T1105: Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniq...

Platforms: ESXi, Linux, macOS, Network Devices, Windows

Detections: 170
Sources: 4
Threat Actors: 85

BY SOURCE

sigma: 69, elastic: 56, splunk_escu: 41, crowdstrike_cql: 4

PROCEDURES (80)

Download: 17 detections (auto-extracted)
Suspicious: 12 detections (auto-extracted)
Remote: 9 detections (auto-extracted)
Download: 7 detections (auto-extracted)
Process Creation Monitoring: 6 detections (auto-extracted)
Powershell: 5 detections (auto-extracted)
Remote: 5 detections (auto-extracted)
Suspicious: 4 detections (auto-extracted)
Remote: 4 detections (auto-extracted)
Http: 3 detections (auto-extracted)
Dump: 3 detections (auto-extracted)
Lateral: 3 detections (auto-extracted)
Lateral: 2 detections (auto-extracted)
Dns: 2 detections (auto-extracted)
Command And Control: 2 detections (auto-extracted)
Privilege: 2 detections (auto-extracted)
Bypass: 2 detections (auto-extracted)
Tunnel: 2 detections (auto-extracted)
Credential: 2 detections (auto-extracted)
Download: 2 detections (auto-extracted)
General Monitoring: 2 detections (auto-extracted)
Command And Control: 2 detections (auto-extracted)
Privilege: 2 detections (auto-extracted)
Api: 2 detections (auto-extracted)
Http: 2 detections (auto-extracted)
Container: 2 detections (auto-extracted)
Service: 2 detections (auto-extracted)
Container: 2 detections (auto-extracted)
Http: 2 detections (auto-extracted)
Suspicious: 2 detections (auto-extracted)
Exfiltrat: 2 detections (auto-extracted)
Email: 2 detections (auto-extracted)
Script Block: 2 detections (auto-extracted)
Persist: 2 detections (auto-extracted)
Aws: 2 detections (auto-extracted)
Api: 2 detections (auto-extracted)
Download: 1 detection (auto-extracted)
Evasion: 1 detection (auto-extracted)
Http: 1 detection (auto-extracted)
Inject: 1 detection (auto-extracted)
Ransomware: 1 detection (auto-extracted)
Aws: 1 detection (auto-extracted)
Persist: 1 detection (auto-extracted)
Aws: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Lateral: 1 detection (auto-extracted)
Cloud Monitoring: 1 detection (auto-extracted)
Network Connection Monitoring: 1 detection (auto-extracted)
Exfiltrat: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Container: 1 detection (auto-extracted)
Powershell: 1 detection (auto-extracted)
Parent Process: 1 detection (auto-extracted)
Exfiltrat: 1 detection (auto-extracted)
Remote: 1 detection (auto-extracted)
Parent Process: 1 detection (auto-extracted)
Bypass: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Encrypt: 1 detection (auto-extracted)
Privilege: 1 detection (auto-extracted)
Child Process: 1 detection (auto-extracted)
Ransomware: 1 detection (auto-extracted)
Bypass: 1 detection (auto-extracted)
Http: 1 detection (auto-extracted)
Email: 1 detection (auto-extracted)
Child Process: 1 detection (auto-extracted)
Unusual: 1 detection (auto-extracted)
Phish: 1 detection (auto-extracted)
Obfuscat: 1 detection (auto-extracted)
Persist: 1 detection (auto-extracted)
Persist: 1 detection (auto-extracted)
Child Process: 1 detection (auto-extracted)
Inject: 1 detection (auto-extracted)
Powershell: 1 detection (auto-extracted)
Evasion: 1 detection (auto-extracted)
Dump: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Http: 1 detection (auto-extracted)
Inject: 1 detection (auto-extracted)
Service: 1 detection (auto-extracted)

DETECTIONS (170)

