T1608.002 IBM QRadar · QRadar

Detect Upload Tool in IBM QRadar

Adversaries may upload tools to third-party or adversary-controlled infrastructure to make them accessible during targeting. Tools such as PsExec, gsecdump, credential dumpers, or remote management software are staged on attacker-controlled web servers, compromised websites, GitHub repositories, or Platform-as-a-Service offerings before use against victim networks. Staging enables rapid ingress tool transfer during an intrusion without the attacker having to carry tools directly into the victim environment. Detection is necessarily indirect, because the upload itself occurs outside the victim's visibility; defenders must focus on the downstream artifacts: files downloaded from unusual staging infrastructure, executions from download paths, and network telemetry showing retrieval of known attack tool names or binaries.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1608 Stage Capabilities
Sub-technique
T1608.002 Upload Tool
Canonical reference
https://attack.mitre.org/techniques/T1608/002/

QRadar Detection Query

IBM QRadar (QRadar)
sql
SELECT
  sourceip AS "SourceIP",
  destinationip AS "DestinationIP",
  UTF8(payload) AS "URL",
  username AS "Username",
  devicetime AS "EventTime",
  CASE
    WHEN UTF8(payload) ILIKE '%.exe%' OR UTF8(payload) ILIKE '%.dll%' OR UTF8(payload) ILIKE '%.bin%' THEN 80
    WHEN UTF8(payload) ILIKE '%paste%' OR UTF8(payload) ILIKE '%transfer.sh%' OR UTF8(payload) ILIKE '%gofile%' THEN 75
    WHEN UTF8(payload) ILIKE '%certutil%' OR UTF8(payload) ILIKE '%bitsadmin%' THEN 70
    ELSE 50
  END AS "RiskScore"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Proxy', 'Windows', 'Zscaler Internet Access')
  AND (eventid = 4688 OR destinationport IN (80, 443))
ORDER BY "RiskScore" DESC
LAST 24 HOURS

Severity: high. Confidence: medium.

IBM QRadar AQL translation of the T1608.002 detection. Uses SQL-like syntax with risk scoring. Detects the downstream artifacts of T1608.002 tool staging: known attack tool names appearing in dow

Data Sources

Windows Security Event Log
Proxy
Zscaler Internet Access

Required Tables

events

False Positives & Tuning

  • Security teams running authorized penetration tests or red team exercises downloading offensive tooling to test endpoints
  • IT administrators downloading PsExec, the Sysinternals suite, or network scanners (Nmap, Netscan) for legitimate diagnostics
  • Developers downloading open-source security research tools (BloodHound for AD auditing, Impacket for protocol testing) for authorized use
  • Bug bounty researchers or internal security engineers staging tools on shared infrastructure for assessments
  • Incident response teams deploying DFIR toolkits from an internal staging server during an active investigation
  • The ELSE branch of the CASE expression gives a score of 50 to every in-scope event that matches none of the ILIKE patterns, so as written the query returns all port 80/443 traffic from the listed log sources. Before turning it into an offense rule, restrict the WHERE clause to events that hit at least one indicator, or drop the ELSE branch.
  • Every Windows 4688 payload contains "New Process Name: ...\<name>.exe", so the '%.exe%' pattern scores every process creation at 80 regardless of what was run. For 4688 events, apply the patterns to the Process Command Line field (which requires command line auditing) rather than to the whole payload.
  • LOGSOURCETYPENAME() is compared against the log source type names as they appear in your deployment; the literal 'Windows' will not match a type whose full name is, for example, 'Microsoft Windows Security Event Log'. Check the names in the Log Sources view before relying on the filter.
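The following is example code added to this page, not IBM's or the rule author's: a Python re-implementation of the AQL query's WHERE clause and CASE risk score, run over constructed events (the events, IPs and usernames are made up) so that the two scoring caveats in the tuning list above, the ELSE branch and the 4688 ".exe" match, can be reproduced offline. The tuned variant scores 4688 events on their command line only and drops rows that reach the ELSE branch; it is one possible tuning, not the page's rule.

```python
# Example code added to this page (not IBM's or the rule author's code): a Python
# re-implementation of the AQL query's WHERE clause and CASE risk score, run over
# constructed events so the scoring and the tuning caveats can be checked offline.

# Same literals as the AQL LOGSOURCETYPENAME(...) IN (...) filter.
LOG_SOURCE_TYPES = ("Proxy", "Windows", "Zscaler Internet Access")

# Constructed events (not real telemetry). Field names mirror the AQL SELECT list;
# 4688 payloads use the field labels of the Windows Security event text.
SAMPLE_EVENTS = [
    {"logsource": "Zscaler Internet Access", "eventid": None, "destinationport": 443,
     "sourceip": "10.1.2.3", "destinationip": "203.0.113.10", "username": "jdoe",
     "payload": "GET https://transfer.sh/abc123/netscan.exe"},
    {"logsource": "Windows", "eventid": 4688, "destinationport": None,
     "sourceip": "10.1.2.3", "destinationip": "10.1.2.3", "username": "jdoe",
     "payload": r"A new process has been created. New Process Name: C:\Windows\System32\bitsadmin.exe "
                r"Process Command Line: bitsadmin /transfer dl /download http://203.0.113.10/update "
                r"C:\Users\jdoe\AppData\Local\Temp\update"},
    {"logsource": "Windows", "eventid": 4688, "destinationport": None,   # benign process creation
     "sourceip": "10.1.2.4", "destinationip": "10.1.2.4", "username": "asmith",
     "payload": r"A new process has been created. New Process Name: C:\Windows\System32\notepad.exe "
                r"Process Command Line: notepad C:\Users\asmith\notes.txt"},
    {"logsource": "Proxy", "eventid": None, "destinationport": 443,
     "sourceip": "10.1.2.5", "destinationip": "198.51.100.7", "username": "bwu",
     "payload": "GET https://pastebin.com/raw/x9y8z7"},
    {"logsource": "Proxy", "eventid": None, "destinationport": 443,      # benign browsing
     "sourceip": "10.1.2.6", "destinationip": "198.51.100.8", "username": "cli",
     "payload": "GET https://www.example.com/index.html"},
    {"logsource": "Linux OS", "eventid": None, "destinationport": 443,   # log source type not in filter
     "sourceip": "10.1.2.7", "destinationip": "198.51.100.9", "username": "root",
     "payload": "GET https://gofile.io/d/abc123"},
    {"logsource": "Windows", "eventid": 4624, "destinationport": None,   # logon event, not 4688
     "sourceip": "10.1.2.8", "destinationip": "10.1.2.8", "username": "dlee",
     "payload": "An account was successfully logged on."},
]


def risk_score(text: str) -> int:
    """Mirror the CASE expression: same patterns, same precedence, same ELSE 50."""
    t = text.lower()  # ILIKE is case-insensitive
    if any(p in t for p in (".exe", ".dll", ".bin")):
        return 80
    if any(p in t for p in ("paste", "transfer.sh", "gofile")):
        return 75
    if any(p in t for p in ("certutil", "bitsadmin")):
        return 70
    return 50


def in_scope(ev: dict) -> bool:
    """Mirror the WHERE clause."""
    return ev["logsource"] in LOG_SOURCE_TYPES and (
        ev["eventid"] == 4688 or ev["destinationport"] in (80, 443)
    )


def tuned_score(ev: dict) -> int:
    """Tuning variant (assumption, not the page's rule): every 4688 payload carries
    'New Process Name: ...\\x.exe', which alone trips the '.exe' pattern, so for 4688
    events score only the text after 'Process Command Line:'."""
    text = ev["payload"]
    if ev["eventid"] == 4688:
        _, sep, cmdline = text.partition("Process Command Line:")
        if sep:
            text = cmdline
    return risk_score(text)


def run_query(events, tuned: bool = False):
    """Return (score, event) rows ordered like ORDER BY "RiskScore" DESC.
    With tuned=True, 4688 events are scored on their command line and rows that only
    reached the ELSE branch (score 50) are dropped."""
    rows = []
    for ev in events:
        if not in_scope(ev):
            continue
        score = tuned_score(ev) if tuned else risk_score(ev["payload"])
        if tuned and score == 50:
            continue
        rows.append((score, ev))
    return sorted(rows, key=lambda r: -r[0])  # sorted() is stable: ties keep input order


if __name__ == "__main__":
    for label, tuned in (("as written", False), ("tuned", True)):
        print(f"--- {label} ---")
        for score, ev in run_query(SAMPLE_EVENTS, tuned=tuned):
            print(score, ev["logsource"], ev["username"], ev["payload"][:60])
```

Run as written, the benign notepad.exe process creation scores 80 and the example.com request scores 50, both alongside the real indicators; the tuned pass keeps the transfer.sh download (80), the pastebin fetch (75) and the bitsadmin transfer (70) and drops the other two.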

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Stage Tool on Public File Hosting (filemail.com simulation)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing UploadFile, 127.0.0.1:8090, and the temp file path. Sysmon Event ID 11: File Create for the copied test binary in %TEMP%. Sysmon Event ID 3: Network Connection from powershell.exe to 127.0.0.1:8090. Sysmon records only the TCP connection, not the HTTP method; the POST itself is visible only in the receiving web server's or proxy's log. PowerShell ScriptBlock Log Event ID 4104 with the upload script content.

  2. Test 2: Download Tool from GitHub (Known Attack Tool Retrieval Simulation)

    Expected signal: Sysmon Event ID 11: File Create with TargetFilename=%USERPROFILE%\Downloads\psexec-simulation-test.exe and Image=powershell.exe. Sysmon Event ID 15 (FileCreateStreamHash): Zone.Identifier ADS creation with the source URL in the stream content. Sysmon Event ID 3: Network Connection from powershell.exe to live.sysinternals.com:443. PowerShell ScriptBlock Log Event ID 4104 with the Invoke-WebRequest command.

  3. Test 3: Execute Downloaded Tool from Temp Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\netscan.exe, CurrentDirectory containing \Temp\, and ParentImage=powershell.exe. Security Event ID 4688: Process creation for netscan.exe in the temp path if process creation auditing is enabled. Sysmon Event ID 11: File Create for the initial copy of the binary to the temp path.

  4. Test 4: Retrieve Tool via certutil LOLBin Download

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-urlcache -split -f' and the target URL. Sysmon Event ID 3: Network Connection from certutil.exe to the download URL host on port 80. Sysmon Event ID 11: File Create for the downloaded file in %TEMP%\. Sysmon Event ID 11: Additional File Create for the renamed .exe file. Security Event ID 4688: Process creation for certutil.exe if command line auditing is enabled.
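Test 2 expects a Sysmon Event ID 15 record whose Contents field carries the Zone.Identifier stream with the download source. The following is example code added to this page (not from Sysinternals, Microsoft or the rule author) that parses that stream to recover the zone and the host the tool was fetched from, which is the pivot from a FileCreateStreamHash event back to the staging infrastructure. The file paths and stream contents are constructed; the corporate hostname is a placeholder.

```python
# Example code added to this page (not from Sysinternals, Microsoft or the rule author):
# parse the Zone.Identifier stream that Sysmon Event ID 15 logs for a downloaded file
# and recover the zone and the host the tool was fetched from. Contents are constructed.
from urllib.parse import urlparse

# URLZONE values Windows writes into ZoneId.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed Sysmon EID 15 'Contents' values keyed by TargetFilename. Windows writes an
# INI-style [ZoneTransfer] section with CRLF line endings; ReferrerUrl and HostUrl are optional.
SAMPLE_STREAMS = {
    r"C:\Users\jdoe\Downloads\psexec-simulation-test.exe":
        "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://learn.microsoft.com/sysinternals/\r\n"
        "HostUrl=https://live.sysinternals.com/psexec.exe\r\n",
    r"C:\Users\jdoe\Downloads\netscan.exe":                       # internal file share (placeholder host)
        "[ZoneTransfer]\r\nZoneId=1\r\nHostUrl=http://fileserver.corp.example/tools/netscan.exe\r\n",
    r"C:\Users\jdoe\Downloads\archive.zip":
        "[ZoneTransfer]\r\nZoneId=3\r\n",                         # zone only, no source URL recorded
    r"C:\Users\jdoe\AppData\Local\Temp\tool.bin":
        "",                                                       # empty or absent stream
}


def parse_zone_identifier(contents: str) -> dict:
    """Return {'ZoneId': int|None, 'HostUrl': str|None, 'ReferrerUrl': str|None}.
    Tolerates CRLF or LF, a missing section header, missing keys and a malformed ZoneId."""
    result = {"ZoneId": None, "HostUrl": None, "ReferrerUrl": None}
    section = None
    for raw in contents.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section not in (None, "ZoneTransfer") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "ZoneId":
            try:
                result["ZoneId"] = int(value)
            except ValueError:
                pass  # leave None rather than crash on a corrupted stream
        elif key in ("HostUrl", "ReferrerUrl"):
            result[key] = value or None
    return result


def classify(path: str, contents: str) -> dict:
    """Summarise one file: zone name, download host (from HostUrl) and referrer."""
    z = parse_zone_identifier(contents)
    host = urlparse(z["HostUrl"]).hostname if z["HostUrl"] else None
    return {"file": path, "zone_id": z["ZoneId"],
            "zone": ZONE_NAMES.get(z["ZoneId"], "Unknown"),
            "host": host, "referrer": z["ReferrerUrl"]}


def internet_downloads(streams: dict) -> list:
    """(file, host) for every file marked ZoneId=3 (Internet), in input order. A None host
    means the zone was recorded but the source URL was not, so the proxy log is the only
    remaining place to find where the file came from."""
    out = []
    for path, contents in streams.items():
        c = classify(path, contents)
        if c["zone_id"] == 3:
            out.append((path, c["host"]))
    return out


if __name__ == "__main__":
    for path, contents in SAMPLE_STREAMS.items():
        print(classify(path, contents))
    print(internet_downloads(SAMPLE_STREAMS))
```

The host recovered from HostUrl is what you join against proxy logs or the staging-service names in the query above; a file with ZoneId=3 but no HostUrl, or with no stream at all, cannot be attributed from the endpoint alone.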
