Ingress Tool Transfer T1105
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as FTP. Once present, adversaries may also transfer or spread tools between victim devices within the compromised environment (i.e., Lateral Tool Transfer).
Events covered
22 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 191 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (59 distinct)
The fields most rules look at when detecting this technique. The "How" column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1161 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The "Corpus reach" column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (300 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma (80 rules)
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Axios NPM Compromise File Creation Indicators - Linux
- Axios NPM Compromise File Creation Indicators - MacOS
- Axios NPM Compromise Indicators - Linux
- Axios NPM Compromise Indicators - macOS
- Axios NPM Compromise Indicators - Windows
- BITS payload downloaded via commandline
- BITS payload downloaded via PowerShell
- Browser Execution In Headless Mode
- Certutil payload download (command)
- Command Line Execution with Suspicious URL and AppData Strings
- Curl Download And Execute Combination
- Curl.EXE Execution
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- File Download And Execution Via IEExec.EXE
- File Download From Browser Process Via Inline URL
- File Download From IP Based URL Via CertOC.EXE
- File Download Using Notepad++ GUP Utility
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File Download via CertOC.EXE
- File Download Via Curl.EXE
- File Download Via Windows Defender MpCmpRun.EXE
- File Download with Headless Browser
- File With Suspicious Extension Downloaded Via Bitsadmin
- Finger.EXE Execution
- Greenbug Espionage Group Indicators
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- Insensitive Subfolder Search Via Findstr.EXE
- Legitimate Application Writing Files In Uncommon Location
- Local Network Connection Initiated By Script Interpreter
- Lolbas OneDriveStandaloneUpdater.exe Proxy Download
- MsiExec Web Install
- Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
- Network Connection Initiated By IMEWDBLD.EXE
- Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
- Network Connection Initiated From Users\Public Folder
- Outbound Network Connection Initiated By Script Interpreter
- Pandemic Registry Key
- Password Protected ZIP File Opened (Suspicious Filenames)
- Payload downloaded via PowerShell
- Potential COM Objects Download Cradles Usage - Process Creation
- Potential COM Objects Download Cradles Usage - PS Script
- Potential Data Exfiltration Via Curl.EXE
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Potential Download/Upload Activity Using Type Command
- Potential Exploitation of RCE Vulnerability CVE-2025-33053
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
- Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
- Potentially Suspicious File Creation by OpenEDR's ITSMService
- PowerShell Download Via Net.WebClient - PowerShell Classic
- PowerShell MSI Install via WindowsInstaller COM From Remote Location
- PrintBrm ZIP Creation of Extraction
- Process Execution From WebDAV Share
- PUA - Nimgrab Execution
- Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
- Remote File Download Via Desktopimgdownldr Utility
- Remote File Download Via Findstr.EXE
- Replace.exe Usage
- Scheduled Task Creation with Curl and PowerShell Execution Combo
- Suspicious CertReq Command to Download
- Suspicious Curl.EXE Download
- Suspicious Deno File Written from Remote Source
- Suspicious Desktopimgdownldr Command
- Suspicious Desktopimgdownldr Target File
- Suspicious Diantz Download and Compress Into a CAB File
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Suspicious Download from Office Domain
- Suspicious Download Via Certutil.EXE
- Suspicious Dropbox API Usage
- Suspicious Extrac32 Execution
- Suspicious File Created by ArcSOC.exe
- Suspicious File Downloaded From Direct IP Via Certutil.EXE
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Suspicious Invoke-WebRequest Execution
- Suspicious Invoke-WebRequest Execution With DirectIP
- Suspicious Non-Browser Network Communication With Telegram API
- Uncommon Network Connection Initiated By Certutil.EXE
Elastic (22 rules)
- Bitsadmin Activity
- Network Connection via Certutil
- Network Connection via MsXsl
- Potential File Download via a Headless Browser
- Potential File Transfer via Certreq
- Potential File Transfer via Curl for Windows
- Potential Remote File Execution via MSIEXEC
- Potential Remote Install via MsiExec
- Remote File Copy via TeamViewer
- Remote File Download via Desktopimgdownldr Utility
- Remote File Download via MpCmdRun
- Remote File Download via PowerShell
- Remote File Download via Script Interpreter
- Suspicious CertUtil Commands
- Suspicious Command Prompt Network Connection
- Suspicious Execution from a WebDav Share
- Suspicious Execution from INET Cache
- Suspicious Execution from VS Code Extension
- Suspicious JavaScript Execution via Deno
- Suspicious ScreenConnect Client Child Process
- Suspicious Windows Command Shell Arguments
- Suspicious Windows Powershell Arguments
Splunk (76 rules)
- BITSAdmin Download File
- BITSadmin Execution (PowerShell)
- BITSadmin Execution (Sysmon)
- BITSadmin Execution (Windows Event Log)
- Certutil Execution (Sysmon)
- Certutil Execution (Windows Event Log)
- Certutil File Download (PowerShell)
- Certutil File Download (Sysmon)
- Certutil File Download (Windows Event Log)
- Curl Execution with Percent Encoded URL
- Detect Certify Command Line Arguments
- Download Files Using Telegram
- Esentutl Execution (PowerShell)
- Esentutl Execution (Sysmon)
- Esentutl Execution (Windows Event Log)
- Executable File Written to Disk (Sysmon)
- Executable File Written to Disk (Windows Event Log)
- Expand.exe Execution (PowerShell)
- Expand.exe Execution (Sysmon)
- Expand.exe Execution (Windows Event Log)
- File Download or Read to Pipe Execution
- File Executed from INetCache (Sysmon)
- File Executed from INetCache (Windows Event Log)
- Finger Execution (Sysmon)
- Finger Execution (Windows Event Log)
- Git Clone Repository (PowerShell)
- Git Submodule Cloned - Windows (Sysmon)
- Git Submodule Cloned - Windows (Windows Event Log)
- Invoke-WebRequest Command (PowerShell)
- Invoke-WebRequest Command (Sysmon)
- Invoke-WebRequest Command (Windows Event Log)
- Live Sysinternals Execution (Sysmon)
- Live Sysinternals Execution (Windows Event Log)
- LOLBAS With Network Traffic
- mshta.exe File Download (PowerShell)
- mshta.exe File Download (Sysmon)
- mshta.exe File Download (Windows Event Log)
- Network Connection with Suspicious Folder (Sysmon)
- Network Connection with Suspicious Folder (Windows Event Log)
- ngen.exe File Download (PowerShell)
- ngen.exe File Download (Sysmon)
- ngen.exe File Download (Windows Event Log)
- Office Binary Download Remote File (Windows Event Log)
- Package installation (PowerShell)
- Package installation (Sysmon)
- Package installation (Windows Event Log)
- PowerShell Download Activity (PowerShell)
- PowerShell DownloadFile_DownloadString (PowerShell)
- PowerShell DownloadFile_DownloadString (Sysmon)
- PowerShell DownloadFile_DownloadString (Windows Event Log)
- PowerShell Script Block With URL Chain
- PowerShell WebRequest Using Memory Stream
- ProtocolHandler.exe File Download (PowerShell)
- ProtocolHandler.exe File Download (Sysmon)
- ProtocolHandler.exe File Download (Windows Event Log)
- Suspicious Curl Network Connection
- Suspicious File written to Disk (Windows Event Log)
- Temporary File Executed from Public Folder (Sysmon)
- Temporary File Executed from Public Folder (Windows Event Log)
- Unusual HTTP Download (Sysmon)
- Visio.exe File Download (PowerShell)
- Visio.exe File Download (Sysmon)
- Visio.exe File Download (Windows Event Log)
- Windows Cabinet File Extraction Via Expand
- Windows Curl Download to Suspicious Path
- Windows Curl Upload to Remote Destination
- Windows DLL Module Loaded in Temp Dir
- Windows DNS Query Request To TinyUrl
- Windows File Download Via CertUtil
- Windows File Download Via PowerShell
- Windows Ingress Tool Transfer Using Explorer
- Windows Ldifde Directory Object Behavior
- Windows Process Execution From RDP Share
- Windows SQL Spawning CertUtil
- Windows SSH Proxy Command
- WinRAR Spawning Shell Application
Kusto (5 rules)
- Bitsadmin Activity
- C2-NamedPipe
- Ingress Tool Transfer - Certutil
- Office Apps Launching Wscipt
- Powershell Empire Cmdlets Executed in Command Line