T1608 Stage Capabilities Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let LookbackPeriod = 1d;
let SuspiciousStagingDomains = dynamic([
    "pastebin.com", "paste.ee", "pastecode.io", "pasteio.com",
    "transfer.sh", "filebin.net", "gofile.io", "temp.sh", "anonfiles.com",
    "raw.githubusercontent.com", "gist.githubusercontent.com",
    "dl.dropboxusercontent.com", "cdn.discordapp.com",
    "storage.googleapis.com", "s3.amazonaws.com"
]);
let ExecutableExtensions = dynamic(["exe", "dll", "ps1", "vbs", "hta", "bat", "cmd", "msi", "jar", "bin", "scr", "pif"]);
let LolBins = dynamic([
    "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe",
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe"
]);
DeviceNetworkEvents
| where TimeGenerated >= ago(LookbackPeriod)
| where ActionType in ("ConnectionSuccess", "HttpConnectionInspected")
| extend ParsedUrl = parse_url(RemoteUrl)
| extend HostDomain = tostring(ParsedUrl["Host"])
| extend FilePath = tostring(ParsedUrl["Path"])
| extend FileExt = tolower(extract(@"\.([a-zA-Z0-9]{2,4})(?:\?|#|$)", 1, FilePath))
| where HostDomain has_any (SuspiciousStagingDomains)
    and FileExt in (ExecutableExtensions)
| join kind=leftouter (
    DeviceFileEvents
    | where TimeGenerated >= ago(LookbackPeriod)
    | where ActionType == "FileCreated"
    | project DeviceId, FileCreatedTime = TimeGenerated, FileName, FolderPath,
        SHA256, FileSize, FileInitiatingProcessId = InitiatingProcessId
) on DeviceId, $left.InitiatingProcessId == $right.FileInitiatingProcessId
| extend RiskScore = case(
    HostDomain has "pastebin", 85,
    HostDomain has "paste", 80,
    HostDomain has "transfer.sh", 85,
    HostDomain has "anonfiles", 90,
    HostDomain has "gofile", 75,
    HostDomain has "temp.sh", 80,
    HostDomain has "discordapp", 60,
    HostDomain has "dropbox", 50,
    HostDomain has "raw.githubusercontent", 45,
    HostDomain has "storage.googleapis", 55,
    HostDomain has "s3.amazonaws", 50,
    55
)
| extend LolBinUsed = iff(InitiatingProcessFileName in~ (LolBins), true, false)
| extend AdjustedRisk = RiskScore + iff(LolBinUsed, 15, 0)
| where AdjustedRisk >= 45
| project TimeGenerated, DeviceName, DeviceId,
    StagingDomain = HostDomain,
    RemoteUrl, RemoteIP, FileExt,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessAccountName, InitiatingProcessAccountDomain,
    DroppedFile = FileName, DroppedFilePath = FolderPath, SHA256,
    LolBinUsed, AdjustedRisk
| order by AdjustedRisk desc, TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceFileEvents

False Positives

Developers legitimately downloading build artifacts, scripts, or tools from GitHub raw content or cloud storage during CI/CD workflows
IT administrators using certutil or curl to download approved software packages from cloud storage buckets
Security researchers or red teamers running authorized testing from internal systems that happen to pull tools from public staging platforms
Automated deployment pipelines or configuration management tools (Ansible, Chef, Puppet) that fetch scripts from blob storage

