Upload Tool (T1608.002)

Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server. Tools may be placed on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo. Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool.

Source: https://github.com/mitre/cti
Related Prelude attack chains
Release Date (Newest)
Search for chains, TTPs, themes, and text

Browse By:


  • All
  • Windows
  • Darwin
  • Linux
  • Global
  • Android




Is my host protected against SSP abuse?


Abusing Windows Security Support Provider (SSP) and Authentication Packages (AP) in the form of DLLs that are injected into the LSASS.exe process on system boot.
APT38 Pharmaceutical Attacks


Bypass MOTW execution restriction using a file archive.
APT38 WannaCry


Perform lateral movement using EternalBlue and DoublePulsar exploits.
APT38 DarkSeoul


Destructive Master Boot Record (MBR) wiper malware.
Staging Server (Server-side)


Deploy capabilities to a staging server and establish a reverse proxy.