However, we’ll start with a brief examination of non-native software that adversaries use to transfer tools—hopefully setting the stage for why native tooling is an appealing choice. Almost all command and control (C2) frameworks provide support for uploading and downloading files. Despite this, adversaries frequently choose to abuse native binaries to retrieve additional tools and payloads. There are many nuanced reasons why an adversary might choose a system binary over a C2 functionality, but it mostly boils down to blending in. For example, while it might be highly suspicious for a C2-related process to reach out to an external network address and pull down a binary, it could be completely normal for a legitimate system process to do the same.

Beyond C2 tools, it’s not unusual to see adversaries using remote monitoring and management (RMM) tools to perform ingress tool transfer. RMM software can be problematic for an adversary though, as defenders can simply block the use of tools that aren’t permitted in their environment, which is precisely why adversaries often resort to renaming such tools.

PowerShell is, by a wide margin, the system binary that we detect adversaries leveraging most frequently for ingress tool transfer.

Adversaries also often abuse certutil, a command-line utility that is used to display certification authority (CA) configuration information, configure Certificate Services, and back up and restore CA components. Adversaries most often use it to download additional payloads. It can also be leveraged to decode/encode data as well as interact with alternate data streams (ADS). Similar to certutil, certreq is also a built-in Windows binary that interacts with certificates from a Certificate Authority. It also has the ability to download and upload files which adversaries have been taking advantage of to move their tools around.

Another native system binary commonly abused by adversaries is BITSAdmin. BITSAdmin is a utility that manages BITS jobs (Windows Background Intelligent Transfer Service), primarily for the purpose of downloading Windows Updates, but adversaries use it to download arbitrary files.

The LOLBAS project is a great resource and searchable database that’s mapped to ATT&CK and documents native binaries, scripts, and libraries that adversaries abuse. You can examine a full list of binaries that are used for ingress tool transfer here.

Numerous threats reportedly perform Ingress Tool Transfer into cloud-hosted systems to download additional payloads, lateral movement scripts, and more.

Associated threats

• NetSupport Manager
• Scarlet Goldfinch
• HijackLoader
• Koi

There are countless legitimate reasons for transferring tools into an environment, making it difficult to offer one-size-fits-all advice on how defenders can mitigate ingress tool transfer. However, application control policies that limit the use of tools that adversaries commonly use for ingress tool transfer (e.g., remote management tools) may help. Given that Ingress Tool Transfer often co-occurs with PowerShell, consider reviewing and implementing the mitigation guidance included in the PowerShell section of this report. You can also consider leveraging the Windows host firewall to block outbound network connections for commonly abused LOLbins.

Note: The visibility sections in this report are mapped to MITRE ATT&CK data sources and components.

Nearly any attack involves some level of ingress tool transfer, so it’s critically important that you have the telemetry necessary to observe and detect it. Luckily, there’s no shortage of data sources offering visibility into this technique, and many of the data sources below can be drawn out of EDR and other widely available security tools.

Process monitoring

Since ingress tool transfer typically involves the use of system processes, process monitoring is among the most important data sources for detecting it. However, unless you’re looking for known malicious or banned processes, you’ll want to build your detection analytics such that process names are supplemented by command-line arguments, file modifications, DLL module loads, and network connections.

Command monitoring

As is almost always the case, command-line arguments are among the best telemetry for observing and detecting adversaries loading malicious tools into your environment, particularly when used in concert with process monitoring and other data sources. Beyond detection, command lines may also serve as a pivot point for investigation, especially in cases where something like a PowerShell or cURL command line includes URLs used to host remote content for download and execution.

Network connections

Network connection telemetry is a great source of enrichment data for detecting ingress tool transfer. While network connections offer fleeting value on their own, they’re extremely valuable in combination with process and command-line monitoring. Almost by definition, if you’re dealing with an adversary who is performing ingress tool transfer, an external network connection is happening somewhere.

File creation

Ingress Tool Transfer nearly always involves the creation of a file as adversaries move malicious tools into an environment. As such, file creation events make for a good supplementary data source for detection, albeit one that can be extremely noisy.

Note: The collection sections of this report showcase specific log sources from Windows events, Sysmon, and elsewhere that you can use to collect relevant security information.

Sysmon Event ID 1: Process creation

The process creation event offers a wealth of information that security teams can use for detection, specifically via the following fields:

• ProcessId
• ProcessGuid
• Image
• Commandline
• CurrentDirectory
• ParentProcessGuid
• ParentProcessId
• ParentCommandLine

As is the case with a commercial EDR product, we can leverage the above to identify what process executed, the process that spawned it, and the commands or arguments that executed in conjunction with it.

