T1105

Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools may be pulled via the C2 channel or through alternate protocols using built-in OS utilities (certutil, bitsadmin, PowerShell Invoke-WebRequest, curl, wget, scp). Threat actors including HAFNIUM, Fox Kitten, and Cobalt Group have leveraged this technique to stage second-stage payloads, implants, and post-exploitation toolkits onto victim systems.

Microsoft Sentinel / Defender

kusto

let DownloadLolbins = dynamic(["certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe", "desktopimgdownldr.exe", "esentutl.exe", "expand.exe", "extrac32.exe", "finger.exe", "ftp.exe", "ieexec.exe", "makecab.exe", "mavinject.exe", "msiexec.exe", "replace.exe", "robocopy.exe", "wscript.exe", "xcopy.exe"]);
let SuspiciousExtensions = dynamic([".exe", ".dll", ".ps1", ".vbs", ".bat", ".cmd", ".hta", ".scr", ".bin", ".msi", ".jar"]);
let SuspiciousDownloadPaths = dynamic(["\\Temp\\", "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\Users\\Public\\", "\\ProgramData\\", "\\Windows\\Temp\\"]);
// Branch 1: LOLBin download activity
let LolbinDownloads = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (DownloadLolbins)
| where ProcessCommandLine has_any ("http://", "https://", "ftp://", "\\\\")
      or (FileName =~ "certutil.exe" and ProcessCommandLine has_any ("-urlcache", "-decode", "-decodehex", "-verifyctl"))
      or (FileName =~ "bitsadmin.exe" and ProcessCommandLine has_any ("/transfer", "/addfile", "/setnotifycmdline"))
      or (FileName =~ "esentutl.exe" and ProcessCommandLine has "/cp")
      or (FileName =~ "desktopimgdownldr.exe" and ProcessCommandLine has "--storagefile")
| extend DetectionSource = "LOLBin download"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionSource;
// Branch 2: PowerShell / WScript download cradles (distinct from T1059.001 focus)
let PsDownloads = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine has_any (
    "Invoke-WebRequest", "IWR ", "Start-BitsTransfer",
    "Net.WebClient", "DownloadFile", "DownloadData",
    "WebRequest.Create", "HttpClient", "OpenRead",
    "wget ", "curl "
  )
| where ProcessCommandLine has_any ("http://", "https://", "ftp://")
| extend DetectionSource = "PowerShell/script download cradle"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionSource;
// Branch 3: Executable files created in suspicious paths following network activity
let ExecFilesInTempPaths = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType =~ "FileCreated"
| where FolderPath has_any (SuspiciousDownloadPaths)
| where FileName has_any (SuspiciousExtensions)
| where InitiatingProcessFileName in~ (DownloadLolbins)
      or InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "curl.exe", "wget.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| extend DetectionSource = "Executable dropped in temp path by download utility"
| project Timestamp, DeviceName, InitiatingProcessAccountName as AccountName,
         FileName, FolderPath, InitiatingProcessFileName,
         InitiatingProcessCommandLine, DetectionSource;
// Union all branches
LolbinDownloads
| union PsDownloads
| union ExecFilesInTempPaths
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Software deployment tools (SCCM, Intune, Chocolatey, winget) using certutil or bitsadmin to stage installers into Temp directories
IT administrators using certutil -urlcache or Invoke-WebRequest for legitimate patch management or inventory scripts
Developer toolchains (npm, pip, gradle) spawning curl or wget to download build dependencies to temp locations
Monitoring and backup agents (CrowdStrike, SolarWinds, Veeam) that periodically download update packages using BitsTransfer
Security scanning tools that use built-in download utilities for OSINT enrichment or threat intel feed ingestion

