Upload, install, and configure software/tools
An adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure.  
Detectable by Common Defenses (Yes/No/Partial): No
Explanation: Infrastructure is (typically) outside the control/visibility of the defender, so tools staged for specific campaigns will not be observable to those being attacked.
Difficulty for the Adversary
Easy for the Adversary (Yes/No): Yes
Explanation: The adversary has control of the infrastructure and will likely be able to add/remove tools on it, whether the infrastructure was acquired via hacking or standard computer acquisition (e.g., AWS [https://aws.amazon.com], VPS providers).