Ingress Tool Transfer T1105

Events covered

29 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 265 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (120 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Top indicator values (2264 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Exclusions (501 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 93 rules

• AppX Package Installation Attempts Via AppInstaller.EXE
• Arbitrary File Download Via GfxDownloadWrapper.EXE
• Axios NPM Compromise File Creation Indicators - Linux
• Axios NPM Compromise File Creation Indicators - MacOS
• Axios NPM Compromise Indicators - Linux
• Axios NPM Compromise Indicators - macOS
• Axios NPM Compromise Indicators - Windows
• BITS payload downloaded via commandline
• BITS payload downloaded via PowerShell
• Browser Execution In Headless Mode
• Certutil payload download (command)
• Cisco Stage Data
• Command Line Execution with Suspicious URL and AppData Strings
• Curl Download And Execute Combination
• Curl Usage on Linux
• Curl.EXE Execution
• DarkGate - Autoit3.EXE File Creation By Uncommon Process
• Download File To Potentially Suspicious Directory Via Wget
• Download from Suspicious Dyndns Hosts
• Executable from Webdav
• File Download And Execution Via IEExec.EXE
• File Download From Browser Process Via Inline URL
• File Download From IP Based URL Via CertOC.EXE
• File Download Using Notepad++ GUP Utility
• File Download Via Bitsadmin
• File Download Via Bitsadmin To A Suspicious Target Folder
• File Download via CertOC.EXE
• File Download Via Curl.EXE
• File Download Via Nscurl - MacOS
• File Download Via Windows Defender MpCmpRun.EXE
• File Download with Headless Browser
• File with high volume downloaded via BITS
• File With Suspicious Extension Downloaded Via Bitsadmin
• Finger.EXE Execution
• Greenbug Espionage Group Indicators
• Hidden Flag Set On File/Directory Via Chflags - MacOS
• Import LDAP Data Interchange Format File Via Ldifde.EXE
• Insensitive Subfolder Search Via Findstr.EXE
• Legitimate Application Writing Files In Uncommon Location
• Local Network Connection Initiated By Script Interpreter
• Lolbas OneDriveStandaloneUpdater.exe Proxy Download
• macOS HTTP Tools with Protocol Indicators
• MsiExec Web Install
• Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
• Network Connection Initiated By IMEWDBLD.EXE
• Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
• Network Connection Initiated From Users\Public Folder
• Outbound Network Connection Initiated By Script Interpreter
• Pandemic Registry Key
• Password Protected ZIP File Opened (Suspicious Filenames)
• Payload downloaded via PowerShell
• Potential COM Objects Download Cradles Usage - Process Creation
• Potential COM Objects Download Cradles Usage - PS Script
• Potential Data Exfiltration Via Curl.EXE
• Potential DLL File Download Via PowerShell Invoke-WebRequest
• Potential Download/Upload Activity Using Type Command
• Potential Exploitation of RCE Vulnerability CVE-2025-33053
• Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
• Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
• Potential In-Memory Download And Compile Of Payloads
• Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
• Potentially Suspicious File Creation by OpenEDR's ITSMService
• PowerShell Download Via Net.WebClient - PowerShell Classic
• PowerShell MSI Install via WindowsInstaller COM From Remote Location
• PrintBrm ZIP Creation of Extraction
• Process Execution From WebDAV Share
• PUA - Nimgrab Execution
• Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
• Remote File Copy
• Remote File Download Via Desktopimgdownldr Utility
• Remote File Download Via Findstr.EXE
• Replace.exe Usage
• Scheduled Task Creation with Curl and PowerShell Execution Combo
• Suspicious CertReq Command to Download
• Suspicious Curl File Upload - Linux
• Suspicious Curl.EXE Download
• Suspicious Deno File Written from Remote Source
• Suspicious Desktopimgdownldr Command
• Suspicious Desktopimgdownldr Target File
• Suspicious Diantz Download and Compress Into a CAB File
• Suspicious Download From File-Sharing Website Via Bitsadmin
• Suspicious Download from Office Domain
• Suspicious Download Via Certutil.EXE
• Suspicious Dropbox API Usage
• Suspicious Extrac32 Execution
• Suspicious File Created by ArcSOC.exe
• Suspicious File Downloaded From Direct IP Via Certutil.EXE
• Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
• Suspicious Invoke-WebRequest Execution
• Suspicious Invoke-WebRequest Execution With DirectIP
• Suspicious Non-Browser Network Communication With Telegram API
• Uncommon Network Connection Initiated By Certutil.EXE
• Wget Creating Files in Tmp Directory

