Detect Upload Malware in Splunk
Adversaries may upload malware to third-party or adversary-controlled infrastructure to make it accessible during targeting. This includes placing payloads on compromised or purchased web servers, abusing public file-sharing services (Discord CDN, Pastebin, Dropbox, Google Drive), hosting on the InterPlanetary File System (IPFS) to resist takedowns, embedding in blockchain smart contracts, or backdooring software packages uploaded to repositories such as PyPI, NPM, Docker Hub, and GitHub. Detection of this PRE-attack technique occurs primarily on the victim side — when endpoints retrieve the staged malware — rather than at the point of upload. Detection strategies focus on network and file telemetry identifying executable content downloads from suspicious hosting platforms, abnormal use of download LOLBins, and package manager installs of typosquatted or newly-published packages.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1608 Stage Capabilities
- Sub-technique: T1608.001 Upload Malware
- Canonical reference: https://attack.mitre.org/techniques/T1608/001/
SPL Detection Query
(index=proxy OR index=web OR index=network)
(sourcetype="bluecoat:proxysg:access:syslog" OR sourcetype="squid" OR sourcetype="stream:http" OR sourcetype="cisco:esa:http")
| eval domain=lower(coalesce(cs_host, dest_host, url_domain, host))
| eval url_lower=lower(coalesce(cs_uri_stem, url, uri_path))
| eval content_type=lower(coalesce(cs_mime_type, content_type, mime_type))
| eval user_agent=lower(coalesce(cs_useragent, http_user_agent, useragent))
| eval staging_platform=case(
    match(domain, "(ipfs\.io|cloudflare-ipfs\.com|gateway\.ipfs\.io|dweb\.link|w3s\.link|nftstorage\.link)"), "IPFS_Gateway",
    match(domain, "(cdn\.discordapp\.com|media\.discordapp\.net|attachments\.discordapp\.net)"), "Discord_CDN",
    match(domain, "(pastebin\.com|paste\.ee|hastebin\.com|ghostbin\.co|rentry\.co|controlc\.com|pastecode\.io)"), "Paste_Site",
    match(domain, "(transfer\.sh|file\.io|gofile\.io|anonfiles\.com|pixeldrain\.com|0x0\.st|catbox\.moe)"), "AnonFileShare",
    match(domain, "(cdn1\.telegram-cdn\.org|cdn4\.telegram-cdn\.org)"), "Telegram_CDN",
    true(), null()
  )
| where isnotnull(staging_platform)
| eval executable_content=if(
    match(content_type, "(application/x-msdownload|application/octet-stream|application/x-executable|application/x-dosexec|application/x-msdos-program)")
    OR match(url_lower, "(\.exe|\.dll|\.ps1|\.vbs|\.bat|\.cmd|\.hta|\.msi|\.lnk|\.scr|\.jar)$"),
    1, 0
  )
| eval suspicious_useragent=if(
    match(user_agent, "(powershell|curl|wget|python-requests|go-http|libwww-perl|mshta|wscript|certutil|bitsadmin)"),
    1, 0
  )
| eval suspicion_score=executable_content + suspicious_useragent
| where suspicion_score > 0
| eval alert_context=case(
    executable_content=1 AND suspicious_useragent=1, "Executable download via scripting agent - HIGH",
    executable_content=1, "Executable content type from staging platform",
    suspicious_useragent=1, "Automated downloader accessing staging platform",
    true(), "Staging platform access"
  )
| stats
    count as request_count,
    values(url_lower) as urls,
    values(content_type) as content_types,
    values(user_agent) as user_agents,
    max(suspicion_score) as max_score,
    values(alert_context) as alert_contexts,
    earliest(_time) as first_seen,
    latest(_time) as last_seen
  by src_ip, domain, staging_platform
| sort - max_score, - request_count

Detects downloads from known malware staging and file-sharing platforms using proxy and web gateway logs. Classifies traffic by staging platform type (IPFS gateway, Discord CDN, paste sites, anonymous file shares, Telegram CDN) and assigns a suspicion score based on executable content-type indicators and automated download tool user-agent strings. Aggregates by source IP and destination domain to surface repeated access patterns and correlated download activity. Requires proxy or web gateway logs forwarded to Splunk with content-type and user-agent fields intact.

Two details of the query are worth knowing before tuning it. The user-agent field is lower-cased once and the match is a substring match, which is what catches the default Invoke-WebRequest user-agent (it ends in "WindowsPowerShell/<version>") as well as curl, wget and the listed LOLBins. The `where suspicion_score > 0` filter drops plain access to a staging platform with neither indicator, so the "Staging platform access" branch of alert_context is never emitted; change the threshold to `>= 0` if you want a low-severity record of every access. The stats clause groups on src_ip, so map your sourcetype's client-address field onto it if it is not already normalised.
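The classification, scoring and aggregation steps of the query, re-implemented in Python as an added example (this is not code from the original page or from the rule's author) so the logic can be exercised offline against a few constructed proxy records. It reproduces the `where suspicion_score > 0` filter, so plain staging-platform access is dropped exactly as in the SPL, and it adds an `allow_src` parameter as the simplest form of the tuning discussed under False Positives & Tuning. The sample records, the `allow_src` parameter and the dictionary field names are assumptions of this example.

```python
import re

# Constructed proxy records (not captured telemetry). The keys mirror the
# alternative field names the SPL query coalesces for each attribute.
SAMPLE_PROXY_LOGS = [
    {"src_ip": "10.1.2.3", "cs_host": "cdn.discordapp.com",
     "cs_uri_stem": "/attachments/111/222/update.exe",
     "cs_mime_type": "application/octet-stream",
     "cs_useragent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1"},
    {"src_ip": "10.1.2.3", "dest_host": "cdn.discordapp.com",
     "url": "/attachments/111/333/helper.dll",
     "content_type": "application/x-msdownload", "http_user_agent": "curl/8.4.0"},
    {"src_ip": "10.1.2.4", "cs_host": "ipfs.io",
     "cs_uri_stem": "/ipfs/bafyconstructedcid/bootstrap.txt",
     "cs_mime_type": "text/plain", "cs_useragent": "curl/8.4.0"},
    {"src_ip": "10.1.2.5", "cs_host": "pastebin.com", "cs_uri_stem": "/raw/abcd1234",
     "cs_mime_type": "text/plain",
     "cs_useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"},
    {"src_ip": "10.1.2.6", "cs_host": "transfer.sh", "cs_uri_stem": "/xyz/setup.ps1",
     "cs_mime_type": "text/plain",
     "cs_useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"src_ip": "10.1.2.7", "cs_host": "github.com", "cs_uri_stem": "/org/repo/releases/tool.exe",
     "cs_mime_type": "application/octet-stream", "cs_useragent": "curl/8.4.0"},
]

# Same patterns as the staging_platform case() in the query, in evaluation order.
STAGING_PLATFORMS = [
    ("IPFS_Gateway", re.compile(r"(ipfs\.io|cloudflare-ipfs\.com|gateway\.ipfs\.io|dweb\.link|w3s\.link|nftstorage\.link)")),
    ("Discord_CDN", re.compile(r"(cdn\.discordapp\.com|media\.discordapp\.net|attachments\.discordapp\.net)")),
    ("Paste_Site", re.compile(r"(pastebin\.com|paste\.ee|hastebin\.com|ghostbin\.co|rentry\.co|controlc\.com|pastecode\.io)")),
    ("AnonFileShare", re.compile(r"(transfer\.sh|file\.io|gofile\.io|anonfiles\.com|pixeldrain\.com|0x0\.st|catbox\.moe)")),
    ("Telegram_CDN", re.compile(r"(cdn1\.telegram-cdn\.org|cdn4\.telegram-cdn\.org)")),
]
EXEC_MIME = re.compile(r"(application/x-msdownload|application/octet-stream|application/x-executable|application/x-dosexec|application/x-msdos-program)")
EXEC_EXT = re.compile(r"(\.exe|\.dll|\.ps1|\.vbs|\.bat|\.cmd|\.hta|\.msi|\.lnk|\.scr|\.jar)$")
DOWNLOADER_UA = re.compile(r"(powershell|curl|wget|python-requests|go-http|libwww-perl|mshta|wscript|certutil|bitsadmin)")


def coalesce(rec, *names):
    """First non-empty value among the candidate field names (like SPL coalesce)."""
    for name in names:
        value = rec.get(name)
        if value not in (None, ""):
            return value
    return ""


def classify(rec):
    """Score one record; returns None when the host is not a known staging platform."""
    domain = coalesce(rec, "cs_host", "dest_host", "url_domain", "host").lower()
    url = coalesce(rec, "cs_uri_stem", "url", "uri_path").lower()
    ctype = coalesce(rec, "cs_mime_type", "content_type", "mime_type").lower()
    ua = coalesce(rec, "cs_useragent", "http_user_agent", "useragent").lower()
    platform = next((name for name, rx in STAGING_PLATFORMS if rx.search(domain)), None)
    if platform is None:
        return None
    exe = int(bool(EXEC_MIME.search(ctype) or EXEC_EXT.search(url)))
    auto = int(bool(DOWNLOADER_UA.search(ua)))  # substring match, as in the SPL
    if exe and auto:
        context = "Executable download via scripting agent - HIGH"
    elif exe:
        context = "Executable content type from staging platform"
    elif auto:
        context = "Automated downloader accessing staging platform"
    else:
        context = "Staging platform access"
    return {"domain": domain, "platform": platform, "url": url, "content_type": ctype,
            "user_agent": ua, "score": exe + auto, "context": context}


def score_logs(records, allow_src=frozenset()):
    """Aggregate like the stats clause, keyed on (src_ip, domain, staging_platform).

    allow_src is an assumed tuning knob: source addresses of approved automation
    (build agents, researcher sandboxes) are skipped before scoring.
    """
    groups = {}
    for rec in records:
        src = rec.get("src_ip", "")
        if src in allow_src:
            continue
        c = classify(rec)
        if c is None or c["score"] == 0:  # mirrors `where suspicion_score > 0`
            continue
        key = (src, c["domain"], c["platform"])
        g = groups.get(key)
        if g is None:
            g = groups[key] = {"src_ip": src, "domain": c["domain"], "staging_platform": c["platform"],
                               "request_count": 0, "urls": set(), "content_types": set(),
                               "user_agents": set(), "max_score": 0, "alert_contexts": set()}
        g["request_count"] += 1
        g["urls"].add(c["url"])
        g["content_types"].add(c["content_type"])
        g["user_agents"].add(c["user_agent"])
        g["max_score"] = max(g["max_score"], c["score"])
        g["alert_contexts"].add(c["context"])
    # sort - max_score, - request_count
    return sorted(groups.values(), key=lambda g: (-g["max_score"], -g["request_count"]))


if __name__ == "__main__":
    for row in score_logs(SAMPLE_PROXY_LOGS):
        print(row["max_score"], row["request_count"], row["src_ip"], row["domain"],
              row["staging_platform"], sorted(row["alert_contexts"]))
```

Running it shows the Discord CDN pair from 10.1.2.3 at the top with a score of 2 and two requests, the curl fetch from ipfs.io and the browser download of a .ps1 from transfer.sh at score 1, and nothing for the pastebin browser visit or the GitHub download: the former has no indicator and is dropped by the threshold, the latter is not in the staging list at all.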
Data Sources
Required Sourcetypes
The query reads from index=proxy, index=web or index=network and restricts itself to these sourcetypes:
- bluecoat:proxysg:access:syslog
- squid
- stream:http
- cisco:esa:http
Whichever sourcetype supplies the data, the destination host, URL path, MIME type and user-agent must arrive under one of the field names the query coalesces (cs_host/dest_host/url_domain/host, cs_uri_stem/url/uri_path, cs_mime_type/content_type/mime_type, cs_useragent/http_user_agent/useragent), and the client address must be available as src_ip.
False Positives & Tuning
- Developers frequently downloading from IPFS gateways as part of Web3 application development or testing
- IT teams using automated scripts (curl, wget) to download software from file-sharing platforms as part of approved provisioning workflows
- Employees sharing work files via Discord attachments in engineering channels, resulting in CDN download telemetry
- Automated build pipelines or monitoring tools accessing paste sites to retrieve configuration or bootstrap scripts
- Security researchers deliberately accessing staging platforms as part of threat intelligence collection or sandboxed malware analysis
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Download Staged Payload via certutil LOLBin
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-urlcache -split -f https://'. Sysmon Event ID 3: Network connection from certutil.exe to 185.199.x.x (GitHub CDN) on port 443. Sysmon Event ID 11: File creation at %TEMP%\df00tech_staged_test.txt. Windows-Bits-Client/Operational may not fire (certutil uses WinHTTP, not BITS). Zone.Identifier ADS on the output file recording the source URL and ZoneId=3.
- Test 2: Retrieve Content from IPFS Gateway via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-WebRequest' and 'ipfs.io'. Sysmon Event ID 3: Network connection from powershell.exe to ipfs.io (209.94.x.x) on port 443. PowerShell ScriptBlock Log Event ID 4104 with the full IWR command. Sysmon Event ID 11: File creation at %TEMP%\df00tech_ipfs_test.txt with Zone.Identifier ADS containing HostUrl=https://ipfs.io/ipfs/...
- Test 3: Simulate Typosquatted Package Install from PyPI
Expected signal: Sysmon Event ID 1: Process Create with Image=pip.exe or python.exe, CommandLine containing 'install' and the package name. Sysmon Event ID 3: Network connection from python.exe to pypi.org (151.101.x.x) and files.pythonhosted.org on port 443. Sysmon Event ID 11: Multiple file creation events in the target directory for .whl and extracted package files. Proxy log: HTTP GET requests to pypi.org/simple/<package>/ and files.pythonhosted.org with content-type application/zip or application/octet-stream.
- Test 4: Download from Discord CDN via PowerShell (Simulated)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Net.WebClient', 'DownloadFile', 'cdn.discordapp.com', and '-ExecutionPolicy Bypass'. Sysmon Event ID 3: Network connection from powershell.exe to cdn.discordapp.com on port 443. The download will return 404 for the placeholder URL, but the DNS resolution and TCP connection telemetry still fire. PowerShell ScriptBlock Log Event ID 4104 with full command.
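Once the four tests have been run, the expected signals above can be checked mechanically against an export of the host's Sysmon events. The Python below is an added example, not code from the original page or from Atomic Red Team: it joins Event ID 1 (process create) and Event ID 3 (network connection) records on ProcessGuid and reports, per test, whether both the process signal and the network signal were observed, which is what tells you whether the endpoint telemetry pipeline is complete. The EXPECTED_SIGNALS patterns are transcribed from the test descriptions; the event records are constructed (placeholder URLs, a documentation-range IP), and a real export would need its field names mapped onto the Sysmon ones used here.

```python
import re
from collections import defaultdict

# Expected signals per test, transcribed from the Testing Methodology section.
# "image" and every "cmdline" pattern must match the Event ID 1 record
# (case-insensitive); "dest" is matched against DestinationHostname or
# DestinationIp of Event ID 3 records sharing that process's ProcessGuid.
EXPECTED_SIGNALS = {
    "Test 1": {  # certutil LOLBin download
        "image": r"\\certutil\.exe$",
        "cmdline": [r"-urlcache\s+-split\s+-f\s+https://"],
        "dest": r"\b185\.199\.\d+\.\d+",  # GitHub CDN range named in the test
    },
    "Test 2": {  # IPFS gateway via PowerShell
        "image": r"\\powershell\.exe$",
        "cmdline": [r"invoke-webrequest", r"ipfs\.io"],
        "dest": r"\bipfs\.io\b",
    },
    "Test 3": {  # typosquatted package install from PyPI
        "image": r"\\(pip|python)\.exe$",
        "cmdline": [r"\binstall\b"],
        "dest": r"\b(pypi\.org|files\.pythonhosted\.org)\b",
    },
    "Test 4": {  # Discord CDN via PowerShell
        "image": r"\\powershell\.exe$",
        "cmdline": [r"net\.webclient", r"downloadfile", r"cdn\.discordapp\.com", r"-executionpolicy\s+bypass"],
        "dest": r"\bcdn\.discordapp\.com\b",
    },
}

# Constructed Sysmon-style events (not real captures). Test 2 deliberately has
# no Event ID 3 record, standing in for a host whose network telemetry is missing.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-1}", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f https://example.invalid/df00tech_staged_test.txt %TEMP%\df00tech_staged_test.txt"},
    {"EventID": 3, "ProcessGuid": "{guid-1}", "Image": r"C:\Windows\System32\certutil.exe",
     "DestinationIp": "185.199.108.133", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{guid-2}", "Image": PS_IMAGE,
     "CommandLine": r"powershell.exe -Command Invoke-WebRequest https://ipfs.io/ipfs/<cid-placeholder> -OutFile $env:TEMP\df00tech_ipfs_test.txt"},
    {"EventID": 1, "ProcessGuid": "{guid-3}", "Image": PS_IMAGE,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -Command (New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/placeholder/test.txt', 'C:\placeholder\test.txt')"},
    {"EventID": 3, "ProcessGuid": "{guid-3}", "Image": PS_IMAGE,
     "DestinationHostname": "cdn.discordapp.com", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign PowerShell activity that must not satisfy any test.
    {"EventID": 1, "ProcessGuid": "{guid-4}", "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -Command Get-Process"},
]


def validate_telemetry(events):
    """Return {test: {"process": bool, "network": bool}} for the expected signals."""
    net_by_guid = defaultdict(list)
    for e in events:
        if e.get("EventID") == 3:
            net_by_guid[e["ProcessGuid"]].append(e)
    report = {name: {"process": False, "network": False} for name in EXPECTED_SIGNALS}
    for p in (e for e in events if e.get("EventID") == 1):
        for name, sig in EXPECTED_SIGNALS.items():
            if not re.search(sig["image"], p.get("Image", ""), re.I):
                continue
            if not all(re.search(rx, p.get("CommandLine", ""), re.I) for rx in sig["cmdline"]):
                continue
            report[name]["process"] = True
            # Join to network connections made by the same process instance.
            for n in net_by_guid.get(p["ProcessGuid"], []):
                target = f'{n.get("DestinationHostname", "")} {n.get("DestinationIp", "")}'
                if re.search(sig["dest"], target, re.I):
                    report[name]["network"] = True
    return report


def missing_signals(report):
    """Names of tests for which either expected signal was not observed."""
    return sorted(name for name, r in report.items() if not (r["process"] and r["network"]))


if __name__ == "__main__":
    result = validate_telemetry(SAMPLE_EVENTS)
    for name, r in result.items():
        print(name, "process:", r["process"], "network:", r["network"])
    print("incomplete:", missing_signals(result))
```

On the constructed events Test 1 and Test 4 show both signals, Test 2 shows the process-create but no network connection, and Test 3 was never run, so `missing_signals` names Test 2 and Test 3. Joining on ProcessGuid rather than on Image matters here: the benign PowerShell process shares an image path with Tests 2 and 4 but is not credited with their network evidence.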
References
- https://attack.mitre.org/techniques/T1608/001/
- https://blog.talosintelligence.com/ipfs-abuse/
- https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16
- https://www.bleepingcomputer.com/news/security/hackers-use-binance-smart-chain-contracts-to-store-malicious-scripts/
- https://securitylabs.datadoghq.com/articles/malicious-pypi-package-targeting-highly-specific-macos-machines/
- https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1608.001/T1608.001.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://abuse.ch/blog/urlhaus-api/
- https://www.proofpoint.com/us/blog/threat-insight/ta2541-flying-under-radar