T1105 Defined ATT&CK T1105 ↗

Ingress Tool Transfer

Process Create File — Transfer an attacker-controlled file from an external source to a target system under attacker control.

Ontological Definition

ActorProcess

→

ActionCreate

→

ArtifactFile

Detect

STP 3

No entity field is fully attacker-invariant. The best achievable detection targets unexpected executables written to disk from a network-facing process, using variable victim-side fields and requiring behavioural baselining — inherently STP 3.

Gate on

activity_id = Create

Detect file writes to sensitive locations where the writing process is a network-facing application. Combine file.path destination with process ancestry. Correlate with subsequent execution of the transferred file.

Mitigate

STP 3

Egress/ingress filtering on protocols addresses specific mediums (STP 3). Application control preventing execution of newly-arrived files is a complementary STP 5 control.

D3FEND controls

d3f:NetworkTrafficFiltering

No STP 5 mitigation exists. Detection is the primary defensive lever.

Application allowlisting preventing execution of files written to user-writable locations is the highest-STP control — it acts on the downstream effect of the transfer.

Respond

Created

A new artifact was created and may persist beyond this session. Delete it immediately. Check for related persistence entries, scheduled tasks, and outbound callbacks originating from it.

Attacker foothold

Transfer Processactor.process

C2 / Staging Serversrc_endpoint

Transferred Filefile

D3FEND response actions

d3f:ProcessTerminationd3f:FileEvictiond3f:NetworkIsolation

OCSF event model▼

Event class: Network File Activity (1008) · activity_id: Create

attacker-controlledpost-successvictimtainted

%%{init: {"theme": "dark", "themeVariables": {"edgeLabelBackground": "#18181b", "lineColor": "#52525b"}}}%%
graph TD
  classDef attacker fill:#7c2d12,stroke:#ea580c,color:#fed7aa
  classDef victim fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
  classDef postSuccess fill:#78350f,stroke:#d97706,color:#fde68a
  classDef tainted fill:#18181b,stroke:#52525b,color:#a1a1aa

  EVENT(["Network File Activity\n· Create"])

  actor_process["Transfer Process\nactor.process\nd3f:Process"]:::attacker
  src_endpoint["C2 / Staging Server\nsrc_endpoint\nd3f:Host"]:::attacker
  transferred_file["Transferred File\nfile\nd3f:ExecutableFile"]:::attacker
  device["Host\ndevice\nd3f:Host\n⚠ tainted"]:::tainted

  EVENT --> actor_process
  EVENT --> src_endpoint
  EVENT --> transferred_file
  EVENT --> device

  actor_process -.->|"creates"| transferred_file

Transfer Process

actor.process·d3f:Process

attacker-controlled

actor.process.file.path attacker_controlled Transfer tool binary — Execution Medium, attacker-chosen

Countermeasures

d3f:ProcessTermination

C2 / Staging Server

src_endpoint·d3f:Host

attacker-controlled

src_endpoint.ip attacker_controlled Source IP — attacker-controlled, rotated per campaign

Countermeasures

d3f:NetworkTrafficFiltering

Transferred File

file·d3f:ExecutableFile

attacker-controlled

`file.path`	attacker_controlled	Destination path — attacker-chosen within writable locations
`file.hash`	attacker_controlled	File hash — attacker-controlled, changes with each build
`file.name`	attacker_controlled	File name — attacker-chosen, trivially renamed

Countermeasures

d3f:FileEviction

Host

device·d3f:Host

tainted

Countermeasures

d3f:NetworkIsolation

Definitional Sigma rule▼

Broad by design — defines the technique, not an operational alert. Gate on variable or attacker-controlled field conditions to narrow for production use.

