Detect Stage Capabilities in Splunk
This detection identifies adversary activity consistent with staging capabilities on external infrastructure prior to targeting. Because T1608 is a pre-compromise technique conducted on adversary-controlled infrastructure, direct detection is not possible from victim telemetry alone. Instead, this detection focuses on the victim-side observable: endpoints or users connecting to known or suspected staging infrastructure and downloading executable artifacts. Detectable signals include connections to file-sharing platforms (Pastebin, transfer.sh, Discord CDN, GitHub raw), downloads of executable file types from these platforms, and use of living-off-the-land binaries (certutil, bitsadmin, curl) to retrieve staged payloads. Threat intelligence correlation against known staging domains and IPs supplements behavioral heuristics to surface high-confidence staging delivery events.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1608 Stage Capabilities
- Canonical reference: https://attack.mitre.org/techniques/T1608/
SPL Detection Query
index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="stream:http" OR sourcetype="proxy")
| eval dest_host=lower(coalesce(dest_hostname, DestinationHostname, 'cs-host'))
| eval staging_check=case(
match(dest_host, "pastebin\.com|paste\.ee|pastecode\.io|pasteio\.com"), "pastebin",
match(dest_host, "transfer\.sh|filebin\.net|gofile\.io|temp\.sh|anonfiles\.com"), "file-transfer",
match(dest_host, "raw\.githubusercontent\.com|gist\.githubusercontent\.com"), "github-raw",
match(dest_host, "cdn\.discordapp\.com"), "discord-cdn",
match(dest_host, "dl\.dropboxusercontent\.com"), "dropbox-cdn",
match(dest_host, "storage\.googleapis\.com|s3\.amazonaws\.com"), "cloud-storage",
1=1, null()
)
| where isnotnull(staging_check)
| eval request_path=coalesce(uri_path, 'cs-uri-stem', Uri, url)
| eval file_ext=lower(replace(mvindex(split(mvindex(split(replace(request_path, "\?.*$", ""), "/"), -1), "."), -1), "[^A-Za-z0-9]", ""))
| where match(file_ext, "^(exe|dll|ps1|vbs|hta|bat|cmd|msi|jar|bin|scr|pif)$")
| eval lolbin_used=if(match(lower(coalesce(process, Image, ParentImage, "")), "certutil|bitsadmin|curl|wget|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|msiexec"), 1, 0)
| eval risk_score=case(
staging_check="pastebin", 85,
staging_check="file-transfer", 80,
staging_check="discord-cdn", 60,
staging_check="github-raw", 45,
staging_check="dropbox-cdn", 50,
staging_check="cloud-storage", 55,
1=1, 40
)
| eval adjusted_risk=risk_score + if(lolbin_used=1, 15, 0)
| where adjusted_risk >= 45
| eval src_host=coalesce(src_hostname, ComputerName, host)
| eval initiating_process=coalesce(process, Image, ParentImage)
| eval connection_url=coalesce(request_path, url, Uri)
| stats count as hit_count,
values(connection_url) as staged_urls,
values(initiating_process) as processes,
max(adjusted_risk) as max_risk,
earliest(_time) as first_seen,
latest(_time) as last_seen
by src_host, staging_check, file_ext, lolbin_used
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -max_risk
| table first_seen, last_seen, src_host, staging_check, file_ext, staged_urls, processes, lolbin_used, max_risk, hit_count

Correlates HTTP/proxy logs and Sysmon network events against known capability-staging platforms, filtering for executable file type downloads. Hyphenated field names (cs-host, cs-uri-stem) are single-quoted so eval does not parse them as subtraction, and the query string is stripped before the extension is taken so a path like payload.exe?v=1.2 yields "exe" rather than "2". Scores each event by platform risk level and adjusts upward when a living-off-the-land binary is the initiating process. Aggregates by host and platform to surface repeated staging delivery patterns.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Development teams pulling build scripts or compiled artifacts from GitHub raw content as part of automated pipelines
- IT operations downloading approved utilities from internal or vendor-managed S3/GCS buckets during provisioning
- Security awareness platforms or sandbox environments intentionally downloading malware samples for analysis
- Package managers (pip, npm, cargo) that route through cloud storage CDNs for dependency delivery
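The following Python re-implements the query's classification, extension extraction, risk scoring and aggregation over a handful of constructed events, with an allowlist hook for the tuning cases listed above (an approved build or provisioning host for a given platform). It is an added example, not part of the original detection page or any vendor's package; the platform regexes, scores and threshold are taken from the SPL query, while every hostname, path and process in the sample events is constructed.

```python
"""Re-implementation of the SPL scoring logic above, over constructed events.
Added example; not part of the original detection page or any vendor code."""
import re
from collections import defaultdict

# Platform classes, scores and threshold mirror the case() branches of the query.
STAGING_PLATFORMS = [
    ("pastebin", r"pastebin\.com|paste\.ee|pastecode\.io|pasteio\.com", 85),
    ("file-transfer", r"transfer\.sh|filebin\.net|gofile\.io|temp\.sh|anonfiles\.com", 80),
    ("github-raw", r"raw\.githubusercontent\.com|gist\.githubusercontent\.com", 45),
    ("discord-cdn", r"cdn\.discordapp\.com", 60),
    ("dropbox-cdn", r"dl\.dropboxusercontent\.com", 50),
    ("cloud-storage", r"storage\.googleapis\.com|s3\.amazonaws\.com", 55),
]
EXEC_EXTS = {"exe", "dll", "ps1", "vbs", "hta", "bat", "cmd", "msi",
             "jar", "bin", "scr", "pif"}
LOLBIN_RE = re.compile(r"certutil|bitsadmin|curl|wget|powershell|pwsh|wscript"
                       r"|cscript|mshta|regsvr32|rundll32|msiexec")
LOLBIN_BONUS = 15   # added when a LOLBin is the initiating process
THRESHOLD = 45      # minimum adjusted risk to report


def classify_host(host):
    """Return (platform_name, base_score) or (None, 0) for an unlisted host."""
    h = (host or "").lower()
    for name, pattern, score in STAGING_PLATFORMS:
        if re.search(pattern, h):
            return name, score
    return None, 0


def file_extension(path):
    """Lower-cased extension of the last path segment, query string removed
    first, so '/x/payload.exe?v=1.2' yields 'exe' rather than '2'."""
    path = (path or "").split("?", 1)[0]
    segment = path.rsplit("/", 1)[-1]
    if "." not in segment:
        return ""
    return re.sub(r"[^a-z0-9]", "", segment.rsplit(".", 1)[-1].lower())


def score_event(event, allowlist=()):
    """Score one event; return a hit dict or None when it should be dropped.
    allowlist holds (src_host, platform) pairs approved during tuning."""
    platform, base = classify_host(event.get("dest_host"))
    if platform is None:
        return None
    ext = file_extension(event.get("url"))
    if ext not in EXEC_EXTS:
        return None
    if (event.get("src_host"), platform) in allowlist:
        return None
    lolbin = 1 if LOLBIN_RE.search((event.get("process") or "").lower()) else 0
    risk = base + (LOLBIN_BONUS if lolbin else 0)
    if risk < THRESHOLD:
        return None
    return {"platform": platform, "ext": ext, "lolbin": lolbin, "risk": risk}


def aggregate(events, allowlist=()):
    """Group hits like the query's stats ... by src_host, staging_check,
    file_ext, lolbin_used, keeping hit_count, max_risk, URLs and processes."""
    groups = defaultdict(lambda: {"hit_count": 0, "max_risk": 0,
                                  "staged_urls": set(), "processes": set()})
    for ev in events:
        hit = score_event(ev, allowlist)
        if hit is None:
            continue
        g = groups[(ev["src_host"], hit["platform"], hit["ext"], hit["lolbin"])]
        g["hit_count"] += 1
        g["max_risk"] = max(g["max_risk"], hit["risk"])
        g["staged_urls"].add(ev["url"])
        g["processes"].add(ev.get("process") or "")
    return dict(groups)


# Constructed sample events: hypothetical hosts, paths and processes.
SAMPLE_EVENTS = [
    {"src_host": "WS-0142", "dest_host": "pastebin.com", "url": "/raw/AbCdEf12",
     "process": r"C:\Windows\System32\certutil.exe"},              # no executable extension
    {"src_host": "WS-0142", "dest_host": "transfer.sh",
     "url": "/get/x9y8z7/Update.EXE?dl=1",
     "process": r"C:\Windows\System32\certutil.exe"},              # 80 + 15 = 95
    {"src_host": "BUILD-07", "dest_host": "raw.githubusercontent.com",
     "url": "/org/repo/main/build.ps1",
     "process": r"C:\Program Files\Git\bin\git.exe"},              # 45, tuning candidate
    {"src_host": "WS-0301", "dest_host": "cdn.discordapp.com",
     "url": "/attachments/1/2/loader.dll",
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe"},  # 60
    {"src_host": "WS-0301", "dest_host": "storage.googleapis.com",
     "url": "/bucket/report.pdf", "process": "chrome.exe"},         # pdf: dropped
]

if __name__ == "__main__":
    approved = {("BUILD-07", "github-raw")}   # tuned-out build pipeline host
    for key, g in sorted(aggregate(SAMPLE_EVENTS, approved).items(),
                         key=lambda kv: -kv[1]["max_risk"]):
        print(key, g["max_risk"], g["hit_count"], sorted(g["staged_urls"]))
```

The allowlist is keyed on (source host, platform) rather than on the platform alone, which keeps the GitHub raw and cloud-storage branches live for ordinary workstations while silencing the build and provisioning hosts named in the tuning list.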
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Stage and Retrieve Benign Payload via Pastebin (Simulated)
Expected signal: Sysmon Event ID 1 (Process Create) for certutil.exe with -decode arguments. DeviceProcessEvents entry for certutil.exe. DeviceFileEvents showing file creation in %TEMP%. PowerShell ScriptBlock log (Event ID 4104) showing the staging simulation commands.
- Test 2: Download Simulated Tool from GitHub Raw Content
Expected signal: Sysmon Event ID 3 (Network Connection) for powershell.exe connecting to raw.githubusercontent.com on port 443. Sysmon Event ID 11 (File Create) for the downloaded file. DeviceNetworkEvents in Defender for Endpoint showing powershell.exe initiating connection. DeviceFileEvents showing file write in TEMP.
- Test 3: Simulate Drive-by Staging Infrastructure via Local Web Server
Expected signal: Linux audit logs showing curl process spawning with HTTP connection to 127.0.0.1:8888. Syslog entries for the Python HTTP server serving the request. File creation event for downloaded_payload.exe in /tmp. If auditd is enabled: syscall records for execve (python3, curl) and open/write for file creation.
References (13)
- https://attack.mitre.org/techniques/T1608/
- https://www.volexity.com/blog/2020/11/06/ocean-lotus-extending-cyber-espionage-operations-through-fake-websites/
- https://www.dragos.com/blog/industry-news/watering-hole-attack-uses-heroku-cloud-platform/
- https://www.malwarebytes.com/blog/news/2019/01/magecart-group-4-a-link-with-heroku/
- https://www.netskope.com/blog/netskope-threat-intelligence-gcp-redirection/
- https://www.netskope.com/blog/cloud-phishing-using-popular-cloud-services-to-attack-users/
- https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader/
- https://attack.mitre.org/techniques/T1608/001/
- https://attack.mitre.org/techniques/T1608/002/
- https://attack.mitre.org/techniques/T1608/003/
- https://attack.mitre.org/techniques/T1608/004/
- https://attack.mitre.org/techniques/T1608/005/
- https://attack.mitre.org/techniques/T1608/006/