T1608.001 Upload Malware Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousStagingDomains = dynamic([
    // IPFS gateways
    "ipfs.io", "cloudflare-ipfs.com", "gateway.ipfs.io", "dweb.link",
    "ipfs.fleek.co", "nftstorage.link", "w3s.link",
    // Discord CDN (widely abused for malware staging)
    "cdn.discordapp.com", "media.discordapp.net", "attachments.discordapp.net",
    // Paste sites
    "pastebin.com", "paste.ee", "hastebin.com", "ghostbin.co", "controlc.com",
    "rentry.co", "pastecode.io",
    // Anonymous file sharing
    "transfer.sh", "file.io", "gofile.io", "anonfiles.com", "pixeldrain.com",
    "0x0.st", "catbox.moe", "litterbox.catbox.moe",
    // Telegram CDN
    "t.me", "cdn1.telegram-cdn.org", "cdn4.telegram-cdn.org"
]);
let SuspiciousExtensions = dynamic([
    ".exe", ".dll", ".ps1", ".vbs", ".bat", ".cmd", ".hta",
    ".msi", ".lnk", ".scr", ".pif", ".cpl", ".jar"
]);
let DownloadLOLBins = dynamic([
    "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe",
    "msiexec.exe", "esentutl.exe", "desktopimgdownldr.exe"
]);
// Branch 1: LOLBin or scripting engine downloading from suspicious staging platforms
let StagingDomainDownloads = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "HttpConnectionInspected")
| where RemoteUrl has_any (SuspiciousStagingDomains)
| where InitiatingProcessFileName has_any (DownloadLOLBins)
    or InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, DetectionBranch="LOLBin_StagingDomain";
// Branch 2: Executable files written to high-risk paths by download processes
let SuspiciousFileDrops = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where InitiatingProcessFileName has_any (DownloadLOLBins)
    or InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe",
       "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe")
| where FolderPath has_any (
    "\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\",
    "\\AppData\\Roaming\\", "\\ProgramData\\", "\\Users\\Public\\"
  )
| where FileName has_any (SuspiciousExtensions)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, DetectionBranch="SuspiciousFileDrop";
// Branch 3: PowerShell or scripting engines contacting IPFS or blockchain RPC endpoints
let IPFSBlockchainAccess = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any ("ipfs.io", "cloudflare-ipfs.com", "dweb.link", "w3s.link")
    or RemotePort in (8545, 8546, 30303)  // Ethereum RPC / P2P ports
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe",
       "wscript.exe", "cscript.exe", "mshta.exe")
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, DetectionBranch="IPFS_Blockchain";
union StagingDomainDownloads, SuspiciousFileDrops, IPFSBlockchainAccess
| sort by Timestamp desc

medium severity low confidence

Data Sources

Network Traffic: Network Connection Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceFileEvents

False Positives

Software developers and researchers legitimately accessing IPFS gateways to retrieve decentralized content or test IPFS-hosted applications
IT administrators using certutil.exe or bitsadmin.exe for legitimate software distribution, update delivery, or certificate operations
Users downloading legitimate installers from file-sharing platforms (Discord attachments shared in dev communities, transfer.sh for ops file sharing)
CI/CD pipeline agents using curl or wget to fetch build artifacts or bootstrap scripts from GitHub raw content URLs
Browser-initiated downloads of legitimate software from sites that share infrastructure with abused platforms

