The sub-techniques beta is now live! Read the release blog post for more info.

Upload, install, and configure software/tools

An adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure. [1] [2]

ID: T1362
Tactic: Stage Capabilities
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018

Detection

Detectable by Common Defenses (Yes/No/Partial): No

Explanation: Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be observable to those being attacked.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS providers).

References

  1. Mandiant. (n.d.). APT1: Exposing One of China’s Cyber Espionage Units. Retrieved March 5, 2017.
  1. GReAT. (2013, January 17). “Red October”. Detailed Malware Description 4. Second Stage of Attack. Retrieved March 7, 2017.