title: Stage Capabilities (T1608)
id: df00tech-t1608
status: experimental
description: "This detection identifies adversary activity consistent with staging capabilities on external infrastructure prior to targeting. Because T1608 is a pre-compromise technique conducted on adversary-controlled infrastructure, direct detection is not possible from victim telemetry alone. Instead, this detection focuses on the victim-side observable: endpoints or users connecting to known or suspected staging infrastructure and downloading executable artifacts. Detectable signals include connections to file-sharing platforms (Pastebin, transfer.sh, Discord CDN, GitHub raw), downloads of executable file types from these platforms, and use of living-off-the-land binaries (certutil, bitsadmin, curl) to retrieve staged payloads. Threat intelligence correlation against known staging domains and IPs supplements behavioral heuristics to surface high-confidence staging delivery events."
references:
  - https://attack.mitre.org/techniques/T1608/
  - https://df00tech.com/detections/T1608
author: df00tech
date: 2026/03/20
tags:
  - attack.t1608
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # The authoritative KQL/SPL query is published on df00tech and could not be auto-translated.
  # The selection below implements the behavioral heuristic stated in the description for
  # Sysmon Event ID 3 (network connection): a living-off-the-land download utility initiating
  # an outbound connection to one of the file-sharing platforms named above. Hostnames are the
  # public endpoints of those platforms; extend them with your own threat-intelligence list.
  selection_lolbin:
    Initiated: 'true'
    Image|endswith:
      - '\certutil.exe'
      - '\bitsadmin.exe'
      - '\curl.exe'
  selection_staging_host:
    DestinationHostname|contains:
      - 'pastebin.com'
      - 'transfer.sh'
      - 'cdn.discordapp.com'
      - 'raw.githubusercontent.com'
  condition: selection_lolbin and selection_staging_host
falsepositives:
  - "Developers legitimately downloading build artifacts, scripts, or tools from GitHub raw content or cloud storage during CI/CD workflows"
  - IT administrators using certutil or curl to download approved software packages from cloud storage buckets
  - Security researchers or red teamers running authorized testing from internal systems that happen to pull tools from public staging platforms
  - "Automated deployment pipelines or configuration management tools (Ansible, Chef, Puppet) that fetch scripts from blob storage"
level: high
