DET0060: Detect Ingress Tool Transfers via Behavioral Chain
Analyst context for executives and security teams
This detection strategy is meant to help identify when an adversary brings tools or files from outside into a compromised environment, as represented by ATT&CK technique T1105, Ingress Tool Transfer. For leaders, the value is not just spotting a file download; it is confirming whether the SOC can connect a behavioral chain that may indicate an intruder is staging capability for follow-on actions. Because the ATT&CK object does not include official detection logic, teams should treat this as a validation prompt rather than a ready-to-deploy analytic.
Executive priority
Prioritize this as a control-assurance question: can the organization show evidence when new tools or files enter sensitive enterprise systems from external sources or command-and-control channels? This matters for incident response speed, containment decisions, audit evidence around monitoring, and resilience of Linux, macOS, ESXi, and network-device environments referenced by the related technique. Budget and control discussions should focus on telemetry availability, cross-system correlation, and gaps in non-Windows or infrastructure-device monitoring.
Technical view
The only explicit relationship is that DET0060 detects T1105, Ingress Tool Transfer, under command-and-control. SOC and detection teams should validate whether they can correlate externally sourced file transfer activity with surrounding behaviors such as suspicious network sessions, file creation or modification, process execution, and activity on platforms named in the related technique: ESXi, Linux, macOS, and network devices. Since no official detection text or platforms are specified for the detection strategy itself, any implementation should be locally defined, tested, and documented.
Likely telemetry
- Network connection and flow logs showing external inbound or outbound transfer paths
- Proxy, web gateway, FTP, and other protocol logs where available
- Endpoint file creation, modification, and execution telemetry
- Process execution telemetry around newly transferred files
- Command-and-control related network indicators or session metadata
Detection direction
- Validate correlation across network transfer evidence, file-write events, and subsequent execution or staging behavior rather than relying on single download events alone.
- Review blind spots in ESXi, Linux, macOS, and network-device logging, since these are the platforms supplied by the related technique.
- Tune for expected administrative software distribution, patching, backup, and automation workflows to reduce false positives.
- Use the relationship to T1105 to map this strategy into command-and-control detection coverage and incident triage playbooks.
- Document what telemetry is missing; the ATT&CK object provides no official detection logic, so coverage claims require local evidence.
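The behavioral-chain idea in the bullets above (external transfer, then a file write of the transferred content, then execution of that file, all on one host inside a short window, with approved distribution tooling tuned out) can be shown as a small correlation routine. The following Python is an added example written for this page; it is not part of the DET0060 object and not MITRE-supplied detection logic. The normalized event schema, hostnames, IP addresses, file paths, the internal network ranges, and the allow-list of approved package managers are all constructed assumptions.

```python
"""Behavioral-chain correlation for ingress tool transfer (ATT&CK T1105).

Added example; not the DET0060 object's logic. Schema, hosts, IPs, paths
and allow-list below are constructed assumptions for illustration.
"""
import ipaddress
from datetime import datetime, timedelta

# Maximum spacing between consecutive steps of the chain (assumption).
CHAIN_WINDOW = timedelta(minutes=10)

# Ranges treated as internal; anything else counts as an external source (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Approved patching/distribution processes whose transfers are expected (assumption).
APPROVED_TRANSFER_PROCESSES = {"apt-get", "apt", "dnf", "yum"}

# Constructed sample telemetry, already normalized into one dict per event.
SAMPLE_EVENTS = [
    # lnx-web01: curl pulls a file from outside, writes it under /tmp, it runs.
    {"ts": "2026-01-10T09:00:00", "host": "lnx-web01", "type": "network",
     "process": "curl", "dest_ip": "203.0.113.10", "bytes_in": 524288},
    {"ts": "2026-01-10T09:00:02", "host": "lnx-web01", "type": "file_create",
     "process": "curl", "path": "/tmp/.x/update"},
    {"ts": "2026-01-10T09:00:30", "host": "lnx-web01", "type": "process_exec",
     "process": "update", "path": "/tmp/.x/update", "parent": "bash"},
    # lnx-db02: apt-get fetches a package and dpkg runs its maintainer script.
    {"ts": "2026-01-10T09:05:00", "host": "lnx-db02", "type": "network",
     "process": "apt-get", "dest_ip": "203.0.113.20", "bytes_in": 2097152},
    {"ts": "2026-01-10T09:05:03", "host": "lnx-db02", "type": "file_create",
     "process": "apt-get", "path": "/var/lib/dpkg/tmp.ci/preinst"},
    {"ts": "2026-01-10T09:05:04", "host": "lnx-db02", "type": "process_exec",
     "process": "preinst", "path": "/var/lib/dpkg/tmp.ci/preinst", "parent": "dpkg"},
    # lnx-app03: wget from an internal deployment server, then execution.
    {"ts": "2026-01-10T09:10:00", "host": "lnx-app03", "type": "network",
     "process": "wget", "dest_ip": "10.20.0.5", "bytes_in": 4096},
    {"ts": "2026-01-10T09:10:01", "host": "lnx-app03", "type": "file_create",
     "process": "wget", "path": "/opt/deploy/run.sh"},
    {"ts": "2026-01-10T09:10:05", "host": "lnx-app03", "type": "process_exec",
     "process": "run.sh", "path": "/opt/deploy/run.sh", "parent": "bash"},
    # lnx-jump04: an external download with no file write or execution afterwards.
    {"ts": "2026-01-10T09:20:00", "host": "lnx-jump04", "type": "network",
     "process": "curl", "dest_ip": "203.0.113.30", "bytes_in": 1024},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_external(ip):
    """True when the address falls outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def naive_download_alerts(events):
    """Single-event logic: every inbound transfer from an external address fires."""
    return [e for e in events if e["type"] == "network"
            and e.get("bytes_in", 0) > 0 and is_external(e["dest_ip"])]


def correlate_ingress_chains(events, window=CHAIN_WINDOW,
                             approved=APPROVED_TRANSFER_PROCESSES):
    """Return one alert per host/path where, in order and within `window`:
    1. a process received data from an external address,
    2. that same process created a file,
    3. that file was then executed.
    Chains whose transferring process is on the approved list are suppressed."""
    by_host = {}
    for ev in sorted(events, key=_ts):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        for ex in (e for e in evs if e["type"] == "process_exec"):
            t_exec = _ts(ex)
            # Step 2: a write of the executed path shortly before execution.
            writes = [w for w in evs if w["type"] == "file_create"
                      and w["path"] == ex["path"]
                      and t_exec - window <= _ts(w) <= t_exec]
            for w in writes:
                t_write = _ts(w)
                # Step 1: the writing process pulled data from outside just before.
                xfers = [n for n in evs if n["type"] == "network"
                         and n["process"] == w["process"]
                         and n.get("bytes_in", 0) > 0 and is_external(n["dest_ip"])
                         and t_write - window <= _ts(n) <= t_write]
                if not xfers or w["process"] in approved:
                    continue  # no external source, or an approved transfer path
                alerts.append({"host": host, "path": ex["path"],
                               "source_ip": xfers[-1]["dest_ip"],
                               "transfer_process": w["process"],
                               "exec_parent": ex.get("parent"),
                               "first_seen": xfers[-1]["ts"], "executed": ex["ts"]})
                break
    return alerts


if __name__ == "__main__":
    print("single-event download alerts:", len(naive_download_alerts(SAMPLE_EVENTS)))
    for a in correlate_ingress_chains(SAMPLE_EVENTS):
        print("chain alert:", a)
```

On the constructed sample the single-event rule fires three times (every external download), while the chain rule fires once, for the curl-to-/tmp-to-execution sequence on lnx-web01; the apt-get chain is tuned out by the allow-list, the wget chain has an internal source, and the lone download on lnx-jump04 never completes the chain. In production the same structure would be fed from the network, file, and process telemetry listed above, and the allow-list and internal ranges would come from local configuration rather than constants.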
Mitigation priorities
- Ensure approved software transfer and administration paths are defined and monitored.
- Restrict unnecessary external file transfer protocols and destinations where business processes allow.
- Improve logging and retention for file transfer, file creation, and process execution on the platforms in scope.
- Harden and monitor infrastructure and non-Windows systems that often have weaker endpoint visibility.
- Include ingress tool transfer scenarios in incident response exercises and detection validation.
Analyst notes and limits
DET0060 is a detection strategy object with no official description, detection text, tactics, or platforms specified. Its usable context comes from its name and its relationship to T1105, Ingress Tool Transfer. Treat this take as guidance for defensive validation and coverage planning, not as a MITRE-provided analytic specification.
The supplied object is sparse. It does not provide detection logic, data sources, false-positive guidance, severity, procedures, mitigations, or platform scope for the detection strategy itself. Local architecture, logging maturity, and approved transfer workflows are required to determine practical coverage.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | This object detects Ingress Tool Transfer. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 63a923689955… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0060 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.