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(EventCode=1 OR EventCode=4688 OR EventCode=11)
| eval proc=lower(coalesce(Image, NewProcessName, ""))
| eval cmdline=lower(coalesce(CommandLine, ProcessCommandLine, ""))
| eval target_file=lower(coalesce(TargetFilename, ""))
// === Certutil Download ===
| eval certutil_dl=if(
    match(proc, "certutil\.exe") AND match(cmdline, "(-urlcache|-decode|-decodehex|-verifyctl)"),
    1, 0)
// === BitsAdmin Download ===
| eval bitsadmin_dl=if(
    match(proc, "bitsadmin\.exe") AND match(cmdline, "(\/transfer|\/addfile|\/setnotifycmdline)"),
    1, 0)
// === PowerShell/Script Download Cradle ===
| eval ps_cradle=if(
    match(proc, "(powershell|pwsh|wscript|cscript)\.exe") AND
    match(cmdline, "(invoke-webrequest|iwr\s|net\.webclient|downloadfile|downloaddata|downloadstring|start-bitstransfer|webclient|httpclient|webrequest\.create)") AND
    match(cmdline, "https?://|ftp://"),
    1, 0)
// === Other LOLBin Downloads ===
| eval lolbin_dl=if(
    match(proc, "(desktopimgdownldr|esentutl|finger|ftp|expand|extrac32|replace|ieexec|mshta)\.exe") AND
    match(cmdline, "https?://|ftp://"),
    1, 0)
// === Curl/Wget Native ===
| eval curl_wget=if(
    match(proc, "(curl|wget)\.exe") AND match(cmdline, "https?://|ftp://"),
    1, 0)
// === Executable Dropped in Temp by Download Utility (Sysmon Event 11) ===
| eval exec_in_temp=if(
    EventCode=11 AND
    match(target_file, "(\\.exe|\\.dll|\\.ps1|\\.vbs|\\.bat|\\.hta|\\.scr|\\.bin|\\.msi)$") AND
    match(target_file, "(\\temp\\|\\appdata\\|\\programdata\\|\\users\\public\\)") AND
    match(proc, "(certutil|bitsadmin|powershell|pwsh|curl|wget|mshta|wscript|cscript)\.exe"),
    1, 0)
| eval SuspicionScore = certutil_dl + bitsadmin_dl + ps_cradle + lolbin_dl + curl_wget + exec_in_temp
| where SuspicionScore > 0
| eval DetectionReasons=mvappend(
    if(certutil_dl=1, "certutil_download", null()),
    if(bitsadmin_dl=1, "bitsadmin_download", null()),
    if(ps_cradle=1, "ps_download_cradle", null()),
    if(lolbin_dl=1, "lolbin_download", null()),
    if(curl_wget=1, "curl_wget_download", null()),
    if(exec_in_temp=1, "exec_dropped_in_temp", null())
  )
| eval DetectionReasons=mvjoin(DetectionReasons, ", ")
| table _time, host, User, proc, cmdline, target_file, DetectionReasons, SuspicionScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation File: File Creation Command: Command Execution Sysmon Event ID 1 Sysmon Event ID 11 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Software deployment tools (SCCM, Intune, Chocolatey, winget) using certutil or bitsadmin to stage installers into Temp directories
IT administrators using certutil -urlcache or Invoke-WebRequest for legitimate patch management or inventory scripts
Developer toolchains (npm, pip, gradle) spawning curl or wget to download build dependencies to temp locations
Monitoring and backup agents (CrowdStrike, SolarWinds, Veeam) that periodically download update packages using BitsTransfer
Security scanning tools that use built-in download utilities for OSINT enrichment or threat intel feed ingestion

Elastic Security (EQL)

