title: Upload Tool (T1608.002)
id: df00tech-t1608-002
status: experimental
description: "Adversaries may upload tools to third-party or adversary-controlled infrastructure to make them accessible during targeting. Tools such as PsExec, gsecdump, credential dumpers, or remote management software are staged on attacker-controlled web servers, compromised websites, GitHub repositories, or Platform-as-a-Service offerings prior to use against victim networks. This staging enables rapid ingress tool transfer during intrusion without requiring the attacker to carry tools directly into the victim environment. Detection is indirect — the upload itself occurs outside the victim's visibility — so defenders must focus on the downstream artifacts: files downloaded from unusual staging infrastructure, executions from download paths, and network telemetry showing retrieval of known attack tool names or binaries."
references:
  - https://attack.mitre.org/techniques/T1608/002/
  - https://df00tech.com/detections/T1608.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1608.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder only: this selection matches every process_creation event and will flood alerts if enabled as-is.
  # The real logic could not be auto-translated; see the KQL/SPL query on df00tech and port it before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Security teams running authorized penetration tests or red team exercises downloading offensive tooling to test endpoints
  - "IT administrators downloading PsExec, SysInternals suite, or network scanners (Nmap, Netscan) for legitimate diagnostics"
  - "Developers downloading open-source security research tools (BloodHound for AD auditing, Impacket for protocol testing) for authorized use"
  - Bug bounty researchers or internal security engineers staging tools on shared infrastructure for assessments
  - Incident response teams deploying DFIR toolkits from an internal staging server during an active investigation
level: high
