Detect Upload Tool in Splunk
Adversaries may upload tools to third-party or adversary-controlled infrastructure to make them accessible during targeting. Tools such as PsExec, gsecdump, credential dumpers, or remote management software are staged on attacker-controlled web servers, compromised websites, GitHub repositories, or Platform-as-a-Service offerings prior to use against victim networks. This staging enables rapid ingress tool transfer during intrusion without requiring the attacker to carry tools directly into the victim environment. Detection is indirect — the upload itself occurs outside the victim's visibility — so defenders must focus on the downstream artifacts: files downloaded from unusual staging infrastructure, executions from download paths, and network telemetry showing retrieval of known attack tool names or binaries.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1608 Stage Capabilities
- Sub-technique: T1608.002 Upload Tool
- Canonical reference: https://attack.mitre.org/techniques/T1608/002/
SPL Detection Query
```spl
| multisearch
[search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
(TargetFilename="*\\Downloads\\*" OR TargetFilename="*\\Temp\\*" OR TargetFilename="*\\ProgramData\\*" OR TargetFilename="*\\Users\\Public\\*" OR TargetFilename="*\\Windows\\Temp\\*")
(Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\firefox.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\curl.exe" OR Image="*\\wget.exe" OR Image="*\\bitsadmin.exe" OR Image="*\\certutil.exe")
| eval DetectionBranch="FileCreatedInDownloadPath"
| eval SuspicionReason="Tool-related file created in suspicious path by download utility"
| eval ToolHit=if(match(lower(TargetFilename), "(psexec|mimikatz|gsecdump|meterpreter|beacon|cobalt|sharphound|bloodhound|rubeus|seatbelt|winpeas|lazagne|crackmapexec|netscan|chisel|ligolo|frp\.exe|impacket|secretsdump|netcat|nc\.exe|ncat|socat|htran|lcx|regeorg)"), 1, 0)
| fields _time, host, User, TargetFilename, Image, CommandLine, DetectionBranch, SuspicionReason, ToolHit]
[search (index=proxy OR index=web) (sourcetype=stream:http OR sourcetype="squid" OR sourcetype="bluecoat:proxysg:access:syslog")
(url="*filemail.com*" OR url="*transfer.sh*" OR url="*gofile.io*" OR url="*anonfiles.com*" OR url="*wetransfer.com*" OR url="*sendspace.com*" OR url="*file.io*" OR url="*tmpfiles.org*" OR url="*ufile.io*" OR url="*uploadfiles.io*" OR url="*bayfiles.com*")
| eval DetectionBranch="ConnectionToFileStagingDomain"
| eval SuspicionReason="Network connection to known file staging/hosting domain"
| eval ToolHit=0
| fields _time, host, src_ip, url, http_method, http_user_agent, status, bytes_out, DetectionBranch, SuspicionReason, ToolHit]
[search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(CurrentDirectory="*\\Downloads\\*" OR CurrentDirectory="*\\Temp\\*" OR CurrentDirectory="*\\ProgramData\\*" OR CurrentDirectory="*\\Users\\Public\\*" OR Image="*\\Downloads\\*" OR Image="*\\Temp\\*" OR Image="*\\Users\\Public\\*")
(Image="*psexec*" OR Image="*mimikatz*" OR CommandLine="*gsecdump*" OR CommandLine="*meterpreter*" OR CommandLine="*beacon*" OR CommandLine="*sharphound*" OR CommandLine="*rubeus*" OR CommandLine="*seatbelt*" OR CommandLine="*winpeas*" OR CommandLine="*lazagne*" OR CommandLine="*crackmapexec*" OR CommandLine="*chisel*" OR CommandLine="*netcat*" OR CommandLine="*socat*" OR CommandLine="*secretsdump*")
| eval DetectionBranch="ToolExecutedFromDownloadPath"
| eval SuspicionReason="Known offensive tool executed from download/temp directory"
| eval ToolHit=1
| fields _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, SuspicionReason, ToolHit]
| eval SuspicionScore=case(ToolHit=1 AND DetectionBranch="ToolExecutedFromDownloadPath", 3, ToolHit=1 AND DetectionBranch="FileCreatedInDownloadPath", 2, DetectionBranch="ConnectionToFileStagingDomain", 1, true(), 1)
| table _time, host, User, DetectionBranch, SuspicionReason, SuspicionScore, ToolHit, CommandLine, Image, url
| sort - SuspicionScore, - _time
```
Detects T1608.002 downstream artifacts across three search branches unified with multisearch. Branch 1 uses Sysmon Event ID 11 (File Create) to catch known attack tool names or executables written to download/temp paths by browser and download utility processes. Branch 2 uses proxy or web logs to catch connections to known public file staging and hosting domains. Branch 3 uses Sysmon Event ID 1 (Process Create) to catch known offensive tool names executing directly from download or temporary directories. Each subsearch ends in `fields` rather than `table` because multisearch only accepts streaming commands inside its subsearches, and the branch 2 index and sourcetype terms are parenthesized so the OR conditions do not bind to a single index. A SuspicionScore is assigned per branch (execution=3, file creation=2, domain connection=1) to prioritize analyst review.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Security teams running authorized penetration tests or red team exercises downloading offensive tooling
- IT administrators downloading PsExec or SysInternals utilities for legitimate diagnostics and troubleshooting
- Developers downloading open-source security research tools such as BloodHound or Impacket for authorized internal use
- Incident response teams deploying DFIR toolkits from staging servers during active investigations
- Vulnerability management platforms (Tenable, Qualys) that stage and execute scanning components from temp directories
Other platforms for T1608.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Stage Tool on Public File Hosting (filemail.com simulation)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing UploadFile, 127.0.0.1:8090, and the temp file path. Sysmon Event ID 11: File Create for the copied test binary in %TEMP%. Sysmon Event ID 3: Network Connection from powershell.exe to 127.0.0.1:8090 with HTTP POST. PowerShell ScriptBlock Log Event ID 4104 with the upload script content.
- Test 2: Download Tool from GitHub (Known Attack Tool Retrieval Simulation)
Expected signal: Sysmon Event ID 11: File Create with TargetFilename=%USERPROFILE%\Downloads\psexec-simulation-test.exe and Image=powershell.exe. Sysmon Event ID 15 (FileCreateStreamHash): Zone.Identifier ADS creation with the source URL in the stream content. Sysmon Event ID 3: Network Connection from powershell.exe to live.sysinternals.com:443. PowerShell ScriptBlock Log Event ID 4104 with the Invoke-WebRequest command.
- Test 3: Execute Downloaded Tool from Temp Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\netscan.exe, CurrentDirectory containing \Temp\, and ParentImage=powershell.exe. Security Event ID 4688: Process creation for netscan.exe in the temp path if process creation auditing is enabled. Sysmon Event ID 11: File Create for the initial copy of the binary to the temp path.
- Test 4: Retrieve Tool via certutil LOLBin Download
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-urlcache -split -f' and the target URL. Sysmon Event ID 3: Network Connection from certutil.exe to the download URL host on port 80. Sysmon Event ID 11: File Create for the downloaded file in %TEMP%\. Sysmon Event ID 11: Additional File Create for the renamed .exe file. Security Event ID 4688: Process creation for certutil.exe if command line auditing is enabled.
References (9)
- https://attack.mitre.org/techniques/T1608/002/
- https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
- https://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku
- https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/
- https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/
- https://unit42.paloaltonetworks.com/medusa-ransomware-group/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1608.002/T1608.002.md