eql

any where
(
  event.category == "process" and event.type == "start" and
  (
    (
      process.name in~ ("certutil.exe", "bitsadmin.exe", "mshta.exe", "desktopimgdownldr.exe", "esentutl.exe", "expand.exe", "extrac32.exe", "finger.exe", "ftp.exe", "ieexec.exe", "wscript.exe", "xcopy.exe") and
      (
        process.command_line like~ "*http://*" or
        process.command_line like~ "*https://*" or
        process.command_line like~ "*ftp://*"
      )
    ) or
    (
      process.name == "certutil.exe" and
      (
        process.command_line like~ "*-urlcache*" or
        process.command_line like~ "*-decode*" or
        process.command_line like~ "*-decodehex*" or
        process.command_line like~ "*-verifyctl*"
      )
    ) or
    (
      process.name == "bitsadmin.exe" and
      (
        process.command_line like~ "*/transfer*" or
        process.command_line like~ "*/addfile*" or
        process.command_line like~ "*/setnotifycmdline*"
      )
    ) or
    (
      process.name in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe") and
      (
        process.command_line like~ "*Invoke-WebRequest*" or
        process.command_line like~ "*Net.WebClient*" or
        process.command_line like~ "*DownloadFile*" or
        process.command_line like~ "*DownloadData*" or
        process.command_line like~ "*Start-BitsTransfer*" or
        process.command_line like~ "*WebRequest.Create*" or
        process.command_line like~ "*HttpClient*"
      ) and
      (
        process.command_line like~ "*http://*" or
        process.command_line like~ "*https://*"
      )
    ) or
    (
      process.name in~ ("curl.exe", "wget.exe") and
      (
        process.command_line like~ "*http://*" or
        process.command_line like~ "*https://*"
      )
    )
  )
) or
(
  event.category == "file" and
  event.type == "creation" and
  (
    file.path like~ "*\\Temp\\*" or
    file.path like~ "*\\AppData\\Local\\Temp\\*" or
    file.path like~ "*\\AppData\\Roaming\\*" or
    file.path like~ "*\\Users\\Public\\*" or
    file.path like~ "*\\ProgramData\\*" or
    file.path like~ "*\\Windows\\Temp\\*"
  ) and
  file.extension in~ ("exe", "dll", "ps1", "vbs", "bat", "cmd", "hta", "scr", "bin", "msi") and
  process.name in~ ("certutil.exe", "bitsadmin.exe", "powershell.exe", "pwsh.exe", "curl.exe", "wget.exe", "wscript.exe", "cscript.exe", "mshta.exe")
)

high severity high confidence

Data Sources

Elastic Endpoint Security agent (logs-endpoint.events.process-*, logs-endpoint.events.file-*) Winlogbeat with Sysmon module (winlogbeat-*) — requires Sysmon EventIDs 1 and 11 Elastic Agent integration with Windows Security auditing (process command line logging enabled)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

