Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).
On Windows, adversaries may use various utilities to download tools, such as copy, finger, certutil, and PowerShell commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.(Citation: t1105_lolbas)
Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows search-ms protocol handler, to deliver malicious files to victims through remote file searches invoked by User Execution (typically after interacting with Phishing lures).(Citation: T1105: Trellix_search-ms)
Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1105 | Ingress Tool Transfer |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1105 | Ingress Tool Transfer |
Comments
This diagnostic statement protects against Ingress Tool Transfer through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1105 | Ingress Tool Transfer | |
| CM-06 | Configuration Settings | mitigates | T1105 | Ingress Tool Transfer | |
| SI-03 | Malicious Code Protection | mitigates | T1105 | Ingress Tool Transfer | |
| CM-02 | Baseline Configuration | mitigates | T1105 | Ingress Tool Transfer | |
| CM-07 | Least Functionality | mitigates | T1105 | Ingress Tool Transfer | |
| SI-04 | System Monitoring | mitigates | T1105 | Ingress Tool Transfer | |
| AC-04 | Information Flow Enforcement | mitigates | T1105 | Ingress Tool Transfer | |
| SC-07 | Boundary Protection | mitigates | T1105 | Ingress Tool Transfer |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2018-15982 | Adobe Flash Player Use-After-Free Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited via a maliciously-crafted Word document, which then extracts the adversary's RAT tool.
References
|
| CVE-2016-0984 | Adobe Flash Player and AIR Use-After-Free Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This use-after-free vulnerability is exploited by having the user open a maliciously-crafted file.
This CVE was observed to be exploited by the threat actor known as BlackOasis. The threat actor then installs command and control tools.
References
|
| CVE-2015-5119 | Adobe Flash Player Use-After-Free Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
To exploit this vulnerability, adversaries sent spearphishing emails with URLs to webpages with maliciously crafted javascript. The adversaries then download a payload.
References
|
| CVE-2017-11292 | Adobe Flash Player Type Confusion Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited using a malicious-crafted word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command & control server. This malware then performs data collection on the target systems.
References
|
| CVE-2023-48788 | Fortinet FortiClient EMS SQL Injection Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
This is an SQL injection vulnerability that can be exploited to execute remote code via specially crafted HTTP requests. Adversaries have been observed using this exploit to deploy tools on the target machine.
References
|
| CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.
References
|
| CVE-2025-31201 | Apple Multiple Products Arbitrary Read and Write Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.
References
|
| CVE-2024-4978 | Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
CVE-2024-4978 is a vulnerability where compromised software is signed and hosted on the legitimate software distribution website. Adversaries have been observed to use this backdoored software to install additional tools on target machines. The adversary-installed software establishing persistent communications with a command-and-control (C2) server using Windows sockets and WinHTTP requests. Once successfully connected, it transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name to the C2.
References
|
| CVE-2024-23692 | Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
CVE-2024-23692 is a OS command injection vulnerability within the HTTP File Server (HFS) process for Rejetto. It has been reported to be exploited by threat actors to deploy cryptomining malware, install backdoors, Remote Access Trojans (RATs), and other malware like “GoThief” to exfiltrate sensitive data.
References
|
| CVE-2012-0754 | Adobe Flash Player Memory Corruption Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited via a maliciously-crafted MP4 file. As a result of the exploit, malicious software is installed on the target machine.
References
|
| CVE-2010-1297 | Adobe Flash Player Memory Corruption Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited by crafted swf content via drive-by compromise when a user visits a malicious website.
This vulnerability is also exploited via user execution of a maliciously crafted pdf file.
In the wild, threat actors have used this to download malicious software onto the target system.
References
|
| CVE-2025-31200 | Apple Multiple Products Memory Corruption Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.
References
|
| CVE-2015-8651 | Adobe Flash Player Integer Overflow Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited with maliciously-crafted code hosted on a website via drive-by compromise. It has been seen used in the wild by exploit kits whose goal is frequently to load ransomware onto the target machine.
References
|
| CVE-2013-0641 | Adobe Reader Buffer Overflow Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This buffer overflow vulnerability is exploited via malicious-crafted pdf files delivered via targeted emails. Adversaries use this exploit to deliver a remote administration tool with the goal of data exfiltration.
