T1608.002 Upload Tool Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let KnownToolNames = dynamic([
  "psexec", "psexec64", "mimikatz", "gsecdump", "wce.exe", "pwdump",
  "meterpreter", "beacon", "cobalt", "sharphound", "bloodhound",
  "rubeus", "seatbelt", "winpeas", "linpeas", "lazagne",
  "crackmapexec", "netscan", "chisel", "ligolo", "frp.exe",
  "impacket", "secretsdump", "netcat", "nc.exe", "ncat",
  "socat", "htran", "lcx", "reGeorg", "invoke-mimikatz"
]);
let StagingDomains = dynamic([
  "filemail.com", "transfer.sh", "gofile.io", "anonfiles.com",
  "wetransfer.com", "sendspace.com", "filesend.jp", "file.io",
  "tmpfiles.org", "ufile.io", "uploadfiles.io", "bayfiles.com"
]);
let SuspiciousDownloadPaths = dynamic([
  "\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\",
  "\\ProgramData\\", "\\Users\\Public\\", "\\Windows\\Temp\\"
]);
// Branch 1: Tool names downloaded via browser or download utilities from staging domains
let ToolDownloadsFromStaging = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileRenamed")
| where FolderPath has_any (SuspiciousDownloadPaths)
| where FileName has_any (KnownToolNames) or FileName endswith ".exe" or FileName endswith ".zip"
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe",
    "iexplore.exe", "powershell.exe", "pwsh.exe", "curl.exe", "wget.exe",
    "bitsadmin.exe", "certutil.exe", "mshta.exe", "wscript.exe", "cscript.exe")
| extend DetectionBranch = "ToolNameInDownloadPath"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         SHA256, DetectionBranch;
// Branch 2: Network connections to known file staging/hosting domains
let StagingDomainConnections = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteUrl has_any (StagingDomains)
| extend DetectionBranch = "ConnectionToStagingDomain"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
         FileName = InitiatingProcessFileName,
         FolderPath = InitiatingProcessFolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         SHA256 = "", DetectionBranch;
// Branch 3: Process execution of attack tools from suspicious download paths
let ToolExecutionFromDownloadPath = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (SuspiciousDownloadPaths)
| where FileName has_any (KnownToolNames) or ProcessCommandLine has_any (KnownToolNames)
| extend DetectionBranch = "ToolExecutedFromDownloadPath"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         SHA256, DetectionBranch;
union ToolDownloadsFromStaging, StagingDomainConnections, ToolExecutionFromDownloadPath
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Creation Network Traffic: Network Connection Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceNetworkEvents DeviceProcessEvents

False Positives

Security teams running authorized penetration tests or red team exercises downloading offensive tooling to test endpoints
IT administrators downloading PsExec, SysInternals suite, or network scanners (Nmap, Netscan) for legitimate diagnostics
Developers downloading open-source security research tools (BloodHound for AD auditing, Impacket for protocol testing) for authorized use
Bug bounty researchers or internal security engineers staging tools on shared infrastructure for assessments
Incident response teams deploying DFIR toolkits from an internal staging server during an active investigation