SCCM, Intune, PDQ Deploy, or Chocolatey package managers invoking certutil.exe or bitsadmin.exe to pull signed installers from internal distribution points or vendor CDNs
CI/CD pipeline agents (Jenkins, GitHub Actions runner, TeamCity) running PowerShell scripts that use Invoke-WebRequest or curl.exe to download build artifacts from trusted artifact repositories such as Artifactory or Nexus
IT administrators executing approved patch management scripts that download Windows updates, agent installers, or security tooling from vendor HTTPS endpoints during scheduled maintenance windows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS HostIP,
  username AS AccountName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Target Filename" AS TargetFile,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN LOWER("Process Name") LIKE '%certutil.exe%'
      AND (LOWER("Command") LIKE '%-urlcache%' OR LOWER("Command") LIKE '%-decode%' OR LOWER("Command") LIKE '%-verifyctl%')
      THEN 'certutil_download'
    WHEN LOWER("Process Name") LIKE '%bitsadmin.exe%'
      AND (LOWER("Command") LIKE '%/transfer%' OR LOWER("Command") LIKE '%/addfile%' OR LOWER("Command") LIKE '%/setnotifycmdline%')
      THEN 'bitsadmin_download'
    WHEN (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%' OR LOWER("Process Name") LIKE '%wscript.exe%' OR LOWER("Process Name") LIKE '%cscript.exe%')
      AND (LOWER("Command") LIKE '%invoke-webrequest%' OR LOWER("Command") LIKE '%net.webclient%' OR LOWER("Command") LIKE '%downloadfile%' OR LOWER("Command") LIKE '%start-bitstransfer%' OR LOWER("Command") LIKE '%httpclient%')
      AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%')
      THEN 'ps_download_cradle'
    WHEN (LOWER("Process Name") LIKE '%curl.exe%' OR LOWER("Process Name") LIKE '%wget.exe%')
      AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%')
      THEN 'curl_wget_download'
    WHEN (LOWER("Process Name") LIKE '%desktopimgdownldr.exe%' OR LOWER("Process Name") LIKE '%esentutl.exe%' OR LOWER("Process Name") LIKE '%expand.exe%' OR LOWER("Process Name") LIKE '%extrac32.exe%' OR LOWER("Process Name") LIKE '%finger.exe%' OR LOWER("Process Name") LIKE '%ftp.exe%' OR LOWER("Process Name") LIKE '%ieexec.exe%' OR LOWER("Process Name") LIKE '%mshta.exe%' OR LOWER("Process Name") LIKE '%xcopy.exe%')
      AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%' OR LOWER("Command") LIKE '%ftp://%')
      THEN 'lolbin_download'
    ELSE 'exec_dropped_temp'
  END AS DetectionType
FROM events
WHERE
  (
    (
      LOWER("Process Name") LIKE '%certutil.exe%'
      AND (LOWER("Command") LIKE '%-urlcache%' OR LOWER("Command") LIKE '%-decode%' OR LOWER("Command") LIKE '%-verifyctl%')
    )
    OR
    (
      LOWER("Process Name") LIKE '%bitsadmin.exe%'
      AND (LOWER("Command") LIKE '%/transfer%' OR LOWER("Command") LIKE '%/addfile%' OR LOWER("Command") LIKE '%/setnotifycmdline%')
    )
    OR
    (
      (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%' OR LOWER("Process Name") LIKE '%wscript.exe%' OR LOWER("Process Name") LIKE '%cscript.exe%')
      AND (LOWER("Command") LIKE '%invoke-webrequest%' OR LOWER("Command") LIKE '%net.webclient%' OR LOWER("Command") LIKE '%downloadfile%' OR LOWER("Command") LIKE '%downloaddata%' OR LOWER("Command") LIKE '%start-bitstransfer%' OR LOWER("Command") LIKE '%webclient%' OR LOWER("Command") LIKE '%httpclient%')
      AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%')
    )
    OR
    (
      (LOWER("Process Name") LIKE '%curl.exe%' OR LOWER("Process Name") LIKE '%wget.exe%')
      AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%')
    )
    OR
    (
      (LOWER("Process Name") LIKE '%desktopimgdownldr.exe%' OR LOWER("Process Name") LIKE '%esentutl.exe%' OR LOWER("Process Name") LIKE '%expand.exe%' OR LOWER("Process Name") LIKE '%extrac32.exe%' OR LOWER("Process Name") LIKE '%finger.exe%' OR LOWER("Process Name") LIKE '%ftp.exe%' OR LOWER("Process Name") LIKE '%ieexec.exe%' OR LOWER("Process Name") LIKE '%mshta.exe%' OR LOWER("Process Name") LIKE '%xcopy.exe%')
      AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%' OR LOWER("Command") LIKE '%ftp://%')
    )
    OR
    (
      (LOWER("Target Filename") LIKE '%\\temp\\%' OR LOWER("Target Filename") LIKE '%\\appdata\\%' OR LOWER("Target Filename") LIKE '%\\programdata\\%' OR LOWER("Target Filename") LIKE '%\\users\\public\\%')
      AND (LOWER("Target Filename") LIKE '%.exe' OR LOWER("Target Filename") LIKE '%.dll' OR LOWER("Target Filename") LIKE '%.ps1' OR LOWER("Target Filename") LIKE '%.vbs' OR LOWER("Target Filename") LIKE '%.bat' OR LOWER("Target Filename") LIKE '%.hta')
      AND (LOWER("Process Name") LIKE '%certutil.exe%' OR LOWER("Process Name") LIKE '%bitsadmin.exe%' OR LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%curl.exe%' OR LOWER("Process Name") LIKE '%wget.exe%' OR LOWER("Process Name") LIKE '%mshta.exe%')
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log DSM (Event 4688 with process command line auditing enabled) Sysmon DSM (EventID 1 Process Create, EventID 11 File Create) via Windows Event Log forwarding Windows endpoint agents forwarding to QRadar via WinCollect or syslog

Required Tables

events (QRadar normalized event table) Custom properties: 'Process Name', 'Command', 'Target Filename' — must be defined and extracted in QRadar DSM editor for Windows and Sysmon log sources

False Positives

Enterprise endpoint management platforms (Tanium, BigFix, Ansible) that use PowerShell WebClient methods to distribute software packages to managed endpoints
Security products performing automated threat intelligence downloads, agent self-updates, or signature refreshes via certutil or BITS — common for CrowdStrike, Carbon Black, and Symantec agents
Developer workstations where npm, pip, or other package managers invoke PowerShell download cradles as part of their install process, particularly on systems with restrictive execution policies that require base64-encoded commands