Elastic 61 rules

• Apple Script Execution followed by Network Connection
• AWS EC2 LOLBin Execution via SSM SendCommand
• Bitsadmin Activity
• Curl Execution via Shell Profile
• Curl or Wget Egress Network Connection via LoLBin
• Curl or Wget Execution from Container Context
• Curl or Wget Spawned via Node.js
• Executable File Download via Wget
• Execution via OpenClaw Agent
• File Creation, Execution and Self-Deletion in Suspicious Directory
• File Download Detected via Defend for Containers
• Git Repository or File Download to Suspicious Directory
• Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers
• Ingress Transfer via Windows BITS
• Initial Access via File Upload Followed by GET Request
• Kubernetes Pod Exec with Curl or Wget to HTTPS
• Network Connection via Certutil
• Network Connection via MsXsl
• Network Traffic to Rare Destination Country
• Ollama DNS Query to Untrusted Domain
• Payload Execution via Shell Pipe Detected by Defend for Containers
• Pluggable Authentication Module (PAM) Source Download
• Potential File Download via a Headless Browser
• Potential File Transfer via Certreq
• Potential File Transfer via Curl for Windows
• Potential Git CVE-2025-48384 Exploitation
• Potential Remote File Execution via MSIEXEC
• Potential Remote Install via MsiExec
• Potential THC Tool Downloaded
• Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation
• Potentially Suspicious Process Started via tmux or screen
• Remote File Copy via TeamViewer
• Remote File Creation in World Writeable Directory
• Remote File Download via Desktopimgdownldr Utility
• Remote File Download via MpCmdRun
• Remote File Download via PowerShell
• Remote File Download via Script Interpreter
• Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
• Suspicious Browser Child Process
• Suspicious CertUtil Commands
• Suspicious Command Prompt Network Connection
• Suspicious Curl from macOS Application
• Suspicious Curl to Google App Script Endpoint
• Suspicious Execution from a WebDav Share
• Suspicious Execution from Foomatic-rip or Cupsd Parent
• Suspicious Execution from INET Cache
• Suspicious Execution from VS Code Extension
• Suspicious File Downloaded from Google Drive
• Suspicious Installer Package Spawns Network Event
• Suspicious JavaScript Execution via Deno
• Suspicious Network Tool Launch Detected via Defend for Containers
• Suspicious Network Tool Launched Inside A Container
• Suspicious ScreenConnect Client Child Process
• Suspicious Windows Command Shell Arguments
• Suspicious Windows Powershell Arguments
• System Path File Creation and Execution Detected via Defend for Containers
• Tool Installation Detected via Defend for Containers
• Unusual Network Destination Domain Name
• Unusual Remote File Creation
• Web Server Exploitation Detected via Defend for Containers
• Web Server Potential Command Injection Request

