Stage Capabilities: Upload Tool

Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.


Tools may be placed on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure).[1] Tools can also be staged on web services, such as an adversary controlled GitHub repo, or on Platform-as-a-Service offerings that enable users to easily provision applications.[2][3][4]

攻撃者が過去に購入/レンタルしたインフラ(Acquire Infrastructure)、あるいは攻撃者によって侵害されたインフラ(Compromise Infrastructure)にツールが設置されることもあります[1]。また、攻撃者が管理するGitHubレポなどのWebサービスや、ユーザーが簡単にアプリケーションをプロビジョニングできるPlatform-as-a-Serviceサービス上でもツールを配置することができます[2][3][4]。

Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool.


ID: T1608.002
Sub-technique of:  T1608
Platforms: PRE
Version: 1.2
Created: 17 March 2021
Last Modified: 20 October 2022

Procedure Examples

ID Name Description
C0010 C0010

For C0010, UNC3890 actors staged tools on their infrastructure to download directly onto a compromised system.[5]

G0032 Lazarus Group

Lazarus Group has hosted custom and open-source tools on compromised as well as Lazarus Group-controlled servers.[6]

G0027 Threat Group-3390

Threat Group-3390 has staged tools, including gsecdump and WCE, on previously compromised websites.[1]


ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.


ID Data Source Data Component Detects
DS0035 Internet Scan Response Content

If infrastructure or patterns in tooling have been previously identified, internet scanning may uncover when an adversary has staged tools to make them accessible for targeting.Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle, such as Ingress Tool Transfer.