Detect Upload Tool in Microsoft Sentinel
Adversaries may upload tools to third-party or adversary-controlled infrastructure to make them accessible during targeting. Tools such as PsExec, gsecdump, credential dumpers, or remote management software are staged on attacker-controlled web servers, compromised websites, GitHub repositories, or Platform-as-a-Service offerings prior to use against victim networks. This staging enables rapid ingress tool transfer during intrusion without requiring the attacker to carry tools directly into the victim environment. Detection is indirect — the upload itself occurs outside the victim's visibility — so defenders must focus on the downstream artifacts: files downloaded from unusual staging infrastructure, executions from download paths, and network telemetry showing retrieval of known attack tool names or binaries.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1608 Stage Capabilities
- Sub-technique: T1608.002 Upload Tool
- Canonical reference: https://attack.mitre.org/techniques/T1608/002/
KQL Detection Query
let KnownToolNames = dynamic([
    "psexec", "psexec64", "mimikatz", "gsecdump", "wce.exe", "pwdump",
    "meterpreter", "beacon", "cobalt", "sharphound", "bloodhound",
    "rubeus", "seatbelt", "winpeas", "linpeas", "lazagne",
    "crackmapexec", "netscan", "chisel", "ligolo", "frp.exe",
    "impacket", "secretsdump", "netcat", "nc.exe", "ncat",
    "socat", "htran", "lcx", "reGeorg", "invoke-mimikatz"
]);
let StagingDomains = dynamic([
    "filemail.com", "transfer.sh", "gofile.io", "anonfiles.com",
    "wetransfer.com", "sendspace.com", "filesend.jp", "file.io",
    "tmpfiles.org", "ufile.io", "uploadfiles.io", "bayfiles.com"
]);
let SuspiciousDownloadPaths = dynamic([
    "\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\",
    "\\ProgramData\\", "\\Users\\Public\\", "\\Windows\\Temp\\"
]);
// Branch 1: Tool-named (or any .exe/.zip) files written to download/temp paths by browsers or download utilities.
// DeviceFileEvents has no AccountName column, so the initiating process account is projected
// under that name to keep the column set identical across the three branches for the union.
let ToolDownloadsFromStaging = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileRenamed")
| where FolderPath has_any (SuspiciousDownloadPaths)
| where FileName has_any (KnownToolNames) or FileName endswith ".exe" or FileName endswith ".zip"
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe",
    "iexplore.exe", "powershell.exe", "pwsh.exe", "curl.exe", "wget.exe",
    "bitsadmin.exe", "certutil.exe", "mshta.exe", "wscript.exe", "cscript.exe")
| extend DetectionBranch = "ToolNameInDownloadPath"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    SHA256, DetectionBranch;
// Branch 2: Successful network connections to known file staging/hosting domains.
// No file is involved here, so the initiating process stands in for FileName/FolderPath and SHA256 is left empty.
let StagingDomainConnections = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteUrl has_any (StagingDomains)
| extend DetectionBranch = "ConnectionToStagingDomain"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
    FileName = InitiatingProcessFileName,
    FolderPath = InitiatingProcessFolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    SHA256 = "", DetectionBranch;
// Branch 3: Execution of known attack tools from suspicious download/temp paths
// (tool name in the image name or anywhere on the command line).
let ToolExecutionFromDownloadPath = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (SuspiciousDownloadPaths)
| where FileName has_any (KnownToolNames) or ProcessCommandLine has_any (KnownToolNames)
| extend DetectionBranch = "ToolExecutedFromDownloadPath"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    SHA256, DetectionBranch;
union ToolDownloadsFromStaging, StagingDomainConnections, ToolExecutionFromDownloadPath
| sort by Timestamp desc

Detects the downstream artifacts of T1608.002 tool staging: known attack tool names appearing in download paths, network connections to file-staging/hosting domains, and execution of offensive tools from temporary or download directories. Uses three detection branches unified with the union operator. Branch 1 catches tool-named files created by browsers and download utilities in suspicious paths. Branch 2 catches direct connections to known file sharing/staging domains. Branch 3 catches execution of known offensive tool names from download-adjacent directories. Since the upload itself is invisible to the defender, all branches target ingress and execution artifacts.
Data Sources
Required Tables
- DeviceFileEvents
- DeviceNetworkEvents
- DeviceProcessEvents
False Positives & Tuning
- Security teams running authorized penetration tests or red team exercises downloading offensive tooling to test endpoints
- IT administrators downloading PsExec, SysInternals suite, or network scanners (Nmap, Netscan) for legitimate diagnostics
- Developers downloading open-source security research tools (BloodHound for AD auditing, Impacket for protocol testing) for authorized use
- Bug bounty researchers or internal security engineers staging tools on shared infrastructure for assessments
- Incident response teams deploying DFIR toolkits from an internal staging server during an active investigation
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Stage Tool on Public File Hosting (filemail.com simulation)
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing UploadFile, 127.0.0.1:8090, and the temp file path. Sysmon Event ID 11: File Create for the copied test binary in %TEMP%. Sysmon Event ID 3: Network Connection from powershell.exe to 127.0.0.1:8090 with HTTP POST. PowerShell ScriptBlock Log Event ID 4104 with the upload script content.
- Test 2: Download Tool from GitHub (Known Attack Tool Retrieval Simulation)
  Expected signal: Sysmon Event ID 11: File Create with TargetFilename=%USERPROFILE%\Downloads\psexec-simulation-test.exe and Image=powershell.exe. Sysmon Event ID 15 (FileCreateStreamHash): Zone.Identifier ADS creation with the source URL in the stream content. Sysmon Event ID 3: Network Connection from powershell.exe to live.sysinternals.com:443. PowerShell ScriptBlock Log Event ID 4104 with the Invoke-WebRequest command.
- Test 3: Execute Downloaded Tool from Temp Directory
  Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\netscan.exe, CurrentDirectory containing \Temp\, and ParentImage=powershell.exe. Security Event ID 4688: Process creation for netscan.exe in the temp path if process creation auditing is enabled. Sysmon Event ID 11: File Create for the initial copy of the binary to the temp path.
- Test 4: Retrieve Tool via certutil LOLBin Download
  Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-urlcache -split -f' and the target URL. Sysmon Event ID 3: Network Connection from certutil.exe to the download URL host on port 80. Sysmon Event ID 11: File Create for the downloaded file in %TEMP%\. Sysmon Event ID 11: Additional File Create for the renamed .exe file. Security Event ID 4688: Process creation for certutil.exe if command line auditing is enabled.
References (9)
- https://attack.mitre.org/techniques/T1608/002/
- https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
- https://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku
- https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/
- https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/
- https://unit42.paloaltonetworks.com/medusa-ransomware-group/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1608.002/T1608.002.md