
Detect Upload Malware in IBM QRadar

Adversaries may upload malware to third-party or adversary-controlled infrastructure to make it accessible during targeting. This includes placing payloads on compromised or purchased web servers, abusing public file-sharing services (Discord CDN, Pastebin, Dropbox, Google Drive), hosting on the InterPlanetary File System (IPFS) to resist takedowns, embedding in blockchain smart contracts, or backdooring software packages uploaded to repositories such as PyPI, NPM, Docker Hub, and GitHub. Detection of this PRE-attack technique occurs primarily on the victim side — when endpoints retrieve the staged malware — rather than at the point of upload. Detection strategies focus on network and file telemetry identifying executable content downloads from suspicious hosting platforms, abnormal use of download LOLBins, and package manager installs of typosquatted or newly-published packages.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1608 Stage Capabilities
Sub-technique: T1608.001 Upload Malware
Canonical reference: https://attack.mitre.org/techniques/T1608/001/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  sourceip AS "SourceIP",
  destinationip AS "DestinationIP",
  UTF8(payload) AS "URL",
  username AS "Username",
  devicetime AS "EventTime",
  CASE
    WHEN UTF8(payload) ILIKE '%.exe%' OR UTF8(payload) ILIKE '%.dll%' OR UTF8(payload) ILIKE '%.bin%' THEN 80
    WHEN UTF8(payload) ILIKE '%paste%' OR UTF8(payload) ILIKE '%transfer.sh%' OR UTF8(payload) ILIKE '%gofile%' THEN 75
    WHEN UTF8(payload) ILIKE '%certutil%' OR UTF8(payload) ILIKE '%bitsadmin%' THEN 70
    ELSE 50
  END AS "RiskScore"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Proxy', 'Windows', 'Zscaler Internet Access')
  AND (eventid = 4688 OR destinationport IN (80, 443))
ORDER BY "RiskScore" DESC
LAST 24 HOURS
```

Severity: medium · Confidence: low

IBM QRadar AQL translation of the T1608.001 detection. Uses SQL-like syntax with risk scoring. Detects victim-side indicators of malware retrieval from adversary-staged infrastructure using Micro

Data Sources

  • Windows Security Event Log
  • Proxy
  • Zscaler Internet Access

Required Tables

events

False Positives & Tuning

  • Software developers and researchers legitimately accessing IPFS gateways to retrieve decentralized content or test IPFS-hosted applications
  • IT administrators using certutil.exe or bitsadmin.exe for legitimate software distribution, update delivery, or certificate operations
  • Users downloading legitimate installers from file-sharing platforms (Discord attachments shared in dev communities, transfer.sh for ops file sharing)
  • CI/CD pipeline agents using curl or wget to fetch build artifacts or bootstrap scripts from GitHub raw content URLs
  • Browser-initiated downloads of legitimate software from sites that share infrastructure with abused platforms
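The scoring tiers and WHERE clause of the AQL query above, together with the tuning exceptions this list calls for, as an added Python example that is not code from the page or from IBM QRadar. It re-implements the CASE WHEN logic over constructed sample events so the tiers can be exercised offline; the field names, the CI subnet (10.20.0.0/16), the svc_swdist service account and every event below are assumptions made for the example.

```python
"""Emulation of the T1608.001 AQL risk scoring and its tuning exceptions.

Added example; not code from the page or from IBM QRadar. Field names, the
allow-list values and the sample events are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass
class Event:
    source_ip: str
    dest_ip: str
    payload: str           # proxy URL, or the raw text of a Windows 4688 event
    username: str
    log_source_type: str   # what LOGSOURCETYPENAME(devicetype) would return
    event_id: int = 0
    dest_port: int = 0


# Same order as the AQL CASE WHEN: the first tier whose substring matches wins.
TIERS = (
    (80, (".exe", ".dll", ".bin")),
    (75, ("paste", "transfer.sh", "gofile")),
    (70, ("certutil", "bitsadmin")),
)
DEFAULT_SCORE = 50
IN_SCOPE_LOG_SOURCES = {"Proxy", "Windows", "Zscaler Internet Access"}


def in_scope(ev: Event) -> bool:
    """The WHERE clause: an in-scope log source and (event 4688 or a web port)."""
    return ev.log_source_type in IN_SCOPE_LOG_SOURCES and (
        ev.event_id == 4688 or ev.dest_port in (80, 443)
    )


def risk_score(payload: str) -> int:
    """The CASE WHEN expression; ILIKE '%x%' is a case-insensitive substring test."""
    text = payload.lower()
    for score, needles in TIERS:
        if any(needle in text for needle in needles):
            return score
    return DEFAULT_SCORE


# Tuning exceptions derived from the False Positives list (assumed values).
TUNING_EXCEPTIONS = (
    ("CI agents fetching artifacts from GitHub raw URLs",
     lambda ev: ev.source_ip.startswith("10.20.")
     and "raw.githubusercontent.com" in ev.payload.lower()),
    ("Software distribution account using certutil/bitsadmin",
     lambda ev: ev.username == "svc_swdist" and ev.event_id == 4688),
)


def suppressed(ev: Event) -> bool:
    """True when a tuning exception explains the event."""
    return any(pred(ev) for _, pred in TUNING_EXCEPTIONS)


def run_detection(events):
    """In-scope, non-suppressed events with their score, highest first."""
    hits = [(ev, risk_score(ev.payload)) for ev in events
            if in_scope(ev) and not suppressed(ev)]
    hits.sort(key=lambda hit: hit[1], reverse=True)
    return hits


# Constructed sample events (all values made up for this example).
SAMPLE_EVENTS = [
    Event("10.1.1.10", "203.0.113.5",
          "https://cdn.discordapp.com/attachments/1/2/update.exe",
          "jdoe", "Proxy", dest_port=443),
    Event("10.1.1.11", "203.0.113.6", "https://pastebin.com/raw/abcd1234",
          "asmith", "Zscaler Internet Access", dest_port=443),
    # Raw 4688 text always carries the image path, so '.exe' matches before 'certutil'.
    Event("10.1.1.12", "10.1.1.12",
          "New Process Name: C:\\Windows\\System32\\certutil.exe "
          "Process Command Line: certutil -urlcache -split -f https://example.test/a.txt",
          "bwong", "Windows", event_id=4688),
    Event("10.1.1.13", "203.0.113.7", "https://www.example.test/index.html",
          "cdiaz", "Proxy", dest_port=443),
    # Out of scope: neither a web port nor a 4688 event.
    Event("10.1.1.14", "203.0.113.8", "https://intranet.example.test:8080/x.exe",
          "cdiaz", "Proxy", dest_port=8080),
    # Suppressed by the CI tuning exception.
    Event("10.20.3.4", "203.0.113.9",
          "https://raw.githubusercontent.com/org/repo/main/bootstrap.sh",
          "ci-runner", "Proxy", dest_port=443),
]

if __name__ == "__main__":
    for ev, score in run_detection(SAMPLE_EVENTS):
        print(score, ev.username, ev.payload[:60])
```

Two properties of the query become visible when it is run this way. First, the WHERE clause does not restrict results to the indicators: every in-scope proxy or 4688 event is returned with at least the default score of 50, which is why the rule is labelled low confidence and why suppression of known-good sources matters more than usual. Second, because the raw text of a 4688 event always contains the image path, the ".exe" tier fires first for every process-creation event, so the certutil/bitsadmin tier at 70 is effectively only reachable from proxy URLs; the same command line evaluated on its own scores 70.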

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Download Staged Payload via certutil LOLBin

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-urlcache -split -f https://'. Sysmon Event ID 3: Network connection from certutil.exe to 185.199.x.x (GitHub CDN) on port 443. Sysmon Event ID 11: File creation at %TEMP%\df00tech_staged_test.txt. Windows-Bits-Client/Operational may not fire (certutil uses WinHTTP, not BITS). Zone.Identifier ADS on the output file recording the source URL and ZoneId=3.

  2. Test 2: Retrieve Content from IPFS Gateway via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-WebRequest' and 'ipfs.io'. Sysmon Event ID 3: Network connection from powershell.exe to ipfs.io (209.94.x.x) on port 443. PowerShell ScriptBlock Log Event ID 4104 with the full IWR command. Sysmon Event ID 11: File creation at %TEMP%\df00tech_ipfs_test.txt with Zone.Identifier ADS containing HostUrl=https://ipfs.io/ipfs/...

  3. Test 3: Simulate Typosquatted Package Install from PyPI

    Expected signal: Sysmon Event ID 1: Process Create with Image=pip.exe or python.exe, CommandLine containing 'install' and the package name. Sysmon Event ID 3: Network connection from python.exe to pypi.org (151.101.x.x) and files.pythonhosted.org on port 443. Sysmon Event ID 11: Multiple file creation events in the target directory for .whl and extracted package files. Proxy log: HTTP GET requests to pypi.org/simple/<package>/ and files.pythonhosted.org with content-type application/zip or application/octet-stream.

  4. Test 4: Download from Discord CDN via PowerShell (Simulated)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient', 'DownloadFile', 'cdn.discordapp.com', and '-ExecutionPolicy Bypass'. Sysmon Event ID 3: Network connection from powershell.exe to cdn.discordapp.com on port 443. The download will return 404 for the placeholder URL, but the DNS resolution and TCP connection telemetry still fire. PowerShell ScriptBlock Log Event ID 4104 with full command.
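The "Expected signal" descriptions for the four tests above, turned into machine-checkable predicates as an added Python example that is not code from the page, from Atomic Red Team or from Sysmon. It encodes each expected signal as a set of field criteria over Sysmon-style event records and reports which signals a captured run is missing; the record field names follow Sysmon and PowerShell naming, but the records themselves, the PLACEHOLDER URLs and the lab paths are constructed for the example.

```python
"""Expected-signal checks for the four T1608.001 test cases.

Added example; not code from the page, Atomic Red Team or Sysmon. The event
records below are constructed telemetry, not captured output.
"""


def matches(event: dict, criteria: dict) -> bool:
    """Every criterion must hold. A string, or a tuple of strings, is a
    case-insensitive substring test on the field; anything else is equality."""
    for field, want in criteria.items():
        got = event.get(field)
        if got is None:
            return False
        if isinstance(want, str):
            want = (want,)
        if isinstance(want, tuple):
            if not all(w.lower() in str(got).lower() for w in want):
                return False
        elif got != want:
            return False
    return True


# (signal name, criteria) pairs transcribed from the Expected signal text above.
EXPECTED = {
    "Test 1 certutil": [
        ("Sysmon 1 certutil -urlcache", {"EventID": 1, "Image": "certutil.exe",
                                         "CommandLine": "-urlcache -split -f https://"}),
        ("Sysmon 3 certutil :443", {"EventID": 3, "Image": "certutil.exe",
                                    "DestinationPort": 443}),
        ("Sysmon 11 staged file", {"EventID": 11,
                                   "TargetFilename": "df00tech_staged_test.txt"}),
    ],
    "Test 2 IPFS": [
        ("Sysmon 1 IWR ipfs.io", {"EventID": 1, "Image": "powershell.exe",
                                  "CommandLine": ("Invoke-WebRequest", "ipfs.io")}),
        ("Sysmon 3 ipfs.io :443", {"EventID": 3, "Image": "powershell.exe",
                                   "DestinationHostname": "ipfs.io", "DestinationPort": 443}),
        ("PowerShell 4104 IWR", {"EventID": 4104,
                                 "ScriptBlockText": ("Invoke-WebRequest", "ipfs.io")}),
        ("Sysmon 11 ipfs file", {"EventID": 11, "TargetFilename": "df00tech_ipfs_test.txt"}),
    ],
    "Test 3 PyPI": [
        ("Sysmon 1 pip install", {"EventID": 1, "CommandLine": "install"}),
        ("Sysmon 3 pypi.org", {"EventID": 3, "Image": "python.exe",
                               "DestinationHostname": "pypi.org"}),
        ("Sysmon 11 wheel written", {"EventID": 11, "TargetFilename": ".whl"}),
    ],
    "Test 4 Discord CDN": [
        ("Sysmon 1 WebClient download", {"EventID": 1, "Image": "powershell.exe",
                                         "CommandLine": ("Net.WebClient", "DownloadFile",
                                                         "cdn.discordapp.com",
                                                         "-ExecutionPolicy Bypass")}),
        ("Sysmon 3 cdn.discordapp.com", {"EventID": 3,
                                         "DestinationHostname": "cdn.discordapp.com"}),
        ("PowerShell 4104", {"EventID": 4104, "ScriptBlockText": "cdn.discordapp.com"}),
    ],
}


def missing_signals(test_name: str, events: list) -> list:
    """Names of the expected signals for test_name that no event satisfies."""
    return [name for name, crit in EXPECTED[test_name]
            if not any(matches(ev, crit) for ev in events)]


# Constructed telemetry: a complete Test 1 run, and a Test 2 run in which the
# file write was never logged (for example, no matching Sysmon FileCreate rule).
TEST1_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f https://raw.githubusercontent.com/PLACEHOLDER/test.txt"},
    {"EventID": 3, "Image": r"C:\Windows\System32\certutil.exe",
     "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443},
    {"EventID": 11, "Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\lab\AppData\Local\Temp\df00tech_staged_test.txt"},
]
TEST2_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Invoke-WebRequest https://ipfs.io/ipfs/PLACEHOLDER"},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "ipfs.io", "DestinationPort": 443},
    {"EventID": 4104, "ScriptBlockText": "Invoke-WebRequest https://ipfs.io/ipfs/PLACEHOLDER"},
]

if __name__ == "__main__":
    for name, events in (("Test 1 certutil", TEST1_EVENTS), ("Test 2 IPFS", TEST2_EVENTS)):
        print(name, "missing:", missing_signals(name, events) or "none")
```

A non-empty result points at one of two things: the test did not behave as described, or the telemetry pipeline dropped an event that the detection relies on. The checks deliberately omit a BITS signal for Test 1, matching the note above that Windows-Bits-Client/Operational may not fire because certutil uses WinHTTP rather than BITS.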
