TECHNIQUES

Active Scanning

Scanning IP Blocks

Vulnerability Scanning

Gather Victim Host Information

Client Configurations

Gather Victim Identity Information

Email Addresses

Gather Victim Network Information

Domain Properties

Network Trust Dependencies

Network Topology

Network Security Appliances

Gather Victim Org Information

Determine Physical Locations

Business Relationships

Identify Business Tempo

Phishing for Information

Spearphishing Service

Spearphishing Attachment

Spearphishing Link

Search Closed Sources

Threat Intel Vendors

Purchase Technical Data

Search Open Technical Databases

DNS/Passive DNS

Digital Certificates

Search Open Websites/Domains

Search Victim-Owned Websites

Resource Development

Acquire Infrastructure

Virtual Private Server

Compromise Accounts

Social Media Accounts

Compromise Infrastructure

Virtual Private Server

Develop Capabilities

Code Signing Certificates

Digital Certificates

Establish Accounts

Social Media Accounts

Obtain Capabilities

Code Signing Certificates

Digital Certificates

Vulnerabilities

Stage Capabilities

Install Digital Certificate

Drive-by Target

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Replication Through Removable Media

Supply Chain Compromise

Compromise Software Dependencies and Development Tools

Compromise Software Supply Chain

Compromise Hardware Supply Chain

Trusted Relationship

Default Accounts

Domain Accounts

Command and Scripting Interpreter

Windows Command Shell

Network Device CLI

Container Administration Command

Deploy Container

Exploitation for Client Execution

Inter-Process Communication

Component Object Model

Dynamic Data Exchange

Scheduled Task/Job

Container Orchestration Job

Software Deployment Tools

System Services

Service Execution

Malicious Image

Windows Management Instrumentation

Account Manipulation

Additional Cloud Credentials

Exchange Email Delegate Permissions

Add Office 365 Global Administrator Role

SSH Authorized Keys

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Authentication Package

Winlogon Helper DLL

Security Support Provider

Kernel Modules and Extensions

Re-opened Applications

Shortcut Modification

Plist Modification

Print Processors

XDG Autostart Entries

Boot or Logon Initialization Scripts

Logon Script (Windows)

Logon Script (Mac)

Network Logon Script

Browser Extensions

Compromise Client Software Binary

Create or Modify System Process

Systemd Service

Windows Service

Event Triggered Execution

Change Default File Association

Windows Management Instrumentation Event Subscription

Unix Shell Configuration Modification

LC_LOAD_DYLIB Addition

Netsh Helper DLL

Accessibility Features

Application Shimming

Image File Execution Options Injection

PowerShell Profile

Component Object Model Hijacking

External Remote Services

Hijack Execution Flow

DLL Search Order Hijacking

DLL Side-Loading

Dylib Hijacking

Executable Installer File Permissions Weakness

Dynamic Linker Hijacking

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

Path Interception by Unquoted Path

Services File Permissions Weakness

Services Registry Permissions Weakness

Implant Internal Image

Modify Authentication Process

Domain Controller Authentication

Password Filter DLL

Pluggable Authentication Modules

Network Device Authentication

Office Application Startup

Office Template Macros

Outlook Home Page

System Firmware

Component Firmware

Scheduled Task/Job

Container Orchestration Job

Server Software Component

SQL Stored Procedures

Transport Agent

Traffic Signaling

Default Accounts

Domain Accounts

Privilege Escalation

Abuse Elevation Control Mechanism

Setuid and Setgid

Bypass User Account Control

Sudo and Sudo Caching

Elevated Execution with Prompt

Access Token Manipulation

Token Impersonation/Theft

Create Process with Token

Make and Impersonate Token

Parent PID Spoofing

SID-History Injection

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Authentication Package

Winlogon Helper DLL

Security Support Provider

Kernel Modules and Extensions

Re-opened Applications

Shortcut Modification

Plist Modification

Print Processors

XDG Autostart Entries

Boot or Logon Initialization Scripts

Logon Script (Windows)

Logon Script (Mac)

Network Logon Script

Create or Modify System Process

Systemd Service

Windows Service

Domain Policy Modification

Group Policy Modification

Domain Trust Modification

Event Triggered Execution

Change Default File Association

Windows Management Instrumentation Event Subscription

Unix Shell Configuration Modification

LC_LOAD_DYLIB Addition

Netsh Helper DLL

Accessibility Features

Application Shimming

Image File Execution Options Injection

PowerShell Profile

Component Object Model Hijacking

Exploitation for Privilege Escalation

Hijack Execution Flow

DLL Search Order Hijacking

DLL Side-Loading

Dylib Hijacking

Executable Installer File Permissions Weakness

Dynamic Linker Hijacking

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

Path Interception by Unquoted Path

Services File Permissions Weakness

Services Registry Permissions Weakness

Process Injection

Dynamic-link Library Injection

Portable Executable Injection

Thread Execution Hijacking

Asynchronous Procedure Call

Thread Local Storage

Ptrace System Calls

Extra Window Memory Injection

Process Hollowing

Process Doppelgänging

Scheduled Task/Job

Container Orchestration Job

Default Accounts

Domain Accounts

Defense Evasion

Abuse Elevation Control Mechanism

Setuid and Setgid

Bypass User Account Control

Sudo and Sudo Caching

Elevated Execution with Prompt

Access Token Manipulation

Token Impersonation/Theft

Create Process with Token

Make and Impersonate Token

Parent PID Spoofing

SID-History Injection

Build Image on Host

Deobfuscate/Decode Files or Information

Deploy Container

Direct Volume Access

Domain Policy Modification

Group Policy Modification

Domain Trust Modification

Execution Guardrails

Environmental Keying

Exploitation for Defense Evasion

File and Directory Permissions Modification

Windows File and Directory Permissions Modification

Linux and Mac File and Directory Permissions Modification

Hidden Files and Directories

NTFS File Attributes

Hidden File System

Run Virtual Instance

Email Hiding Rules

Resource Forking

Hijack Execution Flow

DLL Search Order Hijacking

DLL Side-Loading

Dylib Hijacking

Executable Installer File Permissions Weakness

Dynamic Linker Hijacking

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

Path Interception by Unquoted Path

Services File Permissions Weakness

Services Registry Permissions Weakness

Impair Defenses

Disable or Modify Tools

Disable Windows Event Logging

Impair Command History Logging

Disable or Modify System Firewall

Indicator Blocking

Disable or Modify Cloud Firewall

Disable Cloud Logs

Downgrade Attack

Indicator Removal on Host

Clear Windows Event Logs

Clear Linux or Mac System Logs

Clear Command History

Network Share Connection Removal

Indirect Command Execution

Invalid Code Signature

Right-to-Left Override

Rename System Utilities

Masquerade Task or Service

Match Legitimate Name or Location

Space after Filename

Double File Extension

Modify Authentication Process

Domain Controller Authentication

Password Filter DLL

Pluggable Authentication Modules

Network Device Authentication

Modify Cloud Compute Infrastructure

Create Snapshot

Create Cloud Instance

Delete Cloud Instance

Revert Cloud Instance

Modify Registry

Modify System Image

Patch System Image

Downgrade System Image

Network Boundary Bridging

Network Address Translation Traversal

Obfuscated Files or Information

Software Packing

Compile After Delivery

Indicator Removal from Tools