Apple Script Execution followed by Network Connection (elastic, medium)
AppX Package Installation Attempts Via AppInstaller.EXE (sigma, medium)
Arbitrary File Download Via GfxDownloadWrapper.EXE (sigma, medium)
AWS EC2 LOLBin Execution via SSM SendCommand (elastic, medium)
BITSAdmin Download File (splunk_escu)
Browser Execution In Headless Mode (sigma, low)
Cisco Isovalent - Curl Execution With Insecure Flags (splunk_escu)
Cisco NVM - Suspicious File Download via Headless Browser (splunk_escu)
Cisco NVM - Webserver Download From File Sharing Website (splunk_escu)
Cisco Secure Firewall - Communication Over Suspicious Ports (splunk_escu)
Cisco Secure Firewall - Connection to File Sharing Domain (splunk_escu)
Cisco Secure Firewall - File Download Over Uncommon Port (splunk_escu)
Cisco Secure Firewall - High EVE Threat Confidence (splunk_escu)
Cisco Secure Firewall - Malware File Downloaded (splunk_escu)
Cisco Secure Firewall - Repeated Malware Downloads (splunk_escu)
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts (splunk_escu)
Cisco Secure Firewall - Wget or Curl Download (splunk_escu)
Cisco Stage Data (sigma, low)
Command Line Execution with Suspicious URL and AppData Strings (sigma, medium)
Curl Download And Execute Combination (sigma, high)
Curl Execution via Shell Profile (elastic, high)
Curl Execution with Percent Encoded URL (splunk_escu)
Curl or Wget Egress Network Connection via LoLBin (elastic, medium)
Curl or Wget Spawned via Node.js (elastic, medium)
Curl Usage on Linux (sigma, low)
Detect Certify Command Line Arguments (splunk_escu)
Detection of External Direct IP Usage in CommandLine Windows and Mac (crowdstrike_cql)
Download File To Potentially Suspicious Directory Via Wget (sigma, medium)
Download Files Using Telegram (splunk_escu)
Download from Suspicious Dyndns Hosts (sigma, medium)
Executable File Download via Wget (elastic, medium)
Executable from Webdav (sigma, medium)
Execution via OpenClaw Agent (elastic, medium)
File Creation, Execution and Self-Deletion in Suspicious Directory (elastic, high)
File Download And Execution Via IEExec.EXE (sigma, high)
File Download Detected via Defend for Containers (elastic, medium)
File Download From Browser Process Via Inline URL (sigma, medium)
File Download From IP Based URL Via CertOC.EXE (sigma, high)
File Download or Read to Pipe Execution (splunk_escu)
File Download Using Notepad++ GUP Utility (sigma, high)
File Download Via Bitsadmin (sigma, medium)
File Download Via Bitsadmin To A Suspicious Target Folder (sigma, high)
File Download via CertOC.EXE (sigma, medium)
File Download Via Nscurl - MacOS (sigma, medium)
File Download Via Windows Defender MpCmpRun.EXE (sigma, high)
File Download with Headless Browser (sigma, high)
File With Suspicious Extension Downloaded Via Bitsadmin (sigma, high)
Finger.EXE Execution (sigma, high)
Git Repository or File Download to Suspicious Directory (elastic, low)
Hidden Flag Set On File/Directory Via Chflags - MacOS (sigma, medium)
Import LDAP Data Interchange Format File Via Ldifde.EXE (sigma, medium)
Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers (elastic, high)
Ingress Transfer via Windows BITS (elastic, low)
Initial Access via File Upload Followed by GET Request (elastic, medium)
Insensitive Subfolder Search Via Findstr.EXE (sigma, low)
Juniper Networks Remote Code Execution Exploit Detection (splunk_escu)
Legitimate Application Writing Files In Uncommon Location (sigma, high)
Linux Curl Upload File (splunk_escu)
Linux Ingress Tool Transfer Hunting (splunk_escu)
Linux Ingress Tool Transfer with Curl (splunk_escu)
Living Off The Land Detection (splunk_escu)
Local Network Connection Initiated By Script Interpreter (sigma, medium)
Log4Shell CVE-2021-44228 Exploitation (splunk_escu)
Lolbas OneDriveStandaloneUpdater.exe Proxy Download (sigma, high)
LOLBAS With Network Traffic (splunk_escu)
LOLBin Certutil (crowdstrike_cql)
LOLBin Mshta (crowdstrike_cql)
LOLBin WMIC (crowdstrike_cql)
Microsoft Intune Device Health Scripts (splunk_escu)
Microsoft Intune Mobile Apps (splunk_escu)
MsiExec Web Install (sigma, medium)
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder (sigma, high)
Network Connection Initiated By IMEWDBLD.EXE (sigma, high)
Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location (sigma, high)
Network Connection via MsXsl (elastic, low)
Network Traffic to Rare Destination Country (elastic, low)
Outbound Network Connection Initiated By Script Interpreter (sigma, high)
Password Protected ZIP File Opened (Suspicious Filenames) (sigma, high)
Payload Execution via Shell Pipe Detected by Defend for Containers (elastic, medium)
Pluggable Authentication Module (PAM) Source Download (elastic, medium)
Potential COM Objects Download Cradles Usage - Process Creation (sigma, medium)
Potential COM Objects Download Cradles Usage - PS Script (sigma, medium)
Potential DLL File Download Via PowerShell Invoke-WebRequest (sigma, medium)
Potential Download/Upload Activity Using Type Command (sigma, medium)
Potential File Download via a Headless Browser (elastic, high)