Splunk

spl

| multisearch
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
   (TargetFilename="*\\Downloads\\*" OR TargetFilename="*\\Temp\\*" OR TargetFilename="*\\ProgramData\\*" OR TargetFilename="*\\Users\\Public\\*" OR TargetFilename="*\\Windows\\Temp\\*")
   (Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\firefox.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\curl.exe" OR Image="*\\wget.exe" OR Image="*\\bitsadmin.exe" OR Image="*\\certutil.exe")
   | eval DetectionBranch="FileCreatedInDownloadPath"
   | eval SuspicionReason="Tool-related file created in suspicious path by download utility"
   | eval ToolHit=if(match(lower(TargetFilename), "(psexec|mimikatz|gsecdump|meterpreter|beacon|cobalt|sharphound|bloodhound|rubeus|seatbelt|winpeas|lazagne|crackmapexec|netscan|chisel|ligolo|frp\.exe|impacket|secretsdump|netcat|nc\.exe|ncat|socat|htran|lcx|regeorg)"), 1, 0)
   | table _time, host, User, TargetFilename, Image, CommandLine, DetectionBranch, SuspicionReason, ToolHit]
  [search index=proxy OR index=web sourcetype=stream:http OR sourcetype="squid" OR sourcetype="bluecoat:proxysg:access:syslog"
   (url="*filemail.com*" OR url="*transfer.sh*" OR url="*gofile.io*" OR url="*anonfiles.com*" OR url="*wetransfer.com*" OR url="*sendspace.com*" OR url="*file.io*" OR url="*tmpfiles.org*" OR url="*ufile.io*" OR url="*uploadfiles.io*" OR url="*bayfiles.com*")
   | eval DetectionBranch="ConnectionToFileStagingDomain"
   | eval SuspicionReason="Network connection to known file staging/hosting domain"
   | eval ToolHit=0
   | table _time, host, src_ip, url, http_method, http_user_agent, status, bytes_out, DetectionBranch, SuspicionReason, ToolHit]
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
   (CurrentDirectory="*\\Downloads\\*" OR CurrentDirectory="*\\Temp\\*" OR CurrentDirectory="*\\ProgramData\\*" OR CurrentDirectory="*\\Users\\Public\\*" OR Image="*\\Downloads\\*" OR Image="*\\Temp\\*" OR Image="*\\Users\\Public\\*")
   (Image="*psexec*" OR Image="*mimikatz*" OR CommandLine="*gsecdump*" OR CommandLine="*meterpreter*" OR CommandLine="*beacon*" OR CommandLine="*sharphound*" OR CommandLine="*rubeus*" OR CommandLine="*seatbelt*" OR CommandLine="*winpeas*" OR CommandLine="*lazagne*" OR CommandLine="*crackmapexec*" OR CommandLine="*chisel*" OR CommandLine="*netcat*" OR CommandLine="*socat*" OR CommandLine="*secretsdump*")
   | eval DetectionBranch="ToolExecutedFromDownloadPath"
   | eval SuspicionReason="Known offensive tool executed from download/temp directory"
   | eval ToolHit=1
   | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, SuspicionReason, ToolHit]
| eval SuspicionScore=case(ToolHit=1 AND DetectionBranch="ToolExecutedFromDownloadPath", 3, ToolHit=1 AND DetectionBranch="FileCreatedInDownloadPath", 2, DetectionBranch="ConnectionToFileStagingDomain", 1, true(), 1)
| table _time, host, User, DetectionBranch, SuspicionReason, SuspicionScore, ToolHit, CommandLine, Image, url
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

File: File Creation Network Traffic: Network Connection Creation Process: Process Creation Sysmon Event ID 11 Sysmon Event ID 1 Proxy/Web Logs

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational stream:http

False Positives

Security teams running authorized penetration tests or red team exercises downloading offensive tooling
IT administrators downloading PsExec or SysInternals utilities for legitimate diagnostics and troubleshooting
Developers downloading open-source security research tools such as BloodHound or Impacket for authorized internal use
Incident response teams deploying DFIR toolkits from staging servers during active investigations
Vulnerability management platforms (Tenable, Qualys) that stage and execute scanning components from temp directories

Elastic Security (EQL)

eql

any where process.name : ("curl", "wget", "powershell.exe", "certutil.exe", "bitsadmin.exe") and (process.command_line : ("*.bin", "*.exe", "*.dll", "*.ps1", "*.bat", "*.vbs", "*.hta") or network.direction : "egress" and destination.port in (80, 443) and process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe"))

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent Network Events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-*

False Positives

Security teams running authorized penetration tests or red team exercises downloading offensive tooling to test endpoints
IT administrators downloading PsExec, SysInternals suite, or network scanners (Nmap, Netscan) for legitimate diagnostics
Developers downloading open-source security research tools (BloodHound for AD auditing, Impacket for protocol testing) for authorized use
Bug bounty researchers or internal security engineers staging tools on shared infrastructure for assessments
Incident response teams deploying DFIR toolkits from an internal staging server during an active investigation

IBM QRadar (AQL)

sql

SELECT sourceip as "SourceIP", destinationip as "DestinationIP", UTF8(payload) as "URL", username as "Username", devicetime as "EventTime", CASE WHEN UTF8(payload) ILIKE '%.exe%' OR UTF8(payload) ILIKE '%.dll%' OR UTF8(payload) ILIKE '%.bin%' THEN 80 WHEN UTF8(payload) ILIKE '%paste%' OR UTF8(payload) ILIKE '%transfer.sh%' OR UTF8(payload) ILIKE '%gofile%' THEN 75 WHEN UTF8(payload) ILIKE '%certutil%' OR UTF8(payload) ILIKE '%bitsadmin%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Proxy', 'Windows', 'Zscaler Internet Access') AND (eventid = 4688 OR destinationport IN (80, 443)) ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log Proxy Zscaler Internet Access

