potentially Suspicious File Creation by OpenEDR's ITSMService
- PowerShell MSI Install via WindowsInstaller COM From Remote Location
- PrintBrm ZIP Creation of Extraction
- PUA - Nimgrab Execution
- Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
- Remote File Download Via Desktopimgdownldr Utility
- Remote File Download Via Findstr.EXE
- Replace.exe Usage
- Scheduled Task Creation with Curl and PowerShell Execution Combo
- Suspicious CertReq Command to Download
- Suspicious Curl.EXE Download
- Suspicious Deno File Written from Remote Source
- Suspicious Desktopimgdownldr Command
- Suspicious Desktopimgdownldr Target File
- Suspicious Diantz Download and Compress Into a CAB File
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Suspicious Download from Office Domain
- Suspicious Download Via Certutil.EXE
- Suspicious Dropbox API Usage
- Suspicious Extrac32 Execution
- Suspicious File Created by ArcSOC.exe
- Suspicious File Downloaded From Direct IP Via Certutil.EXE
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Suspicious Invoke-WebRequest Execution
- Suspicious Invoke-WebRequest Execution With DirectIP
- Suspicious Non-Browser Network Communication With Telegram API
- Uncommon Network Connection Initiated By Certutil.EXE
Splunk 6 rules
- Download Files Using Telegram
- LOLBAS With Network Traffic
- PowerShell Script Block With URL Chain
- PowerShell WebRequest Using Memory Stream
- Windows DLL Module Loaded in Temp Dir
- Windows DNS Query Request To TinyUrl