T1105 — Ingress Tool Transfer

Technique

T1105

Tactics

Command and Control

MISP citations

0

KEV CVEs mapped

35

Community rules

87

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1105

MITRE description

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) A number of these tools, such as `wget`, `curl`, and `scp`, also exist on ESXi. After downloading a file, a threat actor may attempt to verify its integrity by checking its hash value (e.g., via `certutil -hashfile`).(Citation: Google Cloud Threat Intelligence COSCMICENERGY 2023) Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566) lures).(Citation: T1105: Trellix_search-ms) Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-43200
• CVE-2025-31201
• CVE-2025-31200
• CVE-2024-4978
• CVE-2024-23692
• CVE-2023-7101
• CVE-2023-48788
• CVE-2023-38831
• CVE-2023-38203
• CVE-2023-38035
• CVE-2023-3519
• CVE-2023-34362
• CVE-2023-29300
• CVE-2023-2868
• CVE-2023-27350
• CVE-2023-26360
• CVE-2023-22518
• CVE-2023-20867
• CVE-2022-30190
• CVE-2021-44515
• CVE-2021-35394
• CVE-2018-15982
• CVE-2017-11292
• CVE-2016-4117
• CVE-2016-1019
• CVE-2016-0984
• CVE-2015-8651
• CVE-2015-5119
• CVE-2013-0641
• CVE-2012-1535
• CVE-2012-0754
• CVE-2011-0611
• CVE-2010-2861
• CVE-2010-1297
• CVE-2010-0188

Detection coverage

SigmaHQ community rules

• Pandemic Registry Key (emerging-threats)
• Greenbug Espionage Group Indicators (emerging-threats)
• DarkGate - Autoit3.EXE File Creation By Uncommon Process (emerging-threats)
• Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE (emerging-threats)
• Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load (emerging-threats)
• Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access (emerging-threats)
• Potential Exploitation of RCE Vulnerability CVE-2025-33053 (emerging-threats)
• Axios NPM Compromise File Creation Indicators - Linux (emerging-threats)
• Axios NPM Compromise File Creation Indicators - MacOS (emerging-threats)
• Axios NPM Compromise Indicators - Linux (emerging-threats)
• Axios NPM Compromise Indicators - macOS (emerging-threats)
• Axios NPM Compromise Indicators - Windows (emerging-threats)
• Network Connection Initiated From Users\Public Folder (threat-hunting)
• File Download Via Curl.EXE (threat-hunting)
• Curl.EXE Execution (threat-hunting)
• Potential Data Exfiltration Via Curl.EXE (threat-hunting)
• Process Execution From WebDAV Share (threat-hunting)
• Remote File Copy (core)
• Wget Creating Files in Tmp Directory (core)
• Curl Usage on Linux (core)
• Suspicious Curl File Upload - Linux (core)
• Download File To Potentially Suspicious Directory Via Wget (core)
• Hidden Flag Set On File/Directory Via Chflags - MacOS (core)
• File Download Via Nscurl - MacOS (core)
• Potential In-Memory Download And Compile Of Payloads (core)

Showing 25 of 87 community rules — the full set is tagged attack.t1105 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.