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="stream:http" OR sourcetype="proxy")
| eval staging_check=case(
    match(coalesce(dest_hostname, DestinationHostname, cs-host), "pastebin\.com|paste\.ee|pastecode\.io|pasteio\.com"), "pastebin",
    match(coalesce(dest_hostname, DestinationHostname, cs-host), "transfer\.sh|filebin\.net|gofile\.io|temp\.sh|anonfiles\.com"), "file-transfer",
    match(coalesce(dest_hostname, DestinationHostname, cs-host), "raw\.githubusercontent\.com|gist\.githubusercontent\.com"), "github-raw",
    match(coalesce(dest_hostname, DestinationHostname, cs-host), "cdn\.discordapp\.com"), "discord-cdn",
    match(coalesce(dest_hostname, DestinationHostname, cs-host), "dl\.dropboxusercontent\.com"), "dropbox-cdn",
    match(coalesce(dest_hostname, DestinationHostname, cs-host), "storage\.googleapis\.com|s3\.amazonaws\.com"), "cloud-storage",
    1=1, null()
  )
| where isnotnull(staging_check)
| eval request_path=coalesce(uri_path, cs-uri-stem, Uri, url)
| eval file_ext=lower(replace(mvindex(split(mvindex(split(request_path, "."), -1), "?"), 0), "[^a-z0-9]", ""))
| where match(file_ext, "^(exe|dll|ps1|vbs|hta|bat|cmd|msi|jar|bin|scr|pif)$")
| eval lolbin_used=if(match(lower(coalesce(process, Image, ParentImage, "")), "certutil|bitsadmin|curl|wget|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|msiexec"), 1, 0)
| eval risk_score=case(
    staging_check="pastebin", 85,
    staging_check="file-transfer", 80,
    staging_check="discord-cdn", 60,
    staging_check="github-raw", 45,
    staging_check="dropbox-cdn", 50,
    staging_check="cloud-storage", 55,
    1=1, 40
  )
| eval adjusted_risk=risk_score + if(lolbin_used=1, 15, 0)
| where adjusted_risk >= 45
| eval src_host=coalesce(src_hostname, ComputerName, host)
| eval initiating_process=coalesce(process, Image, ParentImage)
| eval connection_url=coalesce(request_path, url, Uri)
| stats count as hit_count,
    values(connection_url) as staged_urls,
    values(initiating_process) as processes,
    max(adjusted_risk) as max_risk,
    earliest(_time) as first_seen,
    latest(_time) as last_seen
    by src_host, staging_check, file_ext, lolbin_used
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
    last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -max_risk
| table first_seen, last_seen, src_host, staging_check, file_ext, staged_urls, processes, lolbin_used, max_risk, hit_count

high severity medium confidence

Data Sources

Sysmon Web Proxy Stream HTTP

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational stream:http proxy

False Positives

Development teams pulling build scripts or compiled artifacts from GitHub raw content as part of automated pipelines
IT operations downloading approved utilities from internal or vendor-managed S3/GCS buckets during provisioning
Security awareness platforms or sandbox environments intentionally downloading malware samples for analysis
Package managers (pip, npm, cargo) that route through cloud storage CDNs for dependency delivery

Elastic Security (EQL)

eql

any where process.name : ("curl", "wget", "powershell.exe", "certutil.exe", "bitsadmin.exe") and (process.command_line : ("*.bin", "*.exe", "*.dll", "*.ps1", "*.bat", "*.vbs", "*.hta") or network.direction : "egress" and destination.port in (80, 443) and process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe"))

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent Network Events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-*

False Positives

Developers legitimately downloading build artifacts, scripts, or tools from GitHub raw content or cloud storage during CI/CD workflows
IT administrators using certutil or curl to download approved software packages from cloud storage buckets
Security researchers or red teamers running authorized testing from internal systems that happen to pull tools from public staging platforms
Automated deployment pipelines or configuration management tools (Ansible, Chef, Puppet) that fetch scripts from blob storage

IBM QRadar (AQL)

sql

SELECT sourceip as "SourceIP", destinationip as "DestinationIP", UTF8(payload) as "URL", username as "Username", devicetime as "EventTime", CASE WHEN UTF8(payload) ILIKE '%.exe%' OR UTF8(payload) ILIKE '%.dll%' OR UTF8(payload) ILIKE '%.bin%' THEN 80 WHEN UTF8(payload) ILIKE '%paste%' OR UTF8(payload) ILIKE '%transfer.sh%' OR UTF8(payload) ILIKE '%gofile%' THEN 75 WHEN UTF8(payload) ILIKE '%certutil%' OR UTF8(payload) ILIKE '%bitsadmin%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Proxy', 'Windows', 'Zscaler Internet Access') AND (eventid = 4688 OR destinationport IN (80, 443)) ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log Proxy Zscaler Internet Access