Sumo Logic CSE

sql

(_sourceCategory=*Windows* OR _sourceCategory=*Sysmon* OR _sourceCategory=*wineventlog*)
| parse field=_raw "Image: *\r\n" as Image nodrop
| parse field=_raw "CommandLine: *\r\n" as CommandLine nodrop
| parse field=_raw "NewProcessName: *\r\n" as NewProcessName nodrop
| parse field=_raw "TargetFilename: *\r\n" as TargetFilename nodrop
| parse field=_raw "EventID: *\r\n" as ParsedEventID nodrop
| parse field=_raw "EventCode: *\r\n" as ParsedEventCode nodrop
| eval EventID = if (!isNull(ParsedEventID), ParsedEventID, if (!isNull(ParsedEventCode), ParsedEventCode, ""))
| eval ProcessName = toLowerCase(if (!isNull(Image), Image, if (!isNull(NewProcessName), NewProcessName, "")))
| eval CmdLine = toLowerCase(if (!isNull(CommandLine), CommandLine, ""))
| eval TargetFile = toLowerCase(if (!isNull(TargetFilename), Targetfilename, ""))
| where
  (
    (ProcessName contains "certutil.exe" and (CmdLine contains "-urlcache" or CmdLine contains "-decode" or CmdLine contains "-decodehex" or CmdLine contains "-verifyctl"))
    or
    (ProcessName contains "bitsadmin.exe" and (CmdLine contains "/transfer" or CmdLine contains "/addfile" or CmdLine contains "/setnotifycmdline"))
    or
    (
      (ProcessName contains "powershell.exe" or ProcessName contains "pwsh.exe" or ProcessName contains "wscript.exe" or ProcessName contains "cscript.exe")
      and (CmdLine contains "invoke-webrequest" or CmdLine contains "net.webclient" or CmdLine contains "downloadfile" or CmdLine contains "downloaddata" or CmdLine contains "start-bitstransfer" or CmdLine contains "webclient" or CmdLine contains "httpclient" or CmdLine contains "webrequest.create")
      and (CmdLine contains "http://" or CmdLine contains "https://")
    )
    or
    (
      (ProcessName contains "curl.exe" or ProcessName contains "wget.exe")
      and (CmdLine contains "http://" or CmdLine contains "https://")
    )
    or
    (
      (ProcessName contains "desktopimgdownldr.exe" or ProcessName contains "esentutl.exe" or ProcessName contains "expand.exe" or ProcessName contains "extrac32.exe" or ProcessName contains "finger.exe" or ProcessName contains "ftp.exe" or ProcessName contains "ieexec.exe" or ProcessName contains "mshta.exe" or ProcessName contains "xcopy.exe")
      and (CmdLine contains "http://" or CmdLine contains "https://" or CmdLine contains "ftp://")
    )
    or
    (
      (EventID = "11" or EventID = "4663")
      and (TargetFile contains "\\temp\\" or TargetFile contains "\\appdata\\" or TargetFile contains "\\programdata\\" or TargetFile contains "\\users\\public\\" or TargetFile contains "\\windows\\temp\\")
      and (TargetFile matches "*.exe" or TargetFile matches "*.dll" or TargetFile matches "*.ps1" or TargetFile matches "*.vbs" or TargetFile matches "*.bat" or TargetFile matches "*.hta" or TargetFile matches "*.scr" or TargetFile matches "*.msi")
      and (ProcessName contains "certutil.exe" or ProcessName contains "bitsadmin.exe" or ProcessName contains "powershell.exe" or ProcessName contains "pwsh.exe" or ProcessName contains "curl.exe" or ProcessName contains "wget.exe" or ProcessName contains "mshta.exe" or ProcessName contains "wscript.exe" or ProcessName contains "cscript.exe")
    )
  )
| eval DetectionType = if (ProcessName contains "certutil.exe" and (CmdLine contains "-urlcache" or CmdLine contains "-decode"), "certutil_download",
    if (ProcessName contains "bitsadmin.exe" and (CmdLine contains "/transfer" or CmdLine contains "/addfile"), "bitsadmin_download",
    if ((ProcessName contains "powershell.exe" or ProcessName contains "pwsh.exe") and (CmdLine contains "invoke-webrequest" or CmdLine contains "downloadfile" or CmdLine contains "net.webclient" or CmdLine contains "start-bitstransfer"), "ps_download_cradle",
    if ((ProcessName contains "curl.exe" or ProcessName contains "wget.exe"), "curl_wget_download",
    if ((EventID = "11"), "exec_dropped_temp", "lolbin_download")))))
| fields _messageTime, _sourceHost, EventID, ProcessName, CmdLine, TargetFile, DetectionType
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Windows Source (Windows Event Log collector) with Event 4688 and command line auditing enabled Sysmon logs forwarded via Sumo Logic Windows Event Source — EventID 1 (Process Create) and EventID 11 (File Create) Sumo Logic Installed Collector on Windows endpoints forwarding Security and Microsoft-Windows-Sysmon/Operational channels

