Detect Stage Capabilities in IBM QRadar
This detection identifies adversary activity consistent with staging capabilities on external infrastructure prior to targeting. Because T1608 is a pre-compromise technique conducted on adversary-controlled infrastructure, direct detection is not possible from victim telemetry alone. Instead, this detection focuses on the victim-side observable: endpoints or users connecting to known or suspected staging infrastructure and downloading executable artifacts. Detectable signals include connections to file-sharing platforms (Pastebin, transfer.sh, Discord CDN, GitHub raw), downloads of executable file types from these platforms, and use of living-off-the-land binaries (certutil, bitsadmin, curl) to retrieve staged payloads. Threat intelligence correlation against known staging domains and IPs supplements behavioral heuristics to surface high-confidence staging delivery events.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1608 Stage Capabilities
- Canonical reference
- https://attack.mitre.org/techniques/T1608/
QRadar Detection Query
SELECT sourceip as "SourceIP", destinationip as "DestinationIP", UTF8(payload) as "URL", username as "Username", devicetime as "EventTime", CASE WHEN UTF8(payload) ILIKE '%.exe%' OR UTF8(payload) ILIKE '%.dll%' OR UTF8(payload) ILIKE '%.bin%' THEN 80 WHEN UTF8(payload) ILIKE '%paste%' OR UTF8(payload) ILIKE '%transfer.sh%' OR UTF8(payload) ILIKE '%gofile%' THEN 75 WHEN UTF8(payload) ILIKE '%certutil%' OR UTF8(payload) ILIKE '%bitsadmin%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Proxy', 'Windows', 'Zscaler Internet Access') AND (eventid = 4688 OR destinationport IN (80, 443)) ORDER BY "RiskScore" DESC LAST 24 HOURSIBM QRadar AQL translation of the T1608 detection. Uses SQL-like syntax with risk scoring. Detects endpoint connections to known capability-staging platforms (paste sites, file-transfer servi
Data Sources
Required Tables
False Positives & Tuning
- Developers legitimately downloading build artifacts, scripts, or tools from GitHub raw content or cloud storage during CI/CD workflows
- IT administrators using certutil or curl to download approved software packages from cloud storage buckets
- Security researchers or red teamers running authorized testing from internal systems that happen to pull tools from public staging platforms
- Automated deployment pipelines or configuration management tools (Ansible, Chef, Puppet) that fetch scripts from blob storage
Other platforms for T1608
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stage and Retrieve Benign Payload via Pastebin (Simulated)
Expected signal: Sysmon Event ID 1 (Process Create) for certutil.exe with -decode arguments. DeviceProcessEvents entry for certutil.exe. DeviceFileEvents showing file creation in %TEMP%. PowerShell ScriptBlock log (Event ID 4104) showing the staging simulation commands.
- Test 2Download Simulated Tool from GitHub Raw Content
Expected signal: Sysmon Event ID 3 (Network Connection) for powershell.exe connecting to raw.githubusercontent.com on port 443. Sysmon Event ID 11 (File Create) for the downloaded file. DeviceNetworkEvents in Defender for Endpoint showing powershell.exe initiating connection. DeviceFileEvents showing file write in TEMP.
- Test 3Simulate Drive-by Staging Infrastructure via Local Web Server
Expected signal: Linux audit logs showing curl process spawning with HTTP connection to 127.0.0.1:8888. Syslog entries for the Python HTTP server serving the request. File creation event for downloaded_payload.exe in /tmp. If auditd is enabled: syscall records for execve (python3, curl) and open/write for file creation.
References (13)
- https://attack.mitre.org/techniques/T1608/
- https://www.volexity.com/blog/2020/11/06/ocean-lotus-extending-cyber-espionage-operations-through-fake-websites/
- https://www.dragos.com/blog/industry-news/watering-hole-attack-uses-heroku-cloud-platform/
- https://www.malwarebytes.com/blog/news/2019/01/magecart-group-4-a-link-with-heroku/
- https://www.netskope.com/blog/netskope-threat-intelligence-gcp-redirection/
- https://www.netskope.com/blog/cloud-phishing-using-popular-cloud-services-to-attack-users/
- https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader/
- https://attack.mitre.org/techniques/T1608/001/
- https://attack.mitre.org/techniques/T1608/002/
- https://attack.mitre.org/techniques/T1608/003/
- https://attack.mitre.org/techniques/T1608/004/
- https://attack.mitre.org/techniques/T1608/005/
- https://attack.mitre.org/techniques/T1608/006/
Unlock Pro Content
Get the full detection package for T1608 including response playbook, investigation guide, and atomic red team tests.