T1608

PRE
Stage Capabilities

Description

Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control.

These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.

  • Staging web resources for a link target to be used with spearphishing.
  • Uploading malware or tools to a location accessible to a victim network to enable Ingress Tool Transfer.
  • Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: Asymmetric Cryptography with Web Protocols).

Sub-techniques

T1608.001 — Upload Malware T1608.002 — Upload Tool T1608.003 — Install Digital Certificate T1608.004 — Drive-by Target T1608.005 — Link Target T1608.006 — SEO Poisoning