Required Tables

_sourceCategory matching *Windows*, *Sysmon*, or *wineventlog* Sysmon EventID 1 for process creation with command line Sysmon EventID 11 for file creation events Windows Security Event 4688 with Process Command Line auditing policy enabled

False Positives

Software distribution tools such as SCCM client or WinGet invoking certutil for package verification or bitsadmin for background downloads from Microsoft Update servers or internal WSUS/MECM distribution points
Security scanning or vulnerability assessment tools that use PowerShell WebClient methods to check for agent updates or download scanner signatures — particularly common for Tenable, Qualys, and Rapid7 agents at startup
DevOps tooling on developer machines where PowerShell profile scripts or IDE extensions use Invoke-WebRequest to fetch project templates, nuget packages, or SDK components from public package registries

Google Chronicle / SecOps

yaral

rule t1105_ingress_tool_transfer {
  meta:
    author = "df00tech"
    description = "Detects ingress tool transfer via LOLBin download utilities, PowerShell download cradles, and executables dropped in suspicious temporary paths by known download utilities. Covers certutil, bitsadmin, BITS, PowerShell WebClient methods, curl, wget, mshta, wscript, and related LOLBins."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1105"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1105/"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"
    yara_version = "YL2.0"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and
      (
        (
          re.regex($e.target.process.file.full_path, `(?i)(certutil|bitsadmin|mshta|desktopimgdownldr|esentutl|expand|extrac32|finger|ftp|ieexec|wscript|xcopy)\.exe$`)
          and re.regex($e.target.process.command_line, `(?i)(https?://|ftp://)`)
        )
        or
        (
          re.regex($e.target.process.file.full_path, `(?i)certutil\.exe$`)
          and re.regex($e.target.process.command_line, `(?i)(-urlcache|-decode|-decodehex|-verifyctl)`)
        )
        or
        (
          re.regex($e.target.process.file.full_path, `(?i)bitsadmin\.exe$`)
          and re.regex($e.target.process.command_line, `(?i)(/transfer|/addfile|/setnotifycmdline)`)
        )
        or
        (
          re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh|wscript|cscript)\.exe$`)
          and re.regex($e.target.process.command_line, `(?i)(invoke-webrequest|net\.webclient|downloadfile|downloaddata|downloadstring|start-bitstransfer|webclient|httpclient|webrequest\.create|openread)`)
          and re.regex($e.target.process.command_line, `(?i)https?://`)
        )
        or
        (
          re.regex($e.target.process.file.full_path, `(?i)(curl|wget)\.exe$`)
          and re.regex($e.target.process.command_line, `(?i)https?://`)
        )
      )
    )
    or
    (
      $e.metadata.event_type = "FILE_CREATION"
      and re.regex($e.target.file.full_path, `(?i)(\\temp\\|\\appdata\\local\\temp\\|\\appdata\\roaming\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\)`)
      and re.regex($e.target.file.full_path, `(?i)\.(exe|dll|ps1|vbs|bat|cmd|hta|scr|bin|msi)$`)
      and re.regex($e.principal.process.file.full_path, `(?i)(certutil|bitsadmin|powershell|pwsh|curl|wget|mshta|wscript|cscript)\.exe$`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle ingestion from Windows endpoints via Google Chronicle agent or Bindplane Sysmon logs forwarded to Chronicle — EventID 1 (PROCESS_LAUNCH) and EventID 11 (FILE_CREATION) normalized to UDM Microsoft Defender for Endpoint logs ingested into Chronicle via the MDE Chronicle connector

Required Tables

UDM event type PROCESS_LAUNCH (mapped from Sysmon EventID 1 or Windows Security 4688) UDM event type FILE_CREATION (mapped from Sysmon EventID 11) UDM fields: target.process.file.full_path, target.process.command_line, target.file.full_path, principal.process.file.full_path

