Stage Capabilities
This detection identifies adversary activity consistent with staging capabilities on external infrastructure prior to targeting. Because T1608 is a pre-compromise technique conducted on adversary-controlled infrastructure, direct detection is not possible from victim telemetry alone. Instead, this detection focuses on the victim-side observable: endpoints or users connecting to known or suspected staging infrastructure and downloading executable artifacts. Detectable signals include connections to file-sharing platforms (Pastebin, transfer.sh, Discord CDN, GitHub raw), downloads of executable file types from these platforms, and use of living-off-the-land binaries (certutil, bitsadmin, curl) to retrieve staged payloads. Threat intelligence correlation against known staging domains and IPs supplements behavioral heuristics to surface high-confidence staging delivery events.
What is T1608 Stage Capabilities?
Stage Capabilities (T1608) maps to the Resource Development tactic in MITRE ATT&CK: the adversary is trying to establish resources they can use to support operations.
This page provides production-ready detection logic for Stage Capabilities, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1608 Stage Capabilities
- Canonical reference
- https://attack.mitre.org/techniques/T1608/
let LookbackPeriod = 1d;
// Minimum score to surface. At 45 every matching connection is returned; raise to 60 to drop
// browser-initiated fetches from GitHub raw, Dropbox and cloud-storage buckets.
let MinimumRisk = 45;
// A file write is attributed to a connection only if the same process created it within this window
let CorrelationWindow = 5m;
let SuspiciousStagingDomains = dynamic([
"pastebin.com", "paste.ee", "pastecode.io", "pasteio.com",
"transfer.sh", "filebin.net", "gofile.io", "temp.sh", "anonfiles.com",
"raw.githubusercontent.com", "gist.githubusercontent.com",
"dl.dropboxusercontent.com", "cdn.discordapp.com",
"storage.googleapis.com", "s3.amazonaws.com"
]);
let ExecutableExtensions = dynamic(["exe", "dll", "ps1", "vbs", "hta", "bat", "cmd", "msi", "jar", "bin", "scr", "pif"]);
let LolBins = dynamic([
"certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe",
"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe"
]);
DeviceNetworkEvents
| where TimeGenerated >= ago(LookbackPeriod)
| where ActionType in ("ConnectionSuccess", "HttpConnectionInspected")
| where isnotempty(RemoteUrl)
| extend ParsedUrl = parse_url(RemoteUrl)
| extend HostDomain = tolower(tostring(ParsedUrl["Host"]))
| extend FilePath = tostring(ParsedUrl["Path"])
// Extension is the last dotted token of the path; empty when only an FQDN was recorded
| extend FileExt = tolower(extract(@"\.([a-zA-Z0-9]{2,4})(?:\?|#|$)", 1, FilePath))
| where HostDomain has_any (SuspiciousStagingDomains)
and FileExt in (ExecutableExtensions)
| join kind=leftouter (
DeviceFileEvents
| where TimeGenerated >= ago(LookbackPeriod)
| where ActionType == "FileCreated"
| project DeviceId, FileCreatedTime = TimeGenerated, FileName, FolderPath,
SHA256, FileInitiatingProcessId = InitiatingProcessId
) on DeviceId, $left.InitiatingProcessId == $right.FileInitiatingProcessId
// Keep every connection; attach a file only when it was written shortly after the connection.
// Without this, a long-lived powershell.exe or browser attaches every file it wrote in the lookback.
| extend FileInWindow = coalesce(FileCreatedTime between (TimeGenerated .. (TimeGenerated + CorrelationWindow)), false)
| extend InWindowRank = toint(FileInWindow),
DroppedFile = iff(FileInWindow, FileName, ""),
DroppedFilePath = iff(FileInWindow, FolderPath, ""),
DroppedSHA256 = iff(FileInWindow, SHA256, "")
| summarize arg_max(InWindowRank, DroppedFile, DroppedFilePath, DroppedSHA256)
by TimeGenerated, DeviceName, DeviceId, HostDomain, RemoteUrl, RemoteIP, FileExt,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName, InitiatingProcessAccountDomain
// Base score per platform. has matches whole terms only, so has "paste" would miss pastecode.io
// and has "dropbox" would miss dl.dropboxusercontent.com; contains/endswith are used for those.
| extend RiskScore = case(
HostDomain has "anonfiles", 90,
HostDomain has "pastebin", 85,
HostDomain endswith "transfer.sh", 85,
HostDomain contains "paste", 80,
HostDomain endswith "temp.sh", 80,
HostDomain has "gofile", 75,
HostDomain has "discordapp", 60,
HostDomain endswith "storage.googleapis.com", 55,
HostDomain endswith "s3.amazonaws.com", 50,
HostDomain contains "dropbox", 50,
HostDomain has "githubusercontent", 45,
55
)
| extend LolBinUsed = InitiatingProcessFileName in~ (LolBins)
| extend AdjustedRisk = RiskScore + iff(LolBinUsed, 15, 0)
| where AdjustedRisk >= MinimumRisk
| project TimeGenerated, DeviceName, DeviceId,
StagingDomain = HostDomain,
RemoteUrl, RemoteIP, FileExt,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName, InitiatingProcessAccountDomain,
DroppedFile, DroppedFilePath, SHA256 = DroppedSHA256,
LolBinUsed, AdjustedRisk
| order by AdjustedRisk desc, TimeGenerated desc
Detects endpoint connections to known capability-staging platforms (paste sites, file-transfer services, cloud storage CDNs) where the retrieved URL path targets an executable file type. Scoring is adjusted upward when a living-off-the-land binary initiates the connection. File creation events from the same process within the correlation window provide SHA256 hashes for threat intelligence lookups. Two limits matter when tuning: RemoteUrl in DeviceNetworkEvents typically records only the FQDN for TLS connections, so the extension filter fires on plaintext HTTP downloads and on URLs exposed by HttpConnectionInspected and should be paired with proxy logs where full HTTPS URLs are available; and has_any on the domain list also matches subdomains of storage.googleapis.com and s3.amazonaws.com, so every bucket-hosted download from those services is a candidate and the false positive list below applies.
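As an added example, not one of the shipped queries, the same victim-side logic in Python, run offline over a handful of constructed DeviceNetworkEvents/DeviceFileEvents-style records so the scoring, the LOLBin uplift and the process-keyed file correlation can be checked without a tenant. Domain matching is a suffix match rather than KQL's has_any, the five-minute correlation window and the record field names are assumptions, and the hostnames, paste ID, paths and hashes in the sample are made up.

```python
"""Victim-side T1608 detector: added example mirroring the KQL above, run offline
over constructed telemetry (field names, window and sample values are assumptions)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlsplit

# Base risk per staging domain, following the case() table in the KQL query
STAGING_DOMAINS = {
    "pastebin.com": 85, "paste.ee": 80, "pastecode.io": 80, "pasteio.com": 80,
    "transfer.sh": 85, "filebin.net": 55, "gofile.io": 75, "temp.sh": 80,
    "anonfiles.com": 90, "raw.githubusercontent.com": 45,
    "gist.githubusercontent.com": 45, "dl.dropboxusercontent.com": 50,
    "cdn.discordapp.com": 60, "storage.googleapis.com": 55, "s3.amazonaws.com": 50,
}
EXECUTABLE_EXTENSIONS = {"exe", "dll", "ps1", "vbs", "hta", "bat", "cmd",
                         "msi", "jar", "bin", "scr", "pif"}
LOLBINS = {"certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe", "powershell.exe",
           "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe",
           "rundll32.exe", "msiexec.exe"}
LOLBIN_BONUS = 15
MIN_RISK = 45
CORRELATION_WINDOW = timedelta(minutes=5)   # assumed: file must land within 5 min of the connection
EXT_RE = re.compile(r"\.([A-Za-z0-9]{2,4})$")


@dataclass
class NetEvent:            # subset of DeviceNetworkEvents
    time: datetime
    device: str
    process: str           # InitiatingProcessFileName
    pid: int               # InitiatingProcessId
    url: str               # RemoteUrl


@dataclass
class FileEvent:           # subset of DeviceFileEvents (ActionType == FileCreated)
    time: datetime
    device: str
    pid: int               # InitiatingProcessId
    name: str
    folder: str
    sha256: str


def staging_domain(host: str) -> Optional[str]:
    """Match the host or any subdomain of a listed staging domain (suffix match, not KQL has_any)."""
    host = host.lower()
    for domain in STAGING_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def url_extension(url: str) -> str:
    """Extension of the URL path; empty when only an FQDN is visible (typical for TLS)."""
    match = EXT_RE.search(urlsplit(url).path)
    return match.group(1).lower() if match else ""


def score(event: NetEvent) -> Optional[dict]:
    """Return an alert dict for a staging download, or None when the event does not qualify."""
    domain = staging_domain(urlsplit(event.url).hostname or "")
    ext = url_extension(event.url)
    if domain is None or ext not in EXECUTABLE_EXTENSIONS:
        return None
    lolbin = event.process.lower() in LOLBINS
    risk = STAGING_DOMAINS[domain] + (LOLBIN_BONUS if lolbin else 0)
    if risk < MIN_RISK:
        return None
    return {"time": event.time, "device": event.device, "domain": domain, "url": event.url,
            "ext": ext, "process": event.process, "lolbin": lolbin, "risk": risk,
            "dropped": None, "sha256": None}


def detect(net_events, file_events):
    """Score connections, then attach the first file the same process wrote inside the window."""
    alerts = []
    for ev in net_events:
        alert = score(ev)
        if alert is None:
            continue
        for fe in file_events:
            if (fe.device == ev.device and fe.pid == ev.pid
                    and ev.time <= fe.time <= ev.time + CORRELATION_WINDOW):
                alert.update(dropped=fe.folder + "\\" + fe.name, sha256=fe.sha256)
                break
        alerts.append(alert)
    # order by AdjustedRisk desc, TimeGenerated desc
    return sorted(alerts, key=lambda a: (-a["risk"], -a["time"].timestamp()))


# Constructed sample telemetry (not real events): hostnames, paste ID and hashes are made up
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_NET = [
    NetEvent(T0, "WS01", "certutil.exe", 4120, "http://pastebin.com/raw/Ab12Cd34.exe"),
    NetEvent(T0 + timedelta(minutes=1), "WS02", "chrome.exe", 880,
             "http://raw.githubusercontent.com/org/repo/main/tools/helper.ps1"),
    NetEvent(T0 + timedelta(minutes=2), "WS03", "powershell.exe", 5012, "https://transfer.sh"),
    NetEvent(T0 + timedelta(minutes=3), "WS04", "msedge.exe", 700,
             "http://cdn.discordapp.com/attachments/1/2/notes.txt"),
]
SAMPLE_FILES = [
    FileEvent(T0 + timedelta(seconds=20), "WS01", 4120, "up.exe", "C:\\Users\\Public", "a1" * 32),
    FileEvent(T0 + timedelta(hours=2), "WS02", 880, "late.ps1", "C:\\Temp", "b2" * 32),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_NET, SAMPLE_FILES):
        print(alert["risk"], alert["device"], alert["process"], alert["url"], alert["dropped"])
```

Running it surfaces two alerts: the certutil.exe fetch from pastebin.com scores 100 (85 plus the LOLBin uplift) with up.exe and its hash attached, and the browser fetch of helper.ps1 scores 45 with no file attached because the only write by that process came two hours later. The powershell.exe connection to transfer.sh produces nothing: the record carries only the FQDN, which is the TLS blind spot described above, and the .txt attachment on the Discord CDN is filtered by extension.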
Data Sources
Required Tables
- DeviceNetworkEvents (Microsoft Defender for Endpoint)
- DeviceFileEvents (Microsoft Defender for Endpoint)
False Positives
- Developers legitimately downloading build artifacts, scripts, or tools from GitHub raw content or cloud storage during CI/CD workflows
- IT administrators using certutil or curl to download approved software packages from cloud storage buckets
- Security researchers or red teamers running authorized testing from internal systems that happen to pull tools from public staging platforms
- Automated deployment pipelines or configuration management tools (Ansible, Chef, Puppet) that fetch scripts from blob storage
Sigma rule & cross-platform mapping
The detection logic for Stage Capabilities (T1608) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries in KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:
logsource:
category: network_connection
product: windows
References (8)
- https://attack.mitre.org/techniques/T1608/
- https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader/
- https://attack.mitre.org/techniques/T1608/001/
- https://attack.mitre.org/techniques/T1608/002/
- https://attack.mitre.org/techniques/T1608/003/
- https://attack.mitre.org/techniques/T1608/004/
- https://attack.mitre.org/techniques/T1608/005/
- https://attack.mitre.org/techniques/T1608/006/
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Stage and Retrieve Benign Payload via Pastebin (Simulated)
Expected signal: Sysmon Event ID 1 (Process Create) for certutil.exe with -decode arguments. DeviceProcessEvents entry for certutil.exe. DeviceFileEvents showing file creation in %TEMP%. PowerShell ScriptBlock log (Event ID 4104) showing the staging simulation commands.
- Test 2: Download Simulated Tool from GitHub Raw Content
Expected signal: Sysmon Event ID 3 (Network Connection) for powershell.exe connecting to raw.githubusercontent.com on port 443. Sysmon Event ID 11 (File Create) for the downloaded file. DeviceNetworkEvents in Defender for Endpoint showing powershell.exe initiating connection. DeviceFileEvents showing file write in TEMP.
- Test 3: Simulate Drive-by Staging Infrastructure via Local Web Server
Expected signal: Linux audit logs showing curl process spawning with HTTP connection to 127.0.0.1:8888. Syslog entries for the Python HTTP server serving the request. File creation event for downloaded_payload.exe in /tmp. If auditd is enabled: syscall records for execve (python3, curl) and open/write for file creation.