Required Tables

events

False Positives

Developers legitimately downloading build artifacts, scripts, or tools from GitHub raw content or cloud storage during CI/CD workflows
IT administrators using certutil or curl to download approved software packages from cloud storage buckets
Security researchers or red teamers running authorized testing from internal systems that happen to pull tools from public staging platforms
Automated deployment pipelines or configuration management tools (Ansible, Chef, Puppet) that fetch scripts from blob storage

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows OR _sourceCategory=proxy/access | json auto | where (process_name in ("curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe") and (command_line matches "*.exe" or command_line matches "*.dll" or command_line matches "*.bin")) or (url matches "*transfer.sh*" or url matches "*paste.ee*" or url matches "*gofile.io*") | if(matches(process_name, "*certutil*") and matches(command_line, "*urlcache*"), "High", if(matches(url, "*transfer.sh*") or matches(url, "*gofile.io*"), "High", "Medium")) as RiskLevel | count by src_ip, process_name, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Windows Endpoint Events Proxy Access Logs

Required Tables

endpoint/windows proxy/access

False Positives

Developers legitimately downloading build artifacts, scripts, or tools from GitHub raw content or cloud storage during CI/CD workflows
IT administrators using certutil or curl to download approved software packages from cloud storage buckets
Security researchers or red teamers running authorized testing from internal systems that happen to pull tools from public staging platforms
Automated deployment pipelines or configuration management tools (Ansible, Chef, Puppet) that fetch scripts from blob storage

Google Chronicle / SecOps

yaral

rule detect_stage_capabilities {
  meta:
    author = "Argus"
    description = "Detects staging of capabilities from external infrastructure"
    severity = "HIGH"
    technique = "T1608"
  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    (
      re.regex($e.target.url, `\.(exe|dll|bin|ps1|bat|vbs|hta|sh|elf)($|\?)`) nocase or
      re.regex($e.target.hostname, `transfer\.sh|paste\.ee|gofile\.io|anonfiles|temp\.sh`) nocase
    )
    $e.principal.process.file.full_path != ""
  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Telemetry Web Proxy Google Workspace

Required Tables

NETWORK_HTTP PROCESS_LAUNCH FILE_CREATION

False Positives

Developers legitimately downloading build artifacts, scripts, or tools from GitHub raw content or cloud storage during CI/CD workflows
IT administrators using certutil or curl to download approved software packages from cloud storage buckets
Security researchers or red teamers running authorized testing from internal systems that happen to pull tools from public staging platforms
Automated deployment pipelines or configuration management tools (Ansible, Chef, Puppet) that fetch scripts from blob storage

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /certutil|bitsadmin|curl|wget/i
| CommandHistory = /urlcache|transfer|download|http/i
| case {
    CommandHistory = /\.exe|\.dll|\.bin/i | FileType := "Executable";
    CommandHistory = /\.ps1|\.bat|\.vbs/i | FileType := "Script";
    * | FileType := "Other"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, FileType])

high severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor) NetworkConnectIP4 (Falcon sensor)

Required Tables

ProcessRollup2 NetworkConnectIP4 DetectionSummaryEvent

False Positives

Developers legitimately downloading build artifacts, scripts, or tools from GitHub raw content or cloud storage during CI/CD workflows
IT administrators using certutil or curl to download approved software packages from cloud storage buckets
Security researchers or red teamers running authorized testing from internal systems that happen to pull tools from public staging platforms
Automated deployment pipelines or configuration management tools (Ansible, Chef, Puppet) that fetch scripts from blob storage

Stage Capabilities

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (6)

Same Tactic: Resource Development

Popular Detections