False Positives

Legitimate enterprise software deployment — SCCM, Intune, or Ansible calling certutil for certificate operations or bitsadmin for background transfer of approved software packages from internal HTTPS endpoints
Security tooling self-updates where agents such as Splunk UF, Elastic Agent, or CrowdStrike Falcon use PowerShell or curl to pull updated configurations or signatures from vendor cloud infrastructure
Software development workflows on engineer workstations where build tools, language package managers, or IDE plugins use PowerShell WebClient or curl to fetch dependencies from npm, PyPI, or NuGet registries over HTTPS

CrowdStrike LogScale (CQL)

cql

// Branch 1: LOLBin and PowerShell download activity (ProcessRollup2)
(
  #event_simpleName = ProcessRollup2
  OR #event_simpleName = SyntheticProcessRollup2
)
| case {
    FileName = /(?i)^certutil\.exe$/ AND CommandLine = /(?i)(-urlcache|-decode|-decodehex|-verifyctl)/
    | DetectionType := "certutil_download" ;

    FileName = /(?i)^bitsadmin\.exe$/ AND CommandLine = /(?i)(\/transfer|\/addfile|\/setnotifycmdline)/
    | DetectionType := "bitsadmin_download" ;

    FileName = /(?i)^(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(invoke-webrequest|net\.webclient|downloadfile|downloaddata|downloadstring|start-bitstransfer|webclient|httpclient|webrequest\.create)/ AND CommandLine = /(?i)https?:\/\//
    | DetectionType := "ps_download_cradle" ;

    FileName = /(?i)^(curl|wget)\.exe$/ AND CommandLine = /(?i)https?:\/\//
    | DetectionType := "curl_wget_download" ;

    FileName = /(?i)^(wscript|cscript)\.exe$/ AND CommandLine = /(?i)(https?:\/\/|ftp:\/\/)/
    | DetectionType := "wscript_download" ;

    FileName = /(?i)^(desktopimgdownldr|esentutl|expand|extrac32|finger|ftp|ieexec|mshta|xcopy)\.exe$/ AND CommandLine = /(?i)(https?:\/\/|ftp:\/\/)/
    | DetectionType := "lolbin_download" ;

    *
    | drop()
  }
| table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionType])
| sort(field=_time, order=desc)

// Branch 2: Executable files written to suspicious paths by download utilities (PeFileWritten)
// Run separately and union with Branch 1 results as needed
// #event_simpleName = PeFileWritten OR #event_simpleName = SuspiciousWriteOfExecutable
// | TargetFileName = /(?i)(\\temp\\|\\appdata\\|\\programdata\\|\\users\\public\\)/
// | TargetFileName = /(?i)\.(exe|dll|ps1|vbs|bat|hta|scr|msi)$/
// | ImageFileName = /(?i)(certutil|bitsadmin|powershell|pwsh|curl|wget|mshta|wscript|cscript)\.exe$/
// | table([_time, ComputerName, UserName, ImageFileName, TargetFileName])

high severity high confidence

Data Sources

CrowdStrike Falcon sensor (ProcessRollup2, SyntheticProcessRollup2 event types) — requires Falcon Insight EDR Falcon sensor telemetry for file write events (PeFileWritten, SuspiciousWriteOfExecutable) for the file drop branch LogScale (Humio) SIEM with Falcon Insight data connector configured

Required Tables

#event_simpleName = ProcessRollup2 (Falcon process execution telemetry) #event_simpleName = SyntheticProcessRollup2 (synthetic process events) #event_simpleName = PeFileWritten (PE file creation events — for file drop branch) Falcon fields: FileName, CommandLine, ComputerName, UserName, ParentBaseFileName, ImageFileName, TargetFileName

False Positives

Falcon sensor itself and CrowdStrike update infrastructure may trigger on certutil or bitsadmin if the endpoint's existing software deployment tooling uses these utilities to stage approved installers during patch cycles
Software development tools on engineer endpoints — particularly .NET SDK, NuGet CLI, or PowerShell module installation scripts that call Invoke-WebRequest or DownloadFile to fetch packages from public registries such as PowerShell Gallery or NuGet.org
Remote monitoring and management (RMM) tools such as ConnectWise Automate, Kaseya VSA, or Datto RMM that use PowerShell scripts with WebClient or BITS transfer to deploy scripts and agents to managed endpoints — activity that may appear identical to adversarial download cradles

Last updated: 2026-04-17 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1105 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Ingress Tool Transfer

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Command and Control

Popular Detections