Sysmon Event ID 3: Network connection

Though they are disabled by default, network connection events offer a variety of log data that you can use to investigate or detect suspicious ingress tool transfers. While network connections aren’t particularly useful on their own, they’re useful in conjunction with other data, and Event ID 3 collects all of the following:

• ProcessGuid
• ProcessId
• Image
• Protocol
• SourceIP
• DestinationIP
• DestinationHostname
• DestinationPort

Sysmon Event ID 11: File create

By definition, ingress tool transfers require the creation of files, and file creation events are populated whenever a file is created or overwritten. Since processes constantly create temp files during normal activity, Event ID 11 can be incredibly noisy without thoughtful tuning. However, you can use Event ID 11 to track the file creation history of processes that adversaries frequently abuse (like those listed in the analysis section above). Consider limiting collection to oft-abused processes, directories where adversaries tend to drop malware (AppData\Temp or C:\Users\Public, for example), or specific file extension types like image files, executables, DLLs, and scripts. Event fields of interest are:

• ProcessId
• ProcessGuid
• Image
• TargetFileName

Sysmon Event ID 22: DNS event

DNS events can provide useful visibility into systems that may be communicating with C2 servers. According to Microsoft, this event will create a log whenever a process executes a DNS query, regardless of whether it succeeds or fails, cached or not. Logs from Event ID 22 offer additional network telemetry that can be incredibly useful in conjunction with the Event ID 3 logs listed above:

• ProcessGuid
• ProcessId
• QueryName
• QueryStatus
• QueryResult
• Image

Windows Security Event ID 4688: Process Creation

Process Creation (4688) events with command-line argument logging enabled is a great native source of telemetry for observing ingress tool transfer. A good understanding of baseline process relationships in your environment will help combat potential false positive alerts.

Endpoint detection and response (EDR) tools

EDR tools are perhaps the best starting point for Ingress Tool Transfer, as most of them offer rich visibility into the process starts, command lines, network connections, and file creation needed to observe relevant malicious activity.

We have 119 distinct detection analytics mapped to Ingress Tool Transfer, offering defense in depth against this technique. Some of these analytics look for high-impact, low-prevalence threats and rarely generate events, but there are a few relatively simple ones that can offer great value with little effort.

Note: These detection analytics may require tuning.

Suspicious PowerShell commands

As we explained in the analysis section, adversaries leverage PowerShell for ingress tool transfer more than any other tool. As such, monitoring for PowerShell process execution in conjunction with suspicious PowerShell commands in the command line can be a fruitful way to detect malicious ingress tool transfers. The following pseudo-analytic is derived from several Red Canary detectors that collectively triggered on hundreds of confirmed malicious, high-severity threats in 2024 alone:

If you want to test your ability to operationalize the above detection analytic, try running either of the following Atomic Red Team tests:

• T1105 atomic test #10: PowerShell Download
• T1105 atomic test #15: File Download via PowerShell

CertUtil downloading malicious binaries

Adversaries often bypass security controls by using the Windows Certificate Utility (certutil.exe) to download malicious code. In general, they leverage certutil.exe along with the -split command-line option.

If you want to test your ability to operationalize the above detection analytic, try running either of the following Atomic Red Team tests:

• T1105: atomic test #7: CertUtil download (urlcache)
• T1105 atomic test #8: CertUtil download (verifyctl)

BITSAdmin downloading malicious binaries

As we explained in the analysis section, it’s not unusual for adversaries, including ones who peddle ransomware, to use BITSAdmin to download arbitrary files from the internet in an effort to evade application blocklisting. The following analytic will look for the execution of bitsadmin.exe with command options that suggest a file is being downloaded:

If you want to test your ability to operationalize the above detection analytic, try running the following Atomic Red Team test:

• T1105 atomic test #9: BITSAdmin BITS Download

Certreq downloading malicious binaries

Just like certutil, certreq can also be abused by adversaries to download and upload data. The following analytic will look for the execution of certreq.exe with command options that suggest a file is being downloaded:

If you want to test your ability to operationalize the above detection analytic, try running the following Atomic Red Team test:

• T1105 atomic test #25: certreq download

Weeding out false positives

The majority of the telemetry patterns above can also manifest in development pipelines and system management tools. Given this, baselining is highly recommended due to the volume some data sources will provide. Additionally, you may want to do an environment audit and figure out if these potentially suspicious behaviors are being employed by any legitimate tools or people in your environment. Once you understand legitimate use cases, you can tune those out as exceptions and focus your detection efforts on seeking out behaviors that are more likely to represent malicious instances of ingress tool transfer.

Start testing your defenses against Ingress Tool Transfer using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

View atomic tests for T1105: Ingress Tool Transfer. In most environments, these should be sufficient to generate a useful signal for defenders.

Run this test on a Windows system using PowerShell:

What to expect

The above test will download a file to LICENSE.txt and display it with notepad.exe. For safety purposes, the command only downloads and displays text rather than downloading and executing executable content.

Useful telemetry will include: