Detect Stage Capabilities in Microsoft Sentinel
This detection identifies adversary activity consistent with staging capabilities on external infrastructure prior to targeting. Because T1608 is a pre-compromise technique conducted on adversary-controlled infrastructure, direct detection is not possible from victim telemetry alone. Instead, this detection focuses on the victim-side observable: endpoints or users connecting to known or suspected staging infrastructure and downloading executable artifacts. Detectable signals include connections to file-sharing platforms (Pastebin, transfer.sh, Discord CDN, GitHub raw), downloads of executable file types from these platforms, and use of living-off-the-land binaries (certutil, bitsadmin, curl) to retrieve staged payloads. Threat intelligence correlation against known staging domains and IPs supplements behavioral heuristics to surface high-confidence staging delivery events.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1608 Stage Capabilities
- Canonical reference
- https://attack.mitre.org/techniques/T1608/
KQL Detection Query
let LookbackPeriod = 1d;
let SuspiciousStagingDomains = dynamic([
"pastebin.com", "paste.ee", "pastecode.io", "pasteio.com",
"transfer.sh", "filebin.net", "gofile.io", "temp.sh", "anonfiles.com",
"raw.githubusercontent.com", "gist.githubusercontent.com",
"dl.dropboxusercontent.com", "cdn.discordapp.com",
"storage.googleapis.com", "s3.amazonaws.com"
]);
let ExecutableExtensions = dynamic(["exe", "dll", "ps1", "vbs", "hta", "bat", "cmd", "msi", "jar", "bin", "scr", "pif"]);
let LolBins = dynamic([
"certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe",
"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe"
]);
DeviceNetworkEvents
| where TimeGenerated >= ago(LookbackPeriod)
| where ActionType in ("ConnectionSuccess", "HttpConnectionInspected")
| extend ParsedUrl = parse_url(RemoteUrl)
| extend HostDomain = tostring(ParsedUrl["Host"])
| extend FilePath = tostring(ParsedUrl["Path"])
| extend FileExt = tolower(extract(@"\.([a-zA-Z0-9]{2,4})(?:\?|#|$)", 1, FilePath))
| where HostDomain has_any (SuspiciousStagingDomains)
and FileExt in (ExecutableExtensions)
| join kind=leftouter (
DeviceFileEvents
| where TimeGenerated >= ago(LookbackPeriod)
| where ActionType == "FileCreated"
| project DeviceId, FileCreatedTime = TimeGenerated, FileName, FolderPath,
SHA256, FileSize, FileInitiatingProcessId = InitiatingProcessId
) on DeviceId, $left.InitiatingProcessId == $right.FileInitiatingProcessId
| extend RiskScore = case(
HostDomain has "pastebin", 85,
HostDomain has "paste", 80,
HostDomain has "transfer.sh", 85,
HostDomain has "anonfiles", 90,
HostDomain has "gofile", 75,
HostDomain has "temp.sh", 80,
HostDomain has "discordapp", 60,
HostDomain has "dropbox", 50,
HostDomain has "raw.githubusercontent", 45,
HostDomain has "storage.googleapis", 55,
HostDomain has "s3.amazonaws", 50,
55
)
| extend LolBinUsed = iff(InitiatingProcessFileName in~ (LolBins), true, false)
| extend AdjustedRisk = RiskScore + iff(LolBinUsed, 15, 0)
| where AdjustedRisk >= 45
| project TimeGenerated, DeviceName, DeviceId,
StagingDomain = HostDomain,
RemoteUrl, RemoteIP, FileExt,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName, InitiatingProcessAccountDomain,
DroppedFile = FileName, DroppedFilePath = FolderPath, SHA256,
LolBinUsed, AdjustedRisk
| order by AdjustedRisk desc, TimeGenerated descDetects endpoint connections to known capability-staging platforms (paste sites, file-transfer services, cloud storage CDNs) where the retrieved URL path targets an executable file type. Scoring is adjusted upward when a living-off-the-land binary initiates the connection. Correlated file creation events from the same process provide SHA256 hashes for threat intelligence lookups.
Data Sources
Required Tables
False Positives & Tuning
- Developers legitimately downloading build artifacts, scripts, or tools from GitHub raw content or cloud storage during CI/CD workflows
- IT administrators using certutil or curl to download approved software packages from cloud storage buckets
- Security researchers or red teamers running authorized testing from internal systems that happen to pull tools from public staging platforms
- Automated deployment pipelines or configuration management tools (Ansible, Chef, Puppet) that fetch scripts from blob storage
Other platforms for T1608
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stage and Retrieve Benign Payload via Pastebin (Simulated)
Expected signal: Sysmon Event ID 1 (Process Create) for certutil.exe with -decode arguments. DeviceProcessEvents entry for certutil.exe. DeviceFileEvents showing file creation in %TEMP%. PowerShell ScriptBlock log (Event ID 4104) showing the staging simulation commands.
- Test 2Download Simulated Tool from GitHub Raw Content
Expected signal: Sysmon Event ID 3 (Network Connection) for powershell.exe connecting to raw.githubusercontent.com on port 443. Sysmon Event ID 11 (File Create) for the downloaded file. DeviceNetworkEvents in Defender for Endpoint showing powershell.exe initiating connection. DeviceFileEvents showing file write in TEMP.
- Test 3Simulate Drive-by Staging Infrastructure via Local Web Server
Expected signal: Linux audit logs showing curl process spawning with HTTP connection to 127.0.0.1:8888. Syslog entries for the Python HTTP server serving the request. File creation event for downloaded_payload.exe in /tmp. If auditd is enabled: syscall records for execve (python3, curl) and open/write for file creation.
References (13)
- https://attack.mitre.org/techniques/T1608/
- https://www.volexity.com/blog/2020/11/06/ocean-lotus-extending-cyber-espionage-operations-through-fake-websites/
- https://www.dragos.com/blog/industry-news/watering-hole-attack-uses-heroku-cloud-platform/
- https://www.malwarebytes.com/blog/news/2019/01/magecart-group-4-a-link-with-heroku/
- https://www.netskope.com/blog/netskope-threat-intelligence-gcp-redirection/
- https://www.netskope.com/blog/cloud-phishing-using-popular-cloud-services-to-attack-users/
- https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader/
- https://attack.mitre.org/techniques/T1608/001/
- https://attack.mitre.org/techniques/T1608/002/
- https://attack.mitre.org/techniques/T1608/003/
- https://attack.mitre.org/techniques/T1608/004/
- https://attack.mitre.org/techniques/T1608/005/
- https://attack.mitre.org/techniques/T1608/006/
Unlock Pro Content
Get the full detection package for T1608 including response playbook, investigation guide, and atomic red team tests.