Potential File Transfer via Certreq (elastic, medium)
Potential File Transfer via Curl for Windows (elastic, low)
Potential Git CVE-2025-48384 Exploitation (elastic, high)
Potential In-Memory Download And Compile Of Payloads (sigma, medium)
Potential Remote File Execution via MSIEXEC (elastic, low)
Potential Remote Install via MsiExec (elastic, high)
Potential THC Tool Downloaded (elastic, high)
Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation (elastic, high)
Potentially Suspicious File Creation by OpenEDR's ITSMService (sigma, medium)
Potentially Suspicious Process Started via tmux or screen (elastic, medium)
PowerShell MSI Install via WindowsInstaller COM From Remote Location (sigma, medium)
PowerShell Script Block With URL Chain (splunk_escu)
PowerShell WebRequest Using Memory Stream (splunk_escu)
PrintBrm ZIP Creation of Extraction (sigma, high)
PUA - Nimgrab Execution (sigma, high)
Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server (sigma, medium)
Remote File Copy (sigma, low)
Remote File Copy via TeamViewer (elastic, medium)
Remote File Creation in World Writeable Directory (elastic, medium)
Remote File Download via Desktopimgdownldr Utility (elastic, medium)
Remote File Download Via Desktopimgdownldr Utility (sigma, medium)
Remote File Download Via Findstr.EXE (sigma, medium)
Remote File Download via MpCmdRun (elastic, medium)
Remote File Download via PowerShell (elastic, medium)
Remote File Download via Script Interpreter (elastic, medium)
Replace.exe Usage (sigma, medium)
Roshal Archive (RAR) or PowerShell File Downloaded from the Internet (elastic, medium)
Scheduled Task Creation with Curl and PowerShell Execution Combo (sigma, medium)
Suspicious Browser Child Process (elastic, high)
Suspicious CertReq Command to Download (sigma, high)
Suspicious CertUtil Commands (elastic, medium)
Suspicious Command Prompt Network Connection (elastic, low)
Suspicious Curl File Upload - Linux (sigma, medium)
Suspicious Curl from macOS Application (elastic, high)
Suspicious Curl Network Connection (splunk_escu)
Suspicious Curl to Google App Script Endpoint (elastic, high)
Suspicious Curl.EXE Download (sigma, high)
Suspicious Deno File Written from Remote Source (sigma, low)
Suspicious Desktopimgdownldr Command (sigma, high)
Suspicious Desktopimgdownldr Target File (sigma, high)
Suspicious Diantz Download and Compress Into a CAB File (sigma, medium)
Suspicious Download From File-Sharing Website Via Bitsadmin (sigma, high)
Suspicious Download from Office Domain (sigma, high)
Suspicious Download Via Certutil.EXE (sigma, medium)
Suspicious Dropbox API Usage (sigma, high)
Suspicious Execution from a WebDav Share (elastic, high)
Suspicious Execution from Foomatic-rip or Cupsd Parent (elastic, high)
Suspicious Execution from INET Cache (elastic, high)
Suspicious Execution from VS Code Extension (elastic, medium)
Suspicious Extrac32 Execution (sigma, medium)
Suspicious File Created by ArcSOC.exe (sigma, high)
Suspicious File Downloaded From Direct IP Via Certutil.EXE (sigma, high)
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE (sigma, high)
Suspicious File Downloaded from Google Drive (elastic, medium)
Suspicious Installer Package Spawns Network Event (elastic, medium)
Suspicious Invoke-WebRequest Execution (sigma, high)
Suspicious Invoke-WebRequest Execution With DirectIP (sigma, medium)
Suspicious JavaScript Execution via Deno (elastic, high)
Suspicious Network Tool Launch Detected via Defend for Containers (elastic, low)
Suspicious Network Tool Launched Inside A Container (elastic, low)
Suspicious Non-Browser Network Communication With Telegram API (sigma, medium)
Suspicious ScreenConnect Client Child Process (elastic, medium)
Suspicious Windows Command Shell Arguments (elastic, high)
Suspicious Windows Powershell Arguments (elastic, medium)
System Path File Creation and Execution Detected via Defend for Containers (elastic, medium)
Tool Installation Detected via Defend for Containers (elastic, low)
Uncommon Network Connection Initiated By Certutil.EXE (sigma, high)
Unusual Network Destination Domain Name (elastic, low)
Unusual Remote File Creation (elastic, low)
Web Server Exploitation Detected via Defend for Containers (elastic, high)
Web Server Potential Command Injection Request (elastic, low)
Wget Creating Files in Tmp Directory (sigma, medium)
Windows Cabinet File Extraction Via Expand (splunk_escu)
Windows Curl Download to Suspicious Path (splunk_escu)
Windows Curl Upload to Remote Destination (splunk_escu)
Windows DLL Module Loaded in Temp Dir (splunk_escu)
Windows DNS Query Request To TinyUrl (splunk_escu)
Windows File Download Via CertUtil (splunk_escu)
Windows File Download Via PowerShell (splunk_escu)
Windows Ingress Tool Transfer Using Explorer (splunk_escu)
Windows Ldifde Directory Object Behavior (splunk_escu)
Windows Process Execution From RDP Share (splunk_escu)
Windows SQL Spawning CertUtil (splunk_escu)
Windows SSH Proxy Command (splunk_escu)
WinRAR Spawning Shell Application (splunk_escu)