T1608.001 Microsoft Sentinel · KQL

Detect Upload Malware in Microsoft Sentinel

Adversaries may upload malware to third-party or adversary-controlled infrastructure to make it accessible during targeting. This includes placing payloads on compromised or purchased web servers, abusing public file-sharing services (Discord CDN, Pastebin, Dropbox, Google Drive), hosting on the InterPlanetary File System (IPFS) to resist takedowns, embedding payloads in blockchain smart contracts, or backdooring software packages uploaded to repositories such as PyPI, NPM, Docker Hub and GitHub. Staging happens before any contact with the victim (ATT&CK files it under Resource Development), so the upload itself leaves no trace in the victim's telemetry; detection happens on the victim side, when endpoints retrieve the staged malware. Detection strategies therefore focus on network and file telemetry: executable content downloaded from suspicious hosting platforms, abnormal use of download-capable LOLBins, and package-manager installs of typosquatted or newly published packages.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1608 Stage Capabilities
Sub-technique
T1608.001 Upload Malware
Canonical reference
https://attack.mitre.org/techniques/T1608/001/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
let SuspiciousStagingDomains = dynamic([
    // IPFS gateways
    "ipfs.io", "cloudflare-ipfs.com", "gateway.ipfs.io", "dweb.link",
    "ipfs.fleek.co", "nftstorage.link", "w3s.link",
    // Discord CDN (widely abused for malware staging)
    "cdn.discordapp.com", "media.discordapp.net", "attachments.discordapp.net",
    // Paste sites
    "pastebin.com", "paste.ee", "hastebin.com", "ghostbin.co", "controlc.com",
    "rentry.co", "pastecode.io",
    // Anonymous file sharing
    "transfer.sh", "file.io", "gofile.io", "anonfiles.com", "pixeldrain.com",
    "0x0.st", "catbox.moe", "litterbox.catbox.moe",
    // Telegram CDN
    "t.me", "cdn1.telegram-cdn.org", "cdn4.telegram-cdn.org"
]);
// Compared against the trailing extension only (Branch 2), so "payload.exe.txt" does not match
let SuspiciousExtensions = dynamic([
    ".exe", ".dll", ".ps1", ".vbs", ".bat", ".cmd", ".hta",
    ".msi", ".lnk", ".scr", ".pif", ".cpl", ".jar"
]);
let DownloadLOLBins = dynamic([
    "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe",
    "msiexec.exe", "esentutl.exe", "desktopimgdownldr.exe"
]);
let ScriptHosts = dynamic(["powershell.exe", "pwsh.exe"]);
let Browsers = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"]);
// Branch 1: LOLBin or scripting engine downloading from suspicious staging platforms.
// RemoteUrl is only populated when MDE can attribute a hostname to the connection
// (HTTP inspection or a DNS cache hit); a connection logged with an empty RemoteUrl
// never matches this branch, so a miss here is not proof of absence.
let StagingDomainDownloads = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "HttpConnectionInspected")
| where isnotempty(RemoteUrl) and RemoteUrl has_any (SuspiciousStagingDomains)
| where InitiatingProcessFileName in~ (DownloadLOLBins)
    or InitiatingProcessFileName in~ (ScriptHosts)
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, DetectionBranch = "LOLBin_StagingDomain";
// Branch 2: Executable files written to high-risk paths by download processes.
// The extension is taken from the end of the file name rather than searched for as a
// term anywhere in it, so double extensions and "exe" appearing mid-name do not match.
let SuspiciousFileDrops = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where InitiatingProcessFileName in~ (DownloadLOLBins)
    or InitiatingProcessFileName in~ (ScriptHosts)
    or InitiatingProcessFileName in~ (Browsers)
| where FolderPath has_any (
    "\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\",
    "\\AppData\\Roaming\\", "\\ProgramData\\", "\\Users\\Public\\"
  )
| extend Extension = tolower(extract(@"(\.[A-Za-z0-9]+)$", 1, FileName))
| where Extension in (SuspiciousExtensions)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, DetectionBranch = "SuspiciousFileDrop";
// Branch 3: PowerShell or scripting engines contacting IPFS or blockchain RPC endpoints
let IPFSBlockchainAccess = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any ("ipfs.io", "cloudflare-ipfs.com", "dweb.link", "w3s.link")
    or RemotePort in (8545, 8546, 30303)  // Ethereum JSON-RPC over HTTP and WebSocket, and devp2p
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe",
       "wscript.exe", "cscript.exe", "mshta.exe")
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, DetectionBranch = "IPFS_Blockchain";
union StagingDomainDownloads, SuspiciousFileDrops, IPFSBlockchainAccess
| sort by Timestamp desc
```

Severity: medium · Confidence: low

Detects victim-side indicators of malware retrieval from adversary-staged infrastructure using Microsoft Defender for Endpoint tables. Three detection branches cover: (1) known LOLBins or scripting engines making outbound connections to suspicious file-hosting and paste platforms (Discord CDN, IPFS gateways, Pastebin, anonymous file sharing), (2) executable file drops to high-risk user-writable paths initiated by download processes, and (3) scripting-engine access to IPFS content gateways or Ethereum RPC ports used for blockchain-embedded malware delivery. Branches 1 and 3 only see connections for which MDE recorded a RemoteUrl, and branch 2 will be dominated by ordinary browser downloads to the Downloads folder until the path and process lists are tuned. The query has no branch for the package-manager staging path named in the introduction. Confidence is low because of legitimate overlap with developer tools and content distribution platforms; correlate with threat intelligence and behavioral context before escalating.
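The introduction and Test 3 below both describe package-manager staging, yet none of the three branches reads DeviceProcessEvents. The following is an added example of such a branch, written for this page and not part of the rule above. It uses "never installed anywhere in the environment during the previous 30 days" as a proxy for a newly published or typosquatted name; the 30-day and 1-day windows, the three-device threshold and the list of package-manager binaries are assumptions to tune locally.

```kusto
// Added example, not part of the detection rule above.
// Package-manager branch: pip/npm installs in the last day of a package name that was
// never installed in the environment during the preceding 30 days. Window sizes,
// the Devices threshold and the binary list are assumptions.
let LookbackKnown = 30d;
let LookbackNew = 1d;
let InstallEvents = materialize(
    DeviceProcessEvents
    | where Timestamp > ago(LookbackKnown)
    // On Windows, npm/pnpm/yarn run via a .cmd shim, so the process is cmd.exe; match on the command line for those
    | where FileName in~ ("pip.exe", "pip3.exe", "python.exe", "py.exe", "node.exe")
        or ProcessCommandLine has_any ("npm.cmd", "npm-cli.js", "pnpm.cmd", "yarn.cmd")
    | where ProcessCommandLine has "install"
    // Requirements-file installs name no package on the command line; hunt those separately
    | where not(ProcessCommandLine has_any ("-r ", "--requirement"))
    // First token after "install" that is not a flag. Flags that take a value
    // (e.g. --index-url <url>) are not modelled; the value would surface as the "package".
    | extend Spec = extract(@"(?i)\binstall\s+(?:-\S+\s+)*([^-\s]\S*)", 1, ProcessCommandLine)
    | where isnotempty(Spec)
    // Strip version pins and extras; keep npm scope: "requests==2.31" -> requests,
    // "pkg[crypto]" -> pkg, "@scope/pkg@1.0" -> @scope/pkg
    | extend PackageName = tolower(extract(@"^(@?[^=<>~!\[@ ]+(?:/[^=<>~!\[@ ]+)?)", 1, Spec))
    | where isnotempty(PackageName));
// Names seen in the baseline window are "known"; the tabular expression feeds !in below
let KnownPackages = InstallEvents
| where Timestamp < ago(LookbackNew)
| summarize by PackageName;
InstallEvents
| where Timestamp > ago(LookbackNew)
| where PackageName !in (KnownPackages)
| summarize FirstSeen = min(Timestamp), Devices = dcount(DeviceName),
            Accounts = make_set(AccountName, 10), CommandLines = make_set(ProcessCommandLine, 5)
  by PackageName
// A name appearing on many devices at once reads as a roll-out or change, not staging
| where Devices <= 3
| sort by FirstSeen desc
```

The result is a hunting list rather than an alert: each row is a package name new to the organisation, with the devices, accounts and exact command lines that installed it, which is what an analyst needs to check the name against the registry's publish date and against the popular package it may be imitating.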

Data Sources

  • Network Traffic: Network Connection Creation
  • File: File Creation
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceNetworkEvents
  • DeviceFileEvents

Both tables reach Sentinel through the Microsoft Defender XDR data connector; the query does not run against Sysmon or Windows Security events.

False Positives & Tuning

  • Software developers and researchers legitimately accessing IPFS gateways to retrieve decentralized content or test IPFS-hosted applications
  • IT administrators using certutil.exe or bitsadmin.exe for legitimate software distribution, update delivery, or certificate operations
  • Users downloading legitimate installers from file-sharing platforms (Discord attachments shared in dev communities, transfer.sh for ops file sharing)
  • CI/CD pipeline agents using curl or wget to fetch build artifacts or bootstrap scripts from GitHub raw content URLs
  • Browser-initiated downloads of legitimate software from sites that share infrastructure with abused platforms
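One way to act on the tuning points above, as an added example rather than the page's own rule: keep the staging-domain list and the CI/CD runner exclusions in Sentinel watchlists so they can be changed without editing the analytics rule, and collapse repeated connections into one row per device, account, process and day. The watchlist names ('StagingDomains' with a Domain column, 'CICDRunners' with a DeviceName column) are assumptions; `_GetWatchlist()` is Sentinel's built-in watchlist accessor.

```kusto
// Added tuning example, not part of the detection rule above.
// Assumes two watchlists created in Sentinel: "StagingDomains" (column: Domain)
// and "CICDRunners" (column: DeviceName). Both names are assumptions.
let SuspiciousStagingDomains = toscalar(
    _GetWatchlist('StagingDomains')
    | summarize make_list(Domain));
let CiRunners = _GetWatchlist('CICDRunners')
| project DeviceName;
let Downloaders = dynamic(["certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe",
                           "powershell.exe", "pwsh.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "HttpConnectionInspected")
| where isnotempty(RemoteUrl) and RemoteUrl has_any (SuspiciousStagingDomains)
| where InitiatingProcessFileName in~ (Downloaders)
// Build agents fetch from these platforms routinely; suppress by host, not by process,
// so that curl from a workstation still alerts
| where DeviceName !in~ (CiRunners)
// One row per staging episode: the analytics rule then fires once per device and day,
// with the URLs and command lines kept as evidence arrays instead of separate alerts
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Urls = make_set(RemoteUrl, 20), CommandLines = make_set(InitiatingProcessCommandLine, 5)
  by DeviceName, AccountName, InitiatingProcessFileName, Day = bin(Timestamp, 1d)
| sort by FirstSeen desc
```

File-sharing and CDN hostnames change often, which is the main reason to hold the domain list outside the query body; the same watchlist can be referenced by the file-drop and IPFS branches without duplicating it.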

Testing Methodology

Validate this detection against the four Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. The expected signals are written in Sysmon terms; on a Defender for Endpoint host the same events surface as DeviceProcessEvents (Event ID 1), DeviceNetworkEvents (Event ID 3) and DeviceFileEvents (Event ID 11), which are the tables the query above reads.

  1. Test 1: Download Staged Payload via certutil LOLBin

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-urlcache -split -f https://'. Sysmon Event ID 3: Network connection from certutil.exe to 185.199.x.x (GitHub CDN) on port 443. Sysmon Event ID 11: File creation at %TEMP%\df00tech_staged_test.txt. Microsoft-Windows-Bits-Client/Operational does not fire (certutil downloads through the WinINet URL cache, not BITS). Zone.Identifier ADS on the output file recording the source URL and ZoneId=3. As written, this test produces the telemetry but does not match the query above: GitHub is not on the staging-domain list and .txt is not a flagged extension. To exercise Branch 2, write the output to %TEMP% with a flagged extension such as .bat.

  2. Test 2: Retrieve Content from IPFS Gateway via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-WebRequest' and 'ipfs.io'. Sysmon Event ID 3: Network connection from powershell.exe to ipfs.io (209.94.x.x) on port 443. PowerShell ScriptBlock Log Event ID 4104 with the full IWR command. Sysmon Event ID 11: File creation at %TEMP%\df00tech_ipfs_test.txt with Zone.Identifier ADS containing HostUrl=https://ipfs.io/ipfs/... Both Branch 1 and Branch 3 match this connection, so expect two rows with different DetectionBranch values for the same event.

  3. Test 3: Simulate Typosquatted Package Install from PyPI

    Expected signal: Sysmon Event ID 1: Process Create with Image=pip.exe or python.exe, CommandLine containing 'install' and the package name. Sysmon Event ID 3: Network connection from python.exe to pypi.org (151.101.x.x) and files.pythonhosted.org on port 443. Sysmon Event ID 11: Multiple file creation events in the target directory for .whl and extracted package files. Proxy log: HTTP GET requests to pypi.org/simple/<package>/ and files.pythonhosted.org with content-type application/zip or application/octet-stream. This test exercises the package-manager staging path described in the introduction, which none of the three query branches covers; it validates the telemetry rather than the rule.

  4. Test 4: Download from Discord CDN via PowerShell (Simulated)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient', 'DownloadFile', 'cdn.discordapp.com', and '-ExecutionPolicy Bypass'. Sysmon Event ID 3: Network connection from powershell.exe to cdn.discordapp.com on port 443. The download will return 404 for the placeholder URL, but the DNS resolution and TCP connection telemetry still fire; Branch 1 keys on ConnectionSuccess rather than on the HTTP status, so the rule still matches. PowerShell ScriptBlock Log Event ID 4104 with full command.
