Skip to content

T1608 Stage Capabilities

Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.18723

Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to):

  • Staging web resources necessary to conduct Drive-by Compromise when a user browses to a site.964
  • Staging web resources for a link target to be used with spearphishing.1011
  • Uploading malware or tools to a location accessible to a victim network to enable Ingress Tool Transfer.1
  • Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: Asymmetric Cryptography with Web Protocols).5
Item Value
ID T1608
Sub-techniques T1608.001, T1608.002, T1608.003, T1608.004, T1608.005, T1608.006
Tactics TA0042
Platforms PRE
Version 1.2
Created 17 March 2021
Last Modified 19 October 2022

Procedure Examples

ID Name Description
G0129 Mustang Panda Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims.12

Mitigations

ID Mitigation Description
M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component
DS0035 Internet Scan Response Content

References

  1. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020. 

  2. Ashwin Vamshi. (2019, January 24). Targeted Attacks Abusing Google Cloud Platform Open Redirection. Retrieved August 18, 2022. 

  3. Ashwin Vamshi. (2020, August 12). A Big Catch: Cloud Phishing from Google App Engine and Azure App Service. Retrieved August 18, 2022. 

  4. Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020. 

  5. DigiCert. (n.d.). How to Install an SSL Certificate. Retrieved April 19, 2021. 

  6. Gallagher, S.. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”. Retrieved January 25, 2016. 

  7. Jérôme Segura. (2019, December 4). There’s an app for that: web skimmers found on PaaS Heroku. Retrieved August 18, 2022. 

  8. Kent Backman. (2021, May 18). When Intrusions Don’t Align: A New Water Watering Hole and Oldsmar. Retrieved August 18, 2022. 

  9. Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020. 

  10. Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021. 

  11. Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021. 

  12. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.