Splunk 95 rules

• BITSAdmin Download File
• BITSadmin Execution (PowerShell)
• BITSadmin Execution (Sysmon)
• BITSadmin Execution (Windows Event Log)
• Certutil Execution (Sysmon)
• Certutil Execution (Windows Event Log)
• Certutil File Download (PowerShell)
• Certutil File Download (Sysmon)
• Certutil File Download (Windows Event Log)
• Cisco Isovalent - Curl Execution With Insecure Flags
• Cisco NVM - Suspicious File Download via Headless Browser
• Cisco NVM - Webserver Download From File Sharing Website
• Cisco Secure Firewall - Communication Over Suspicious Ports
• Cisco Secure Firewall - Connection to File Sharing Domain
• Cisco Secure Firewall - File Download Over Uncommon Port
• Cisco Secure Firewall - High EVE Threat Confidence
• Cisco Secure Firewall - Malware File Downloaded
• Cisco Secure Firewall - Repeated Malware Downloads
• Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
• Cisco Secure Firewall - Wget or Curl Download
• Curl Execution with Percent Encoded URL
• Detect Certify Command Line Arguments
• Download Files Using Telegram
• Esentutl Execution (PowerShell)
• Esentutl Execution (Sysmon)
• Esentutl Execution (Windows Event Log)
• Executable File Written to Disk (Sysmon)
• Executable File Written to Disk (Windows Event Log)
• Expand.exe Execution (PowerShell)
• Expand.exe Execution (Sysmon)
• Expand.exe Execution (Windows Event Log)
• File Download or Read to Pipe Execution
• File Executed from INetCache (Sysmon)
• File Executed from INetCache (Windows Event Log)
• Finger Execution (Sysmon)
• Finger Execution (Windows Event Log)
• Git Clone Repository (PowerShell)
• Git Submodule Cloned - Windows (Sysmon)
• Git Submodule Cloned - Windows (Windows Event Log)
• Invoke-WebRequest Command (PowerShell)
• Invoke-WebRequest Command (Sysmon)
• Invoke-WebRequest Command (Windows Event Log)
• Juniper Networks Remote Code Execution Exploit Detection
• Linux Curl Upload File
• Linux Ingress Tool Transfer Hunting
• Linux Ingress Tool Transfer with Curl
• Live Sysinternals Execution (Sysmon)
• Live Sysinternals Execution (Windows Event Log)
• Living Off The Land Detection
• Log4Shell CVE-2021-44228 Exploitation
• LOLBAS With Network Traffic
• Microsoft Intune Device Health Scripts
• Microsoft Intune Mobile Apps
• mshta.exe File Download (PowerShell)
• mshta.exe File Download (Sysmon)
• mshta.exe File Download (Windows Event Log)
• Network Connection with Suspicious Folder (Sysmon)
• Network Connection with Suspicious Folder (Windows Event Log)
• ngen.exe File Download (PowerShell)
• ngen.exe File Download (Sysmon)
• ngen.exe File Download (Windows Event Log)
• Office Binary Download Remote File (Windows Event Log)
• Package installation (PowerShell)
• Package installation (Sysmon)
• Package installation (Windows Event Log)
• PowerShell Download Activity (PowerShell)
• PowerShell DownloadFile_DownloadString (PowerShell)
• PowerShell DownloadFile_DownloadString (Sysmon)
• PowerShell DownloadFile_DownloadString (Windows Event Log)
• PowerShell Script Block With URL Chain
• PowerShell WebRequest Using Memory Stream
• ProtocolHandler.exe File Download (PowerShell)
• ProtocolHandler.exe File Download (Sysmon)
• ProtocolHandler.exe File Download (Windows Event Log)
• Suspicious Curl Network Connection
• Suspicious File written to Disk (Windows Event Log)
• Temporary File Executed from Public Folder (Sysmon)
• Temporary File Executed from Public Folder (Windows Event Log)
• Unusual HTTP Download (Sysmon)
• Visio.exe File Download (PowerShell)
• Visio.exe File Download (Sysmon)
• Visio.exe File Download (Windows Event Log)
• Windows Cabinet File Extraction Via Expand
• Windows Curl Download to Suspicious Path
• Windows Curl Upload to Remote Destination
• Windows DLL Module Loaded in Temp Dir
• Windows DNS Query Request To TinyUrl
• Windows File Download Via CertUtil
• Windows File Download Via PowerShell
• Windows Ingress Tool Transfer Using Explorer
• Windows Ldifde Directory Object Behavior
• Windows Process Execution From RDP Share
• Windows SQL Spawning CertUtil
• Windows SSH Proxy Command
• WinRAR Spawning Shell Application

Kusto 8 rules

• Bitsadmin Activity
• C2-NamedPipe
• Cisco Cloud Security - Request to blocklisted file type
• Ingress Tool Transfer - Certutil
• New executable via Office FileUploaded Operation
• Office Apps Launching Wscipt
• Outgoing connection attempts stateful anomaly on database
• Powershell Empire Cmdlets Executed in Command Line

YARA-L 8 rules

• File Download Using Notepad++ GUP Utility
• File Download Via Windows Defender MpCmpRun.EXE
• Finger.EXE Execution
• PrintBrm ZIP Creation of Extraction
• PUA - Nimgrab Execution
• Suspicious Certreq Command to Download
• Suspicious Curl.EXE Download
• Suspicious Invoke-WebRequest Execution