Insider Threat Matrix™
  • ID: PR025
  • Created: 02nd December 2024
  • Updated: 02nd December 2024
  • Contributor: The ITM Team

File Download

The subject downloads one or more files to a system to access the file or prepare for exfiltration.

Subsections (8)

PR025.008 File Download via API or Application Integration

The subject uses APIs or integrated applications (e.g., Git clients, SaaS integrations, or custom scripts) to pull files from external systems. This includes automated retrieval from repositories, data platforms, or third-party services.

This behavior is often tied to legitimate workflows but may be repurposed to extract or stage data at scale, particularly where API access is insufficiently monitored.

PR025.001 File Download via BITS

The subject leverages the Windows Background Intelligent Transfer Service (BITS) to download files from external or internal sources. BITS is a native Windows component designed for asynchronous, throttled file transfers, commonly used by the operating system and enterprise update mechanisms. Its trusted status and ability to operate in the background make it an attractive method for covert file retrieval.

Because BITS jobs can persist across reboots, and because the transfer itself is carried out by the BITS service (hosted in svchost.exe) rather than by the process that created the job, misuse can blend with normal system activity, reducing visibility and delaying detection.

PR025.002 File Download via Browser

The subject downloads files using a web browser (e.g., Chrome, Edge, Firefox) from external or internal web resources. This is the most common and lowest-friction method of file acquisition, typically requiring no additional tooling or elevated privileges.

Browser-based downloads are often logged via proxy, CASB, or endpoint telemetry, but may still present challenges in environments with encrypted traffic or limited content inspection. This behavior is frequently associated with early-stage preparation, including retrieval of tools, scripts, or datasets from public repositories, file-sharing platforms, or personal cloud storage.
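A detector for the proxy telemetry described above, added here as an example and not code from the Insider Threat Matrix project. It assumes a constructed log layout (timestamp, user, method, URL, status, bytes, content type, then a quoted user agent), constructed host names and a host-to-category map; all of those are placeholders for what a real proxy or CASB export would provide. It also shows what is left when the traffic is an uninspected TLS tunnel: no content type or path, only a host and a byte count.

```python
"""Flag browser-initiated file downloads in web-proxy logs (PR025.002).

Added example, not code from the Insider Threat Matrix page.  The log
layout and the host category map are assumptions made for this example;
real proxy and CASB exports use their own field layouts.
"""
import re
from urllib.parse import urlparse

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)
BROWSER_UA = re.compile(r"Mozilla/5\.0 .*\b(?:Chrome|Firefox|Edg)/")

# Evidence that a response delivered a file rather than a page.
DOWNLOAD_TYPES = {
    "application/zip", "application/x-7z-compressed", "application/gzip",
    "application/octet-stream", "application/x-msdownload",
}
DOWNLOAD_EXTS = (".tar.gz", ".zip", ".7z", ".exe", ".msi", ".ps1", ".csv", ".xlsx")
LARGE_BYTES = 10 * 1024 * 1024  # size fallback when content is not inspected

# Constructed categories; a real deployment would use the proxy's URL
# categorisation feed or the CASB's sanctioned-application list.
HOST_CATEGORY = {
    "intranet.corp.example": "corporate",
    "share.example-drop.com": "file_sharing",
    "drive.example-cloud.net": "personal_cloud",
    "git.example-public.org": "public_repo",
}
SEVERITY = {"personal_cloud": "high", "file_sharing": "high",
            "public_repo": "medium", "corporate": "low"}

def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    if rec["method"] == "CONNECT":
        # TLS tunnel without interception: only host:port and byte counts exist.
        rec["host"] = rec["url"].rsplit(":", 1)[0].lower()
        rec["path"] = ""
    else:
        parsed = urlparse(rec["url"])
        rec["host"] = (parsed.hostname or "").lower()
        rec["path"] = parsed.path
    return rec

def download_reasons(rec):
    """Return the evidence that this request delivered a file (empty if none)."""
    reasons = []
    if rec["ctype"] in DOWNLOAD_TYPES:
        reasons.append("content-type " + rec["ctype"])
    path = rec["path"].lower()
    ext = next((e for e in DOWNLOAD_EXTS if path.endswith(e)), None)
    if ext:
        reasons.append("extension " + ext)
    # Encrypted, uninspected traffic: the transfer volume is all that is left.
    if rec["ctype"] == "-" and rec["bytes"] >= LARGE_BYTES:
        reasons.append("uninspected tunnel, %d bytes" % rec["bytes"])
    return reasons

def scan(lines):
    """One finding per successful browser request that looks like a download."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or not BROWSER_UA.search(rec["ua"]):
            continue  # malformed, failed, or not a browser (sync clients: PR025.004)
        reasons = download_reasons(rec)
        if not reasons:
            continue
        category = HOST_CATEGORY.get(rec["host"], "uncategorised")
        findings.append({
            "ts": rec["ts"], "user": rec["user"], "host": rec["host"],
            "category": category, "severity": SEVERITY.get(category, "medium"),
            "reasons": reasons,
        })
    return findings

# Constructed sample log lines for this example.
UA = '"Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"'
SAMPLE_LOG = [
    "2024-12-02T10:02:11Z jdoe GET https://intranet.corp.example/hr/handbook.pdf 200 482113 application/pdf " + UA,
    "2024-12-02T10:05:43Z jdoe GET https://share.example-drop.com/dl/toolkit.zip 200 5321884 application/zip " + UA,
    "2024-12-02T10:06:02Z jdoe CONNECT drive.example-cloud.net:443 200 31457280 - " + UA,
    "2024-12-02T10:07:15Z asmith GET https://git.example-public.org/org/repo/archive/main.tar.gz 200 92114 application/gzip " + UA,
    "2024-12-02T10:08:30Z jdoe GET https://www.example-news.com/index.html 200 40211 text/html " + UA,
    '2024-12-02T10:09:01Z svc-sync GET https://share.example-drop.com/dl/batch.zip 200 9000000 application/zip "rclone/v1.65"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["user"], f["host"], f["category"], "; ".join(f["reasons"]))
```

Run against the constructed lines, scan flags the archive pulled from the file-sharing host and the 30 MiB CONNECT tunnel to the personal cloud host as high, and the public-repository archive as medium; the intranet PDF and the HTML page produce no finding, and the rclone line is skipped because it is not a browser. The tunnel case is the one to keep in mind: without TLS inspection the detector degrades to host reputation plus byte count, which is exactly the gap the paragraph above describes.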

PR025.004 File Download via Cloud Storage Synchronization

The subject retrieves files by syncing with cloud storage platforms such as OneDrive, Google Drive, or Dropbox. Files may be selectively synced or fully mirrored to the endpoint.

This method blends with legitimate enterprise workflows and may evade traditional download detection mechanisms, especially where cloud services are sanctioned. It also enables large-scale or continuous ingestion of data with minimal user interaction.

PR025.003 File Download via Command-Line Utilities

The subject uses command-line tools such as curl, wget, or PowerShell (Invoke-WebRequest, Invoke-RestMethod) to retrieve files directly from remote sources. This method enables automation, scripting, and execution without user interface interaction.

Command-line downloads can indicate a higher level of intent or technical capability than browser use, and they bypass controls that apply only to browser downloads. They are commonly used to retrieve payloads, stage tooling, or integrate downloads into scripted workflows.
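The command-line tools named here and the BITS tools under PR025.001 leave the same kind of trace: a process-creation event whose command line carries a remote URL and, usually, a local destination. The following detector is added as an example for both subsections and is not code from the Insider Threat Matrix project. It assumes events normalised to dicts with 'user', 'image' and 'cmdline' fields (as a Sysmon or EDR process-creation record would be), a constructed list of sanctioned download hosts, and constructed sample events; the tool patterns are for bitsadmin, Start-BitsTransfer, curl, wget, Invoke-WebRequest and Invoke-RestMethod.

```python
"""Flag command-line and BITS downloads in process-creation telemetry.

Added example, not code from the Insider Threat Matrix page.  It covers
the tools named under PR025.001 (bitsadmin, Start-BitsTransfer) and
PR025.003 (curl, wget, Invoke-WebRequest, Invoke-RestMethod).  The event
shape (dicts with 'user', 'image', 'cmdline') and the sanctioned-host
list are assumptions made for this example.
"""
import re
from urllib.parse import urlparse

# Hosts the organisation expects downloads from (assumption for the example).
SANCTIONED_HOSTS = {"updates.corp.example", "artifacts.corp.example"}

URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)

# (technique, tool, regex that identifies the tool on the command line,
#  regex whose group 1 captures the local destination path)
TOOLS = [
    ("PR025.001", "bitsadmin",
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*?/(?:transfer|addfile)\b", re.I),
     re.compile(r"(?:https?|ftp)://\S+\s+(\S+)", re.I)),  # token after the URL
    ("PR025.001", "Start-BitsTransfer",
     re.compile(r"\bStart-BitsTransfer\b", re.I),
     re.compile(r"-Destination\s+['\"]?([^'\"\s]+)", re.I)),
    ("PR025.003", "curl",
     re.compile(r"(?:^|[\\/\s])curl(?:\.exe)?\b", re.I),
     re.compile(r"\s(?:-o|--output)\s+['\"]?([^'\"\s]+)")),  # case matters: -O keeps the remote name
    ("PR025.003", "wget",
     re.compile(r"(?:^|[\\/\s])wget(?:\.exe)?\b", re.I),
     re.compile(r"\s(?:-O|--output-document[= ])\s*['\"]?([^'\"\s]+)")),
    ("PR025.003", "Invoke-WebRequest",
     re.compile(r"\b(?:Invoke-WebRequest|iwr)\b", re.I),
     re.compile(r"-OutFile\s+['\"]?([^'\"\s]+)", re.I)),
    ("PR025.003", "Invoke-RestMethod",
     re.compile(r"\b(?:Invoke-RestMethod|irm)\b", re.I),
     re.compile(r"-OutFile\s+['\"]?([^'\"\s]+)", re.I)),
]

def analyse(event):
    """Return a finding for a download-tool invocation, or None."""
    cmd = event.get("cmdline", "")
    for technique, tool, tool_re, dest_re in TOOLS:
        if not tool_re.search(cmd):
            continue
        url_match = URL_RE.search(cmd)
        if url_match is None:
            continue  # tool present but no remote URL, e.g. 'curl --version'
        url = url_match.group(0)
        host = (urlparse(url).hostname or "").lower()
        dest = dest_re.search(cmd)
        return {
            "technique": technique,
            "tool": tool,
            "user": event.get("user"),
            "url": url,
            "host": host,
            "sanctioned": host in SANCTIONED_HOSTS,
            "destination": dest.group(1) if dest else None,
        }
    return None

def scan(events):
    """All download-tool findings, in event order."""
    return [f for f in map(analyse, events) if f is not None]

def unsanctioned(events):
    """Findings whose source host is not on the expected-download list."""
    return [f for f in scan(events) if not f["sanctioned"]]

# Constructed sample events for this example.
SAMPLE_EVENTS = [
    {"user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer upd /download /priority normal "
                "https://files.example.net/tool.zip C:\\Users\\jdoe\\AppData\\Local\\Temp\\tool.zip"},
    {"user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl -s -o C:\\Users\\jdoe\\Downloads\\export.csv https://share.example.org/d/export.csv"},
    {"user": "CORP\\svc-patch", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Invoke-WebRequest -Uri "
                "https://updates.corp.example/agent.msi -OutFile C:\\Temp\\agent.msi"},
    {"user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl --version"},
    {"user": "CORP\\asmith", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -Command \"Start-BitsTransfer -Source https://files.example.net/data.7z "
                "-Destination D:\\stage\\data.7z\""},
    {"user": "CORP\\jdoe", "image": "C:\\Windows\\notepad.exe", "cmdline": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for f in unsanctioned(SAMPLE_EVENTS):
        print(f["technique"], f["tool"], f["user"], f["url"], "->", f["destination"])
```

On the constructed events, unsanctioned returns the bitsadmin, curl and Start-BitsTransfer invocations with their destination paths, while the patch-service Invoke-WebRequest to a sanctioned host is kept as a finding but not escalated, and the bare curl --version produces nothing. Two caveats follow from the BITS description above: the process record only shows the client that queued the job, because the bytes are fetched later by the BITS service inside svchost.exe, so pair this with the job-created and job-completed entries in the Microsoft-Windows-Bits-Client/Operational event log; and PowerShell passed through -EncodedCommand must be base64-decoded before matching, since these patterns only see plain text.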

PR025.005 File Download via Email

The subject retrieves files from email systems, typically via attachments or embedded download links within corporate or personal email accounts. This includes access through thick clients (e.g., Outlook) or webmail interfaces.

Email-based file retrieval is a common and low-friction method for introducing external content into the environment. Attachments may originate from external senders, personal accounts, or previously staged communications.

PR025.006 File Download via Messaging Platforms

The subject retrieves files from enterprise or consumer messaging platforms such as Teams, Slack, or other collaboration tools. Files may be shared directly in chats, channels, or through integrated file storage components.

Messaging platforms often operate as semi-trusted environments, particularly when enterprise-approved, allowing file transfers to blend with legitimate collaboration. Where personal or unsanctioned messaging platforms are used, visibility may be significantly reduced or absent.

PR025.007 File Download via Remote Access or Transfer Tools

The subject downloads files through remote session tools or file transfer mechanisms such as RDP drive mapping, SCP, SFTP, or remote desktop clipboard/file transfer features.