title: Ingress Tool Transfer (T1105)
status: experimental
description: >
  Definitional rule — broad by design. Defines the technique independent of
  medium, tool, or attacker-controlled variables. Narrow with variable and
  attacker-controlled field conditions for operational use.
logsource:
  product: ocsf
  category: Network File Activity (1008)
detection:
  selection:
    activity_id: 'Create'
  condition: selection

title: Ingress Tool Transfer (T1105) — native Sigma
status: experimental
description: >
  Generated from OCSF definitional rule. Broad by design — defines the technique,
  not an operational alert. Targets standard Windows/Sysmon telemetry.
logsource:
  product: windows
  category: file_event
detection:
  # Maps to file creation (Sysmon EventID 11). Source network context (protocol, remote IP) requires correlating with network_connection events (EventID 3).
  # All events of this logsource type match the technique definition.
  # Add variable or attacker-controlled field conditions to narrow for operational use.
  filter_all: '*'
  condition: filter_all

Execution Medium–scoped detectionSTP 3 ceiling▼

Sample rules — not canonical definitions. Each constrains detection to a specific Execution Medium and has a hard STP 3 ceiling. The attacker switches Execution Medium; the rule misses. Compare with the definitional rule above.

STP 3

Gating on known download-tool names (curl, wget, Invoke-WebRequest) has a hard STP 3 ceiling. Evaded by using a custom binary, renaming the tool, or switching to SMB, FTP, or any other transfer Execution Medium.

title: Ingress Tool Transfer — HTTP/HTTPS medium (sample)
status: experimental
description: >
  Sample — STP 3 ceiling. Detects file creation by common download utilities
  over HTTP or HTTPS. Evaded by using a custom binary or switching to any other
  Execution Medium.
logsource:
  product: ocsf
  category: Network File Activity (1008)
detection:
  selection:
    activity_id: 'Create'
    protocol_name:
      - 'HTTP'
      - 'HTTPS'
    actor.process.file.name:
      - 'curl.exe'
      - 'wget.exe'
      - 'powershell.exe'
      - 'certutil.exe'
      - 'bitsadmin.exe'
  condition: selection

STP 3

File creation via inbound SMB from an external source is detectable by protocol and source CIDR, but has a hard STP 3 ceiling. Evaded by switching to HTTP, FTP, DNS tunneling, or any other Execution Medium.

title: Ingress Tool Transfer — SMB medium (sample)
status: experimental
description: >
  Sample — STP 3 ceiling. Detects file creation received over SMB from a
  non-RFC-1918 source. Evaded by switching to HTTP, FTP, or any other Execution Medium.
logsource:
  product: ocsf
  category: Network File Activity (1008)
detection:
  selection:
    activity_id: 'Create'
    protocol_name: 'SMB'
  filter_internal:
    src_endpoint.ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter_internal

STP 3

DNS-tunneled transfers produce anomalous query volumes but no file-creation event in standard DNS logs. Detection is heuristic-based (query volume per destination) rather than event-based, which is inherently STP 3. Covers TXT (most tools), CNAME (dnscat2), and NULL (iodine). A records intentionally excluded — too broad for production use.

title: Ingress Tool Transfer — DNS tunneling medium (sample)
status: experimental
description: >
  Sample — STP 3 ceiling. Heuristic rule detecting high-volume DNS queries using
  record types commonly used for tunneling (TXT, CNAME, NULL). Not an event-based
  rule; evaded by spreading queries, using A records, or switching protocol.
  A records intentionally excluded due to false-positive volume.
logsource:
  product: ocsf
  category: DNS Activity (4003)
detection:
  selection:
    activity_id: 'Query'
    query.type:
      - 'TXT'
      - 'CNAME'
      - 'NULL'
  timeframe: 5m
  condition: selection | count(query.hostname) by dst_endpoint.ip > 100

Seen in the wild1report▼

FSB's Matryoshka 2/3: GammaLoad ↗

Sekoia.io·2026-06-03

GammaLoad downloads an AES-encrypted payload from GitHub via bitsadmin.exe and writes it to an NTFS Alternate Data Stream — tool staging as a prerequisite to the persistence technique.