References
|
| CVE-2023-7101 | Spreadsheet::ParseExcel Remote Code Execution Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited by a remote attacker by passing unvalidated input from a file into a string-type "eval". Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic. After successful exploitation, the attacker gains the ability to perform remote code execution. This vulnerability has been targeted by Chinese hackers who exploited the vulnerability in Spreadsheet::ParseExcel to compromise appliances. In collaboration with cybersecurity firm Mandiant, Barracuda assesses that the threat actor behind the attacks is UNC4841, who leveraged the flaw to deploy ‘SeaSpy’ and ‘Saltwater’ malware.
References
|
| CVE-2023-38831 | RARLAB WinRAR Code Execution Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
CVE-2023-38831 is a vulnerability within the crafred archive process of WinRAR that occurs when a user attempts to open a seemingly legitimate document within a compromised archive, the vulnerability allows the attacker to execute arbitrary code on the system via a specially prepared archive. There have been public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS leveraging this vulnerability.
References
|
| CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploit through a maliciously crafted Word document, which downloads html that then runs commands on the target machine and has been seen to download additional payloads on target machines.
References
|
| CVE-2021-35394 | Realtek Jungle SDK Remote Code Execution Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
The vulnerability in Realtek Jungle chipsets is exploited by remote, unauthenticated attackers using UDP packets to a server on port 9034, enabling remote execution of arbitrary commands. The attack involves injecting a shell command that downloads and executes a shell script on the compromised device. This script downloads binaries for various CPU architectures, such as ARM, MIPS, and SuperH, primarily from the Mirai malware family, turning the device into a botnet node.
The attack script connects to a malicious IP to download and execute malware, with threats mainly from Mirai, Gafgyt, and Mozi families. It also includes a new DDoS botnet called RedGoBot, developed in Golang. The script uses wget and curl to download botnet clients for different processor architectures. RedGoBot can perform DDoS attacks on various protocols, including HTTP, ICMP, TCP, UDP, VSE, and OpenVPN, upon receiving commands from the threat operator. Additionally, injected commands can write binary payloads to files for execution or reboot the targeted server to cause denial of service.
References
|
| CVE-2016-4117 | Adobe Flash Player Arbitrary Code Execution Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
The vulnerability is exploited by a user opening a maliciously-crafted file. Reporting on in-the-wild exploitation indicates threat actor utilize this vulnerability to install command and control software on the target system. Adversaries seen exploiting this vulnerability were also observed to do a version check on the target software before attempting the exploitation.
References
|
| CVE-2016-1019 | Adobe Flash Player Arbitrary Code Execution Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited by taking advantage of a flaw of Adobe Flash embedded within browsers. In the wild, threat actors have been seen using a browser-based exploit kit to initiate a drive-by compromise of the exploit. After exploit, adversaries can install their own malware or specifically ransomware.
References
|
| CVE-2012-1535 | Adobe Flash Player Arbitrary Code Execution Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited by having a user execute a maliciously-crafted word document that has embedded swf. The embedded swf can download additional malicious software from the web.
References
|
| CVE-2011-0611 | Adobe Flash Player Remote Code Execution Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited by having a user execute a maliciously-crafted word document or pdf file that has embedded swf. The malicious code then downloads another payload to the target machine.
References
|
| CVE-2010-0188 | Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited via drive-by download. Malicious software is this downloaded on the target machine.
References
|
| CVE-2023-2868 | Barracuda Networks ESG Appliance Improper Input Validation Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) had been reportedly exploited for espionage and exfiltration efforts by UNC4841 attributed by Mandiant. Following the exploitation of CVE-2023-2868, malware SALTWATER, SEASPY, and SEASIDE were identified to be used in intrusions.
References
|
| CVE-2025-43200 | Apple Multiple Products Unspecified Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
A zero-click attack leveraging this vulnerability involves sending a maliciously crafted photo or video in an iCloud link via the Messages app. Reports indicate that the targeted devices are then compromised with Paragon's Graphite spyware.
References
|
| CVE-2023-38035 | Ivanti Sentry Authentication Bypass Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system.
This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security.The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.
