MITRE ATT&CK® Technique

T1608: Stage Capabilities

Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.[1][2][3][4][5]

Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to):

  • Staging web resources necessary to conduct Drive-by Compromise when a user browses to a site.[6][7][8]
  • Staging web resources for a link target to be used with spearphishing.[9][10]
  • Uploading malware or tools to a location accessible to a victim network to enable Ingress Tool Transfer.[1]
  • Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: Asymmetric Cryptography with Web Protocols).[11]

Domain: Enterprise. ID: T1608. Type: Technique. Object version: 1.2.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Stage Capabilities is adversary preparation before an intrusion: placing malware, tools, certificates, drive-by content, phishing link targets, or SEO-poisoned content on infrastructure or cloud/web services so it is ready for use against victims. Its business significance is that risk may already be forming before any login attempt, malware alert, or endpoint compromise is visible. Leaders should treat this as a pre-compromise visibility and readiness problem, especially where phishing, web browsing, cloud-hosted content, and third-party infrastructure are common paths into the organization.

Executive priority

Prioritize this technique as an early-warning and resilience issue, not just a malware issue. The key executive question is whether the organization can recognize adversary preparation that may later enable phishing, drive-by compromise, ingress tool transfer, or encrypted command-and-control. Budget and control decisions should focus on pre-compromise monitoring, attack-surface reduction, cloud/web access governance, certificate and domain intelligence, and evidence that SOC and IR teams can pivot from suspicious staged infrastructure to user exposure and containment decisions.

Technical view

ATT&CK places T1608 in Resource Development on the PRE platform. The supplied ATT&CK description links staged capabilities to developed or obtained capabilities, acquired or compromised infrastructure, web services such as GitHub or Pastebin, PaaS offerings, drive-by resources, spearphishing link targets, uploaded malware/tools, and installed SSL/TLS certificates. SOC and detection teams should validate whether they can correlate external infrastructure indicators, suspicious URLs, certificate observations, cloud/PaaS-hosted content, proxy/DNS activity, email-link telemetry, and later endpoint or network events. Because official ATT&CK detection text is not provided, detection engineering should rely on the related DET0839 strategy where available and on local telemetry validation rather than assuming coverage.

Likely telemetry

  • DNS query and response logs for newly observed or suspicious domains linked from email, browsing, or alerts
  • Web proxy, secure web gateway, and browser telemetry showing visits to staged link targets or drive-by resources
  • Email security telemetry for spearphishing messages containing external links
  • TLS/certificate transparency or certificate inventory observations relevant to suspicious infrastructure
  • Cloud and PaaS access logs where users reach externally hosted applications or content
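
One way to turn the certificate and domain telemetry listed above into an early-warning check, written here as an added example (not Glexia or MITRE code). It walks certificate-transparency style records and flags freshly issued certificates for names that imitate the organization's brand, which is the kind of infrastructure an adversary prepares for Install Digital Certificate, Link Target or Drive-by Target staging. The organization domain, brand token, record layout and time window are assumptions for the example; the records are constructed.

```python
"""Flag newly issued certificates for lookalike domains (added example, not page code)."""
from datetime import datetime, timedelta, timezone

ORG_DOMAINS = {"glexia.example"}   # assumed: domains the organization owns (never flagged)
BRAND_TOKENS = {"glexia"}          # assumed: brand strings worth watching in foreign names

# Constructed records in the shape a CT-log monitor might emit. The field names
# are an assumption for this example, not any real feed's schema.
CT_RECORDS = [
    {"not_before": "2024-05-01T07:00:00Z", "issuer": "Example CA", "names": ["glexia.example", "www.glexia.example"]},
    {"not_before": "2024-05-01T07:30:00Z", "issuer": "Example CA", "names": ["glexia-login.example"]},
    {"not_before": "2024-05-01T08:00:00Z", "issuer": "Example CA", "names": ["g1exia.example"]},
    {"not_before": "2024-01-10T08:00:00Z", "issuer": "Example CA", "names": ["glexiia.example"]},   # old issuance
    {"not_before": "2024-05-01T09:00:00Z", "issuer": "Example CA", "names": ["unrelated.example"]},
]
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)   # constructed "current time"


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats such as g1exia/glexia."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(name):
    """Naive second-level label: 'login.glexia-portal.example' -> 'glexia-portal'."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_org_owned(name):
    """True for the organization's own names and their subdomains (avoids self-alerts)."""
    n = name.lower().lstrip("*.")
    return any(n == d or n.endswith("." + d) for d in ORG_DOMAINS)


def lookalike_reason(name):
    """Why a name resembles the brand, or None if it does not."""
    label = registrable_label(name)
    for token in BRAND_TOKENS:
        if token in label:
            return f"contains brand token '{token}'"
        dist = levenshtein(label, token)
        if dist <= 1:
            return f"edit distance {dist} from '{token}'"
    return None


def find_lookalikes(records, now, window_days=7):
    """Return findings for lookalike names on certificates issued inside the window."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for rec in records:
        issued = datetime.fromisoformat(rec["not_before"].replace("Z", "+00:00"))
        if issued < cutoff:
            continue   # not new; the window keeps the queue focused on fresh staging
        for name in rec["names"]:
            if is_org_owned(name):
                continue
            reason = lookalike_reason(name)
            if reason:
                findings.append({"name": name, "issuer": rec["issuer"],
                                 "not_before": rec["not_before"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(CT_RECORDS, NOW):
        print(f)
```

In production the organization's own certificate issuance is the main false-positive source, which is why owned domains are excluded before any similarity test; a real deployment would also feed hits into the DNS and proxy checks the page describes rather than alerting on the certificate alone.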

Detection direction

  • Confirm that PRE-stage indicators can be collected and triaged before endpoint compromise is visible; this technique often appears as infrastructure, URL, certificate, or hosted-content evidence rather than process telemetry.
  • Tune detections around suspicious external links, downloads, redirects, hosted payloads, and certificate-enabled infrastructure, while accounting for legitimate developer platforms, public paste sites, PaaS applications, and common content-hosting services that can create false positives.
  • Use relationship context from sub-techniques to structure coverage: Upload Malware, Upload Tool, Install Digital Certificate, Drive-by Target, Link Target, and SEO Poisoning each require different telemetry and triage playbooks.
  • Correlate email, DNS, proxy, TLS, and endpoint events so analysts can determine whether a staged resource was merely observed, delivered to a user, visited, downloaded from, or followed by execution.
  • Document blind spots where encrypted traffic, unmanaged browsers, off-network users, limited DNS retention, or lack of certificate/domain intelligence prevents early detection.

Mitigation priorities

  • Apply the related M1056 Pre-compromise mitigation direction by reducing attack surface and improving visibility into adversary preparation activity during Reconnaissance and Resource Development phases.
  • Strengthen controls around email links, web browsing, DNS filtering, and access to high-risk or newly observed hosted content without assuming all public cloud or PaaS use is malicious.
  • Maintain incident response procedures for rapid scoping of users who received, clicked, or downloaded from staged resources.
  • Validate certificate, domain, and infrastructure monitoring use cases that can support early warning and threat intelligence enrichment.
  • Prioritize user awareness and reporting paths for suspicious links as supporting controls, while relying on telemetry and technical enforcement for measurable coverage.
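
The correlation the detection direction calls for (was a staged resource merely observed, delivered, visited, downloaded from, or followed by execution?) and the rapid user scoping the mitigation priorities call for are the same join over the same logs. The following is an added example of that join (not Glexia or MITRE code): it takes one staged URL and the email-link, DNS, proxy and endpoint telemetry the page lists, reports how far the chain progressed per user, and flags missing intermediate stages so an analyst can tell a DNS blind spot from a user who never clicked. All records are constructed, the host uses the reserved .example TLD, and the field names are assumptions for the example.

```python
"""Exposure-chain correlation for one staged resource (added example, not page code)."""
from collections import defaultdict
from urllib.parse import urlparse

STAGES = ["delivered", "resolved", "visited", "downloaded", "executed"]

STAGED_URL = "https://cdn-update-portal.example/doc/update.exe"   # constructed staged payload

EMAIL_LINK_EVENTS = [  # constructed email-security telemetry: links extracted from messages
    {"ts": "2024-05-01T08:00:00Z", "user": "alice", "url": STAGED_URL},
    {"ts": "2024-05-01T08:00:02Z", "user": "bob",   "url": STAGED_URL},
    {"ts": "2024-05-01T08:01:00Z", "user": "carol", "url": "https://intranet.example/policy.pdf"},
]
DNS_EVENTS = [  # constructed resolver logs attributed to a user
    {"ts": "2024-05-01T08:05:00Z", "user": "alice", "qname": "cdn-update-portal.example."},
]
PROXY_EVENTS = [  # constructed secure web gateway logs
    {"ts": "2024-05-01T08:05:01Z", "user": "alice", "url": "https://cdn-update-portal.example/doc/",
     "status": 200, "content_type": "text/html"},
    {"ts": "2024-05-01T08:05:30Z", "user": "alice", "url": STAGED_URL,
     "status": 200, "content_type": "application/octet-stream"},
    # bob reaches the site with no DNS record: off-network resolver or short DNS retention
    {"ts": "2024-05-01T09:10:00Z", "user": "bob",   "url": "https://cdn-update-portal.example/doc/",
     "status": 200, "content_type": "text/html"},
]
ENDPOINT_EVENTS = [  # constructed EDR process-creation events
    {"ts": "2024-05-01T08:06:00Z", "user": "alice", "event": "process_create",
     "image": "C:\\Users\\alice\\Downloads\\update.exe"},
]


def _host(url):
    return (urlparse(url).hostname or "").lower().rstrip(".")


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def exposure_chain(staged_url, email_events, dns_events, proxy_events, endpoint_events):
    """Return {user: {"furthest": stage, "stages": {stage: first_ts}, "gaps": [stage, ...]}}."""
    host = _host(staged_url)
    path = urlparse(staged_url).path
    payload_name = _basename(path)
    reached = defaultdict(dict)

    def mark(user, stage, ts):
        if stage not in reached[user] or ts < reached[user][stage]:
            reached[user][stage] = ts   # keep the earliest sighting of each stage

    for e in email_events:
        if _host(e["url"]) == host:
            mark(e["user"], "delivered", e["ts"])
    for e in dns_events:
        if e["qname"].lower().rstrip(".") == host:
            mark(e["user"], "resolved", e["ts"])
    for e in proxy_events:
        if _host(e["url"]) != host:
            continue
        mark(e["user"], "visited", e["ts"])
        # a successful fetch of the payload path with a non-text body counts as a download
        if e["status"] == 200 and urlparse(e["url"]).path == path and not e["content_type"].startswith("text/"):
            mark(e["user"], "downloaded", e["ts"])
    for e in endpoint_events:
        if e["event"] == "process_create" and payload_name and _basename(e["image"]) == payload_name:
            mark(e["user"], "executed", e["ts"])

    report = {}
    for user, stages in reached.items():
        furthest = max(stages, key=STAGES.index)
        expected = STAGES[: STAGES.index(furthest) + 1]
        report[user] = {
            "furthest": furthest,
            "stages": dict(sorted(stages.items(), key=lambda kv: STAGES.index(kv[0]))),
            # stages a later stage implies but no log shows: a telemetry gap, not proof of absence
            "gaps": [s for s in expected if s not in stages],
        }
    return report


def triage_order(report):
    """Users ordered by how far the chain progressed, furthest first."""
    return sorted(report, key=lambda u: STAGES.index(report[u]["furthest"]), reverse=True)


if __name__ == "__main__":
    result = exposure_chain(STAGED_URL, EMAIL_LINK_EVENTS, DNS_EVENTS, PROXY_EVENTS, ENDPOINT_EVENTS)
    for user in triage_order(result):
        print(user, result[user])
```

With the constructed data, alice shows every stage through execution and no gaps, bob shows delivery and a visit with "resolved" reported as a gap (the DNS blind spot the page tells teams to document), and carol never appears because her link pointed elsewhere. The gap list is the piece worth keeping: it separates "no evidence because nothing happened" from "no evidence because that log is not collected for this user".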

Analyst notes and limits

The strongest operational value of T1608 is its position before initial access: it gives defenders a chance to identify preparation infrastructure and staged content before or during targeting. The related sub-techniques provide a useful coverage checklist. The supplied relationship also notes Mustang Panda uses this technique, but that should be treated only as ATT&CK relationship context and not as evidence of attribution in a local incident.

Official ATT&CK detection guidance for this object is not provided in the supplied fields. The related DET0839 detection strategy is named but not described here, so specific analytics cannot be asserted from the provided data. Local environment evidence is required to determine actual exposure, coverage, false positives, and incident priority.

Official MITRE ATT&CK definition

The official technique text is reproduced verbatim at the top of this page. The same entry can be viewed on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Related sub-techniques (6 rows)

Domain      ID          Name                         Relationship
Enterprise  T1608.001   Upload Malware               Sub-technique of T1608
Enterprise  T1608.002   Upload Tool                  Sub-technique of T1608
Enterprise  T1608.003   Install Digital Certificate  Sub-technique of T1608
Enterprise  T1608.004   Drive-by Target              Sub-technique of T1608
Enterprise  T1608.005   Link Target                  Sub-technique of T1608
Enterprise  T1608.006   SEO Poisoning                Sub-technique of T1608

Associated objects

Groups, software, and campaigns

Group (Enterprise): G0129 Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]

Mitigations

M1056: Pre-compromise (the mitigation referenced in the analysis above; the mitigation text itself is not mirrored on this page).
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: a6f07a5734a8c3c6...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.2                       Current bundle  a6f07a5734a8…


Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Volexity Ocean Lotus November 2020: Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
[2] Dragos Heroku Watering Hole: Kent Backman. (2021, May 18). When Intrusions Don't Align: A New Water Watering Hole and Oldsmar. Retrieved August 18, 2022.
[3] Malwarebytes Heroku Skimmers: Jérôme Segura. (2019, December 4). There's an app for that: web skimmers found on PaaS Heroku. Retrieved August 18, 2022.
[4] Netskope GCP Redirection: Ashwin Vamshi. (2019, January 24). Targeted Attacks Abusing Google Cloud Platform Open Redirection. Retrieved August 18, 2022.
[5] Netskope Cloud Phishing: Ashwin Vamshi. (2020, August 12). A Big Catch: Cloud Phishing from Google App Engine and Azure App Service. Retrieved August 18, 2022.
[6] FireEye CFR Watering Hole 2012: Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved November 17, 2024.
[7] Gallagher 2015: Gallagher, S. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as "watering holes". Retrieved January 25, 2016.
[8] ATT ScanBox: Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.
[9] Malwarebytes Silent Librarian October 2020: Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021.
[10] Proofpoint TA407 September 2019: Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.
[11] DigiCert Install SSL Cert: DigiCert. (n.d.). How to Install an SSL Certificate. Retrieved April 19, 2021.
[12] mitre-attack T1608: MITRE ATT&CK source record for T1608.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.