T1608 Sumo Logic CSE · Sumo

Detect Stage Capabilities in Sumo Logic CSE

This detection identifies adversary activity consistent with staging capabilities on external infrastructure prior to targeting. Because T1608 is a pre-compromise technique conducted on adversary-controlled infrastructure, direct detection is not possible from victim telemetry alone. Instead, this detection focuses on the victim-side observable: endpoints or users connecting to known or suspected staging infrastructure and downloading executable artifacts. Detectable signals include connections to file-sharing platforms (Pastebin, transfer.sh, Discord CDN, GitHub raw), downloads of executable file types from these platforms, and use of living-off-the-land binaries (certutil, bitsadmin, curl) to retrieve staged payloads. Threat intelligence correlation against known staging domains and IPs supplements behavioral heuristics to surface high-confidence staging delivery events.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1608 Stage Capabilities
Canonical reference
https://attack.mitre.org/techniques/T1608/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=endpoint/windows OR _sourceCategory=proxy/access | json auto | where (process_name in ("curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe") and (command_line matches "*.exe" or command_line matches "*.dll" or command_line matches "*.bin")) or (url matches "*transfer.sh*" or url matches "*paste.ee*" or url matches "*gofile.io*") | if(matches(process_name, "*certutil*") and matches(command_line, "*urlcache*"), "High", if(matches(url, "*transfer.sh*") or matches(url, "*gofile.io*"), "High", "Medium")) as RiskLevel | count by src_ip, process_name, RiskLevel | sort by count desc
high severity medium confidence

Sumo Logic query for T1608 detection using source category filters and aggregation. Detects endpoint connections to known capability-staging platforms (paste sites, file-transfer servi

Data Sources

Windows Endpoint EventsProxy Access Logs

Required Tables

endpoint/windowsproxy/access

False Positives & Tuning

  • Developers legitimately downloading build artifacts, scripts, or tools from GitHub raw content or cloud storage during CI/CD workflows
  • IT administrators using certutil or curl to download approved software packages from cloud storage buckets
  • Security researchers or red teamers running authorized testing from internal systems that happen to pull tools from public staging platforms
  • Automated deployment pipelines or configuration management tools (Ansible, Chef, Puppet) that fetch scripts from blob storage
Download portable Sigma rule (.yml)

Other platforms for T1608

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Stage and Retrieve Benign Payload via Pastebin (Simulated)

    Expected signal: Sysmon Event ID 1 (Process Create) for certutil.exe with -decode arguments. DeviceProcessEvents entry for certutil.exe. DeviceFileEvents showing file creation in %TEMP%. PowerShell ScriptBlock log (Event ID 4104) showing the staging simulation commands.

  2. Test 2Download Simulated Tool from GitHub Raw Content

    Expected signal: Sysmon Event ID 3 (Network Connection) for powershell.exe connecting to raw.githubusercontent.com on port 443. Sysmon Event ID 11 (File Create) for the downloaded file. DeviceNetworkEvents in Defender for Endpoint showing powershell.exe initiating connection. DeviceFileEvents showing file write in TEMP.

  3. Test 3Simulate Drive-by Staging Infrastructure via Local Web Server

    Expected signal: Linux audit logs showing curl process spawning with HTTP connection to 127.0.0.1:8888. Syslog entries for the Python HTTP server serving the request. File creation event for downloaded_payload.exe in /tmp. If auditd is enabled: syscall records for execve (python3, curl) and open/write for file creation.

Last updated: 2026-03-20 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1608 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (6)

Related Techniques

T1583Acquire InfrastructureT1584Compromise InfrastructureT1587Develop CapabilitiesT1588Obtain CapabilitiesT1105Ingress Tool TransferT1189Drive-by CompromiseT1566PhishingT1573Encrypted ChannelT1608.001Upload MalwareT1608.002Upload ToolT1608.003Install Digital CertificateT1608.004Drive-by TargetT1608.005Link TargetT1608.006SEO Poisoning

Same Tactic: Resource Development

Popular Detections