Splunk

spl

index=proxy OR index=web OR index=network
  sourcetype="bluecoat:proxysg:access:syslog" OR sourcetype="squid" OR sourcetype="stream:http" OR sourcetype="cisco:esa:http"
| eval domain=lower(coalesce(cs_host, dest_host, url_domain, host))
| eval url_lower=lower(coalesce(cs_uri_stem, url, uri_path))
| eval content_type=lower(coalesce(cs_mime_type, content_type, mime_type))
| eval staging_platform=case(
    match(domain, "(ipfs\.io|cloudflare-ipfs\.com|gateway\.ipfs\.io|dweb\.link|w3s\.link|nftstorage\.link)"), "IPFS_Gateway",
    match(domain, "(cdn\.discordapp\.com|media\.discordapp\.net|attachments\.discordapp\.net)"), "Discord_CDN",
    match(domain, "(pastebin\.com|paste\.ee|hastebin\.com|ghostbin\.co|rentry\.co|controlc\.com|pastecode\.io)"), "Paste_Site",
    match(domain, "(transfer\.sh|file\.io|gofile\.io|anonfiles\.com|pixeldrain\.com|0x0\.st|catbox\.moe)"), "AnonFileShare",
    match(domain, "(cdn1\.telegram-cdn\.org|cdn4\.telegram-cdn\.org)"), "Telegram_CDN",
    true(), null()
  )
| where isnotnull(staging_platform)
| eval executable_content=if(
    match(content_type, "(application/x-msdownload|application/octet-stream|application/x-executable|application/x-dosexec|application/x-msdos-program)")
    OR match(url_lower, "(\.exe|\.dll|\.ps1|\.vbs|\.bat|\.cmd|\.hta|\.msi|\.lnk|\.scr|\.jar)$"),
    1, 0
  )
| eval suspicious_useragent=if(
    match(lower(coalesce(cs_useragent, http_user_agent, useragent)),
    "(powershell|curl|wget|python-requests|go-http|libwww-perl|mshta|wscript|certutil|bitsadmin)"),
    1, 0
  )
| eval suspicion_score=executable_content + suspicious_useragent
| where suspicion_score > 0
| eval alert_context=case(
    executable_content=1 AND suspicious_useragent=1, "Executable download via scripting agent - HIGH",
    executable_content=1, "Executable content type from staging platform",
    suspicious_useragent=1, "Automated downloader accessing staging platform",
    true(), "Staging platform access"
  )
| stats
    count as request_count,
    values(url_lower) as urls,
    values(content_type) as content_types,
    values(coalesce(cs_useragent, http_user_agent, useragent)) as user_agents,
    max(suspicion_score) as max_score,
    values(alert_context) as alert_contexts,
    earliest(_time) as first_seen,
    latest(_time) as last_seen
  by src_ip, domain, staging_platform
| sort - max_score, - request_count

medium severity low confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Content Application Log: Application Log Content

Required Sourcetypes

bluecoat:proxysg:access:syslog squid stream:http cisco:esa:http

False Positives

Developers frequently downloading from IPFS gateways as part of Web3 application development or testing
IT teams using automated scripts (curl, wget) to download software from file-sharing platforms as part of approved provisioning workflows
Employees sharing work files via Discord attachments in engineering channels, resulting in CDN download telemetry
Automated build pipelines or monitoring tools accessing paste sites to retrieve configuration or bootstrap scripts
Security researchers deliberately accessing staging platforms as part of threat intelligence collection or sandboxed malware analysis

Elastic Security (EQL)

eql

any where process.name : ("curl", "wget", "powershell.exe", "certutil.exe", "bitsadmin.exe") and (process.command_line : ("*.bin", "*.exe", "*.dll", "*.ps1", "*.bat", "*.vbs", "*.hta") or network.direction : "egress" and destination.port in (80, 443) and process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe"))

medium severity low confidence

Data Sources

Elastic Endpoint Security Elastic Agent Network Events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-*

False Positives

Software developers and researchers legitimately accessing IPFS gateways to retrieve decentralized content or test IPFS-hosted applications
IT administrators using certutil.exe or bitsadmin.exe for legitimate software distribution, update delivery, or certificate operations
Users downloading legitimate installers from file-sharing platforms (Discord attachments shared in dev communities, transfer.sh for ops file sharing)
CI/CD pipeline agents using curl or wget to fetch build artifacts or bootstrap scripts from GitHub raw content URLs
Browser-initiated downloads of legitimate software from sites that share infrastructure with abused platforms

IBM QRadar (AQL)

sql

SELECT sourceip as "SourceIP", destinationip as "DestinationIP", UTF8(payload) as "URL", username as "Username", devicetime as "EventTime", CASE WHEN UTF8(payload) ILIKE '%.exe%' OR UTF8(payload) ILIKE '%.dll%' OR UTF8(payload) ILIKE '%.bin%' THEN 80 WHEN UTF8(payload) ILIKE '%paste%' OR UTF8(payload) ILIKE '%transfer.sh%' OR UTF8(payload) ILIKE '%gofile%' THEN 75 WHEN UTF8(payload) ILIKE '%certutil%' OR UTF8(payload) ILIKE '%bitsadmin%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Proxy', 'Windows', 'Zscaler Internet Access') AND (eventid = 4688 OR destinationport IN (80, 443)) ORDER BY "RiskScore" DESC LAST 24 HOURS

medium severity low confidence

Data Sources

Windows Security Event Log Proxy Zscaler Internet Access

Required Tables

events

False Positives

Software developers and researchers legitimately accessing IPFS gateways to retrieve decentralized content or test IPFS-hosted applications
IT administrators using certutil.exe or bitsadmin.exe for legitimate software distribution, update delivery, or certificate operations
Users downloading legitimate installers from file-sharing platforms (Discord attachments shared in dev communities, transfer.sh for ops file sharing)
CI/CD pipeline agents using curl or wget to fetch build artifacts or bootstrap scripts from GitHub raw content URLs
Browser-initiated downloads of legitimate software from sites that share infrastructure with abused platforms

