1. Home
  2. ATT&CK Techniques
  3. T1105 Ingress Tool Transfer

T1105 Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

On Windows, adversaries may use various utilities to download tools, such as copy, finger, certutil, and PowerShell commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.(Citation: t1105_lolbas)

Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows search-ms protocol handler, to deliver malicious files to victims through remote file searches invoked by User Execution (typically after interacting with Phishing lures).(Citation: T1105: Trellix_search-ms)

Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CA-07 Continuous Monitoring mitigates T1105 Ingress Tool Transfer
CM-06 Configuration Settings mitigates T1105 Ingress Tool Transfer
SI-03 Malicious Code Protection mitigates T1105 Ingress Tool Transfer
CM-02 Baseline Configuration mitigates T1105 Ingress Tool Transfer
CM-07 Least Functionality mitigates T1105 Ingress Tool Transfer
SI-04 System Monitoring mitigates T1105 Ingress Tool Transfer
AC-04 Information Flow Enforcement mitigates T1105 Ingress Tool Transfer
SC-07 Boundary Protection mitigates T1105 Ingress Tool Transfer

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Other Other related-to T1105 Ingress Tool Transfer
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1105 Ingress Tool Transfer
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1105 Ingress Tool Transfer

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
defender_for_storage Microsoft Defender for Cloud: Defender for Storage technique_scores T1105 Ingress Tool Transfer
Comments
When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-introduction
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-azurestorage
defender_for_storage Microsoft Defender for Cloud: Defender for Storage technique_scores T1105 Ingress Tool Transfer
Comments
This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-introduction
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-azurestorage
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1105 Ingress Tool Transfer
Comments
This control may detect usage of malware droppers and creation of suspicious files on the host machine. The following alerts may be generated: "Detected possible execution of malware dropper", "Detected suspicious file creation".
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-windows-machines
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service technique_scores T1105 Ingress Tool Transfer
Comments
This control detects binary downloads via certutil, monitors for FTP access from IP addresses found in threat intelligence, monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin. Temporal factor is unknown.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-app-service-introduction
  3. https://azure.microsoft.com/en-us/services/app-service/
  4. https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers
microsoft_antimalware_for_azure Microsoft Antimalware for Azure technique_scores T1105 Ingress Tool Transfer
Comments
This control may scan created files for malware. This control is dependent on a signature being available.
References
  1. https://learn.microsoft.com/en-us/azure/security/fundamentals/antimalware
  2. https://learn.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples
microsoft_antimalware_for_azure Microsoft Antimalware for Azure technique_scores T1105 Ingress Tool Transfer
Comments
This control may scan created files for malware and proceed to quarantine and/or delete the file. This control is dependent on a signature being available.
References
  1. https://learn.microsoft.com/en-us/azure/security/fundamentals/antimalware
  2. https://learn.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1105 Ingress Tool Transfer
Comments
Google Security Ops is able to trigger an alert based off suspicious system processes that could indicate tool transfer attempts using cURL from Windows machines (e.g., C:\\Windows\\System32\\curl.exe). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_curl_usage.yaral
References
  1. ['https://cloud.google.com/security/products/security-operations'
  2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
  3. 'https://github.com/chronicle/detection-rules']
security_command_center Security Command Center technique_scores T1105 Ingress Tool Transfer
Comments
SCC uses machine learning [NLP techniques] to evaluate content of an executed bash script. This security solution protects against potentially malicious scripts that are used to transfer tools into a compromised environment and execute commands without binaries. Because of the high threat detection coverage provided by the ML model and near-real time temporal factor this control was graded as significant.
References
  1. ['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview'
  2. 'https://github.com/GoogleCloudPlatform/security-analytics']