References
|
| CVE-2023-20867 | VMware Tools Authentication Bypass Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited by an adversary who has fully compromised ESXi host. The adversary can exploit the authentication bypass flaw, leading to a failure in authenticating host-to-guest operations. The threat group UNC3886 has exploited this vulnerability to deploy VirtualPita and VirtualPie backdoors on guest VMs by escalating privileges to root on compromised ESXi hosts. This allows for unauthenticated command execution and file transfer.
References
|
| CVE-2021-44515 | Zoho Desktop Central Authentication Bypass Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating
domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.
References
|
| CVE-2023-27350 | PaperCut MF/NG Improper Access Control Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
CVE-2023-27350 allows an unauthenticated actor to execute malicious code remotely without credentials. Threat actors have been observed exploiting this software through its print scripting interface and installed command and control software on target machines.
References
|
| CVE-2023-22518 | Atlassian Confluence Data Center and Server Improper Authorization Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
CVE-2023-22518 is an improper authorization vulnerability. Adversaries have been seen using HTTP POST requests to upload maliciously-crafted zip files to Confluence WebServers to exploit this vulnerability. After exploitation, adversaries were observed doing local system information discovery, downloading malicious payloads,
References
|
| CVE-2023-3519 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability allows for unauthenticated remote code execution. This can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed to use this exploitation to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate active directory data.
References
|
| CVE-2023-38203 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability can be utilized by exploited a public-facing application. APT groups have used this exploit to deploy webshells.
References
|
| CVE-2023-29300 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability can be utilized by exploited a public-facing application. APT groups have used this exploit to deploy webshells.
References
|
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability gives an adversary access through exploitation of a public-facing server.
References
|
| CVE-2010-2861 | Adobe ColdFusion Directory Traversal Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This is the exploitation of a public facing server. In-the-wild reporting documents that exploitation of this vulnerability was used to install a webshell on the victim machine, and then captured and exfiltrated client credit card information.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Other | Other | related-to | T1105 | Ingress Tool Transfer | |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1105 | Ingress Tool Transfer | |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1105 | Ingress Tool Transfer |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1105 | Ingress Tool Transfer |
Comments
The Microsoft Sentinel Hunting "Crypto currency miners EXECVE" query can detect cryptocurrency mining software downloads through EXECVE.
The following Microsoft Sentinel Analytics queries can identify potentiall malicious tool transfer: "Linked Malicious Storage Artifacts" may identify potential adversary tool downloads that are missed by anti-malware. "Powershell Empire cmdlets seen in command line" detects downloads via Empire. "New executable via Office FileUploaded Operations" can identify ingress of malicious code and attacker tools to Office services such as SharePoint and OneDrive, but with potential for high false positive rates from normal user upload activity.
References
|
| defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | technique_scores | T1105 | Ingress Tool Transfer |
Comments
When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.
References
|
| defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | technique_scores | T1105 | Ingress Tool Transfer |
Comments
This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.
References
|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1105 | Ingress Tool Transfer |
Comments
This control may detect usage of malware droppers and creation of suspicious files on the host machine. The following alerts may be generated: "Detected possible execution of malware dropper", "Detected suspicious file creation".
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1105 | Ingress Tool Transfer |
Comments
This control detects binary downloads via certutil, monitors for FTP access from IP addresses found in threat intelligence, monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin. Temporal factor is unknown.
References
|
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1105 | Ingress Tool Transfer |
Comments
This control may scan created files for malware. This control is dependent on a signature being available.
References
|
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1105 | Ingress Tool Transfer |
Comments
This control may scan created files for malware and proceed to quarantine and/or delete the file. This control is dependent on a signature being available.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1105 | Ingress Tool Transfer |
Comments
Google Security Ops is able to trigger an alert based off suspicious system processes that could indicate tool transfer attempts using cURL from Windows machines (e.g., C:\\Windows\\System32\\curl.exe).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_curl_usage.yaral
References
|
| security_command_center | Security Command Center | technique_scores | T1105 | Ingress Tool Transfer |
Comments
SCC uses machine learning [NLP techniques] to evaluate content of an executed bash script. This security solution protects against potentially malicious scripts that are used to transfer tools into a compromised environment and execute commands without binaries. Because of the high threat detection coverage provided by the ML model and near-real time temporal factor this control was graded as significant.
References
|