Required Tables

events

False Positives

Security teams running authorized penetration tests or red team exercises downloading offensive tooling to test endpoints
IT administrators downloading PsExec, SysInternals suite, or network scanners (Nmap, Netscan) for legitimate diagnostics
Developers downloading open-source security research tools (BloodHound for AD auditing, Impacket for protocol testing) for authorized use
Bug bounty researchers or internal security engineers staging tools on shared infrastructure for assessments
Incident response teams deploying DFIR toolkits from an internal staging server during an active investigation

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows OR _sourceCategory=proxy/access | json auto | where (process_name in ("curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe") and (command_line matches "*.exe" or command_line matches "*.dll" or command_line matches "*.bin")) or (url matches "*transfer.sh*" or url matches "*paste.ee*" or url matches "*gofile.io*") | if(matches(process_name, "*certutil*") and matches(command_line, "*urlcache*"), "High", if(matches(url, "*transfer.sh*") or matches(url, "*gofile.io*"), "High", "Medium")) as RiskLevel | count by src_ip, process_name, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Windows Endpoint Events Proxy Access Logs

Required Tables

endpoint/windows proxy/access

False Positives

Security teams running authorized penetration tests or red team exercises downloading offensive tooling to test endpoints
IT administrators downloading PsExec, SysInternals suite, or network scanners (Nmap, Netscan) for legitimate diagnostics
Developers downloading open-source security research tools (BloodHound for AD auditing, Impacket for protocol testing) for authorized use
Bug bounty researchers or internal security engineers staging tools on shared infrastructure for assessments
Incident response teams deploying DFIR toolkits from an internal staging server during an active investigation

Google Chronicle / SecOps

yaral

rule detect_stage_capabilities {
  meta:
    author = "Argus"
    description = "Detects staging of capabilities from external infrastructure"
    severity = "HIGH"
    technique = "T1608"
  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    (
      re.regex($e.target.url, `\.(exe|dll|bin|ps1|bat|vbs|hta|sh|elf)($|\?)`) nocase or
      re.regex($e.target.hostname, `transfer\.sh|paste\.ee|gofile\.io|anonfiles|temp\.sh`) nocase
    )
    $e.principal.process.file.full_path != ""
  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Telemetry Web Proxy Google Workspace

Required Tables

NETWORK_HTTP PROCESS_LAUNCH FILE_CREATION

False Positives

Security teams running authorized penetration tests or red team exercises downloading offensive tooling to test endpoints
IT administrators downloading PsExec, SysInternals suite, or network scanners (Nmap, Netscan) for legitimate diagnostics
Developers downloading open-source security research tools (BloodHound for AD auditing, Impacket for protocol testing) for authorized use
Bug bounty researchers or internal security engineers staging tools on shared infrastructure for assessments
Incident response teams deploying DFIR toolkits from an internal staging server during an active investigation

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /certutil|bitsadmin|curl|wget/i
| CommandHistory = /urlcache|transfer|download|http/i
| case {
    CommandHistory = /\.exe|\.dll|\.bin/i | FileType := "Executable";
    CommandHistory = /\.ps1|\.bat|\.vbs/i | FileType := "Script";
    * | FileType := "Other"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, FileType])

high severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor) NetworkConnectIP4 (Falcon sensor)

Required Tables

ProcessRollup2 NetworkConnectIP4 DetectionSummaryEvent

False Positives

Security teams running authorized penetration tests or red team exercises downloading offensive tooling to test endpoints
IT administrators downloading PsExec, SysInternals suite, or network scanners (Nmap, Netscan) for legitimate diagnostics
Developers downloading open-source security research tools (BloodHound for AD auditing, Impacket for protocol testing) for authorized use
Bug bounty researchers or internal security engineers staging tools on shared infrastructure for assessments
Incident response teams deploying DFIR toolkits from an internal staging server during an active investigation

Upload Tool

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections