T1608.002 Upload Tool
Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.
Tools may be placed on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure).1 Tools can also be staged on web services, such as an adversary controlled GitHub repo.
Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool.
| Item | Value |
|---|---|
| ID | T1608.002 |
| Sub-techniques | T1608.001, T1608.002, T1608.003, T1608.004, T1608.005 |
| Tactics | TA0042 |
| Platforms | PRE |
| Version | 1.1 |
| Created | 17 March 2021 |
| Last Modified | 17 October 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0032 | Lazarus Group | Lazarus Group has hosted custom and open-source tools on compromised as well as Lazarus Group-controlled servers.2 |
| G0027 | Threat Group-3390 | Threat Group-3390 has staged tools, including gsecdump and WCE, on previously compromised websites.1 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0035 | Internet Scan | Response Content |
References
-
Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. ↩↩
-
Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. ↩