System Firmware

Component Firmware

Process Injection

Dynamic-link Library Injection

Portable Executable Injection

Thread Execution Hijacking

Asynchronous Procedure Call

Thread Local Storage

Ptrace System Calls

Extra Window Memory Injection

Process Hollowing

Process Doppelgänging

Reflective Code Loading

Rogue Domain Controller

Signed Binary Proxy Execution

Compiled HTML File

Signed Script Proxy Execution

Subvert Trust Controls

Gatekeeper Bypass

SIP and Trust Provider Hijacking

Install Root Certificate

Mark-of-the-Web Bypass

Code Signing Policy Modification

Template Injection

Traffic Signaling

Trusted Developer Utilities Proxy Execution

Unused/Unsupported Cloud Regions

Use Alternate Authentication Material

Application Access Token

Pass the Ticket

Web Session Cookie

Default Accounts

Domain Accounts

Virtualization/Sandbox Evasion

User Activity Based Checks

Time Based Evasion

Weaken Encryption

Reduce Key Space

Disable Crypto Hardware

XSL Script Processing

Credential Access

Adversary-in-the-Middle

LLMNR/NBT-NS Poisoning and SMB Relay

ARP Cache Poisoning

Password Guessing

Password Cracking

Password Spraying

Credential Stuffing

Credentials from Password Stores

Securityd Memory

Credentials from Web Browsers

Windows Credential Manager

Password Managers

Exploitation for Credential Access

Forced Authentication

Forge Web Credentials

GUI Input Capture

Web Portal Capture

Credential API Hooking

Modify Authentication Process

Domain Controller Authentication

Password Filter DLL

Pluggable Authentication Modules

Network Device Authentication

Network Sniffing

OS Credential Dumping

Security Account Manager

Cached Domain Credentials

Proc Filesystem

/etc/passwd and /etc/shadow

Steal Application Access Token

Steal or Forge Kerberos Tickets

AS-REP Roasting

Steal Web Session Cookie

Two-Factor Authentication Interception

Unsecured Credentials

Credentials In Files

Credentials in Registry

Cloud Instance Metadata API

Group Policy Preferences

Account Discovery

Application Window Discovery

Browser Bookmark Discovery

Cloud Infrastructure Discovery

Cloud Service Dashboard

Cloud Service Discovery

Cloud Storage Object Discovery

Container and Resource Discovery

Domain Trust Discovery

File and Directory Discovery

Group Policy Discovery

Network Service Scanning

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery

Process Discovery

Remote System Discovery

Software Discovery

Security Software Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtualization/Sandbox Evasion

User Activity Based Checks

Time Based Evasion

Lateral Movement

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

Remote Service Session Hijacking

Remote Services

Remote Desktop Protocol

SMB/Windows Admin Shares

Distributed Component Object Model

Windows Remote Management

Replication Through Removable Media

Software Deployment Tools

Taint Shared Content

Use Alternate Authentication Material

Application Access Token

Pass the Ticket

Web Session Cookie

Adversary-in-the-Middle

LLMNR/NBT-NS Poisoning and SMB Relay

ARP Cache Poisoning

Archive Collected Data

Archive via Utility

Archive via Library

Archive via Custom Method

Automated Collection

Browser Session Hijacking

Data from Cloud Storage Object

Data from Configuration Repository

SNMP (MIB Dump)

Network Device Configuration Dump

Data from Information Repositories

Code Repositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Local Data Staging

Remote Data Staging

Email Collection

Local Email Collection

Remote Email Collection

Email Forwarding Rule

GUI Input Capture

Web Portal Capture

Credential API Hooking

Command and Control

Application Layer Protocol

File Transfer Protocols

Communication Through Removable Media

Standard Encoding

Non-Standard Encoding

Data Obfuscation

Protocol Impersonation

Dynamic Resolution

Domain Generation Algorithms

DNS Calculation

Encrypted Channel

Symmetric Cryptography

Asymmetric Cryptography

Fallback Channels

Ingress Tool Transfer

Multi-Stage Channels

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

Multi-hop Proxy

Domain Fronting

Remote Access Software

Traffic Signaling

Dead Drop Resolver

Bidirectional Communication

One-Way Communication

Automated Exfiltration

Traffic Duplication

Data Transfer Size Limits

Exfiltration Over Alternative Protocol

Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over C2 Channel

Exfiltration Over Other Network Medium

Exfiltration Over Bluetooth

Exfiltration Over Physical Medium

Exfiltration over USB

Exfiltration Over Web Service

Exfiltration to Code Repository

Exfiltration to Cloud Storage

Scheduled Transfer

Transfer Data to Cloud Account

Account Access Removal

Data Destruction

Data Encrypted for Impact

Data Manipulation

Stored Data Manipulation

Transmitted Data Manipulation

Runtime Data Manipulation

Internal Defacement

External Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

OS Exhaustion Flood

Service Exhaustion Flood

Application Exhaustion Flood

Application or System Exploitation

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Direct Network Flood

Reflection Amplification

Resource Hijacking

System Shutdown/Reboot

Deliver Malicious App via Authorized App Store

Deliver Malicious App via Other Means

Drive-by Compromise

Exploit via Charging Station or PC

Exploit via Radio Interfaces

Install Insecure or Malicious Configuration

Lockscreen Bypass

Masquerade as Legitimate Application

Supply Chain Compromise

Broadcast Receivers

Command-Line Interface

Scheduled Task/Job

Broadcast Receivers

Compromise Application Executable

Foreground Persistence

Modify Cached Executable Code

Modify OS Kernel or Boot Partition

Modify System Partition

Modify Trusted Execution Environment

Scheduled Task/Job

Privilege Escalation

Device Administrator Permissions

Exploit OS Vulnerability

Exploit TEE Vulnerability

Defense Evasion

Application Discovery

Delete Device Data

Disguise Root/Jailbreak Indicators

Download New Code at Runtime

Evade Analysis Environment

Input Injection

Install Insecure or Malicious Configuration

Masquerade as Legitimate Application

Modify OS Kernel or Boot Partition

Modify System Partition

Modify Trusted Execution Environment

Obfuscated Files or Information

Proxy Through Victim

Suppress Application Icon

Uninstall Malicious Application

Credential Access

Access Notifications

Access Sensitive Data in Device Logs

Access Stored Application Data

Capture Clipboard Data

Capture SMS Messages

Exploit TEE Vulnerability

Network Traffic Capture or Redirection

Application Discovery

Evade Analysis Environment

File and Directory Discovery

Location Tracking

Network Service Scanning

Process Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

Lateral Movement

Attack PC via USB Connection

Exploit Enterprise Resources

Access Calendar Entries

Access Call Log

Access Contact List

Access Notifications

Access Sensitive Data in Device Logs

Access Stored Application Data

Capture Clipboard Data

Capture SMS Messages

Data from Local System

Foreground Persistence

Location Tracking

Network Information Discovery

Network Traffic Capture or Redirection

Command and Control

Alternate Network Mediums

Commonly Used Port

Domain Generation Algorithms

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Uncommonly Used Port

Alternate Network Mediums

Commonly Used Port

Standard Application Layer Protocol

Carrier Billing Fraud

Clipboard Modification

Data Encrypted for Impact

Delete Device Data

Generate Fraudulent Advertising Revenue

Input Injection

Manipulate App Store Rankings or Ratings

Modify System Partition

Network Effects

Downgrade to Insecure Protocols

Eavesdrop on Insecure Network Communication

Exploit SS7 to Redirect Phone Calls/SMS

Exploit SS7 to Track Device Location

Jamming or Denial of Service

Manipulate Device Communication

Rogue Cellular Base Station

Rogue Wi-Fi Access Points

Remote Service Effects

Obtain Device Cloud Backups

Remotely Track Device Without Authorization

Remotely Wipe Data Without Authorization

Stage Capabilities: Upload Malware

Other sub-techniques of Stage Capabilities (5)

ID	Name
T1608.001	Upload Malware
T1608.002	Upload Tool
T1608.003	Install Digital Certificate
T1608.004	Drive-by Target
T1608.005	Link Target

Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.

Malware may be placed on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Malware can also be staged on web services, such as GitHub or Pastebin.^[1]

Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via User Execution. Masquerading may increase the chance of users mistakenly executing these files.

ID: T1608.001

Sub-technique of: T1608

ⓘ

Tactic: Resource Development

ⓘ

Platforms: PRE

Contributors: Kobi Haimovich, CardinalOps

Version: 1.1

Created: 17 March 2021

Last Modified: 17 October 2021

Provided by LAYER 8

Procedure Examples

ID	Name	Description
G0050	APT32	APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting.^[1]
G0139	TeamTNT	TeamTNT has uploaded backdoored Docker images to Docker Hub.^[2]

Mitigations

ID	Mitigation	Description
M1056	Pre-compromise	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID	Data Source	Data Component
DS0035	Internet Scan	Response Content

If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle, such as User Execution or Ingress Tool Transfer.

References

Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.

Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 22, 2021.