Stage Capabilities (T1608)

Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020) Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to): * Staging web resources necessary to conduct Drive-by Compromise when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox) * Staging web resources for a link target to be used with spearphishing.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) * Uploading malware or tools to a location accessible to a victim network to enable Ingress Tool Transfer.(Citation: Volexity Ocean Lotus November 2020) * Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: Asymmetric Cryptography with Web Protocols).(Citation: DigiCert Install SSL Cert)

Source: https://github.com/mitre/cti
Related Prelude attack chains
Release Date (Newest)
Filterfilter
Search for chains, TTPs, themes, and text

Browse By:

Platforms

  • All
  • Windows
  • Linux
  • Darwin
  • Global
  • Android

Themes

Tags

Licenses

APT38 Pharmaceutical Attacks

2022-06-28

/static/assets/apple-logo.svg/static/assets/windows-logo.svg
Bypass MOTW execution restriction using a file archive.
GTsST Iron Viking AWFULSHRED

2022-06-22

/static/assets/linux-logo.svg
SSH worm which installs a wiper on the machine it has infected
APT38 WannaCry

2022-05-31

/static/assets/windows-logo.svg/static/assets/apple-logo.svg/static/assets/linux-logo.svg
Perform lateral movement using EternalBlue and DoublePulsar exploits.
APT38 DarkSeoul

2022-05-16

/static/assets/windows-logo.svg
Destructive Master Boot Record (MBR) wiper malware.
Staging Server (Server-side)

2021-11-30

/static/assets/linux-logo.svg/static/assets/apple-logo.svg
Deploy capabilities to a staging server and establish a reverse proxy.
Sequoia

2021-10-26

/static/assets/linux-logo.svg
Elevate an unprivileged user to root privileges via CVE-2021-33909 (Sequoia) exploitation.