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows OR _sourceCategory=proxy/access | json auto | where (process_name in ("curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe") and (command_line matches "*.exe" or command_line matches "*.dll" or command_line matches "*.bin")) or (url matches "*transfer.sh*" or url matches "*paste.ee*" or url matches "*gofile.io*") | if(matches(process_name, "*certutil*") and matches(command_line, "*urlcache*"), "High", if(matches(url, "*transfer.sh*") or matches(url, "*gofile.io*"), "High", "Medium")) as RiskLevel | count by src_ip, process_name, RiskLevel | sort by count desc

medium severity low confidence

Data Sources

Windows Endpoint Events Proxy Access Logs

Required Tables

endpoint/windows proxy/access

False Positives

Software developers and researchers legitimately accessing IPFS gateways to retrieve decentralized content or test IPFS-hosted applications
IT administrators using certutil.exe or bitsadmin.exe for legitimate software distribution, update delivery, or certificate operations
Users downloading legitimate installers from file-sharing platforms (Discord attachments shared in dev communities, transfer.sh for ops file sharing)
CI/CD pipeline agents using curl or wget to fetch build artifacts or bootstrap scripts from GitHub raw content URLs
Browser-initiated downloads of legitimate software from sites that share infrastructure with abused platforms

Google Chronicle / SecOps

yaral

rule detect_stage_capabilities {
  meta:
    author = "Argus"
    description = "Detects staging of capabilities from external infrastructure"
    severity = "HIGH"
    technique = "T1608"
  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    (
      re.regex($e.target.url, `\.(exe|dll|bin|ps1|bat|vbs|hta|sh|elf)($|\?)`) nocase or
      re.regex($e.target.hostname, `transfer\.sh|paste\.ee|gofile\.io|anonfiles|temp\.sh`) nocase
    )
    $e.principal.process.file.full_path != ""
  condition:
    $e
}

medium severity low confidence

Data Sources

Endpoint Telemetry Web Proxy Google Workspace

Required Tables

NETWORK_HTTP PROCESS_LAUNCH FILE_CREATION

False Positives

Software developers and researchers legitimately accessing IPFS gateways to retrieve decentralized content or test IPFS-hosted applications
IT administrators using certutil.exe or bitsadmin.exe for legitimate software distribution, update delivery, or certificate operations
Users downloading legitimate installers from file-sharing platforms (Discord attachments shared in dev communities, transfer.sh for ops file sharing)
CI/CD pipeline agents using curl or wget to fetch build artifacts or bootstrap scripts from GitHub raw content URLs
Browser-initiated downloads of legitimate software from sites that share infrastructure with abused platforms

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /certutil|bitsadmin|curl|wget/i
| CommandHistory = /urlcache|transfer|download|http/i
| case {
    CommandHistory = /\.exe|\.dll|\.bin/i | FileType := "Executable";
    CommandHistory = /\.ps1|\.bat|\.vbs/i | FileType := "Script";
    * | FileType := "Other"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, FileType])

medium severity low confidence

Data Sources

ProcessRollup2 (Falcon sensor) NetworkConnectIP4 (Falcon sensor)

Required Tables

ProcessRollup2 NetworkConnectIP4 DetectionSummaryEvent

False Positives

Software developers and researchers legitimately accessing IPFS gateways to retrieve decentralized content or test IPFS-hosted applications
IT administrators using certutil.exe or bitsadmin.exe for legitimate software distribution, update delivery, or certificate operations
Users downloading legitimate installers from file-sharing platforms (Discord attachments shared in dev communities, transfer.sh for ops file sharing)
CI/CD pipeline agents using curl or wget to fetch build artifacts or bootstrap scripts from GitHub raw content URLs
Browser-initiated downloads of legitimate software from sites that share infrastructure with abused platforms

Upload Malware

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections