{
"type": "bundle",
"id": "bundle--9a91383c-8e7e-400d-9c27-3bac66d4ce21",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--84771bc3-f6a0-403e-b144-01af70e5fda0",
"created": "2021-03-17T20:04:09.331Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1608",
"external_id": "T1608"
},
{
"source_name": "Volexity Ocean Lotus November 2020",
"description": "Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.",
"url": "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/"
},
{
"source_name": "Netskope GCP Redirection",
"description": "Ashwin Vamshi. (2019, January 24). Targeted Attacks Abusing Google Cloud Platform Open Redirection. Retrieved August 18, 2022.",
"url": "https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection"
},
{
"source_name": "Netskope Cloud Phishing",
"description": "Ashwin Vamshi. (2020, August 12). A Big Catch: Cloud Phishing from Google App Engine and Azure App Service. Retrieved August 18, 2022.",
"url": "https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service"
},
{
"source_name": "ATT ScanBox",
"description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
"url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
},
{
"source_name": "DigiCert Install SSL Cert",
"description": "DigiCert. (n.d.). How to Install an SSL Certificate. Retrieved April 19, 2021.",
"url": "https://www.digicert.com/kb/ssl-certificate-installation.htm"
},
{
"source_name": "Gallagher 2015",
"description": "Gallagher, S. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d. Retrieved January 25, 2016.",
"url": "http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/"
},
{
"source_name": "Malwarebytes Heroku Skimmers",
"description": "J\u00e9r\u00f4me Segura. (2019, December 4). There's an app for that: web skimmers found on PaaS Heroku. Retrieved August 18, 2022.",
"url": "https://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku"
},
{
"source_name": "Dragos Heroku Watering Hole",
"description": "Kent Backman. (2021, May 18). When Intrusions Don\u2019t Align: A New Water Watering Hole and Oldsmar. Retrieved August 18, 2022.",
"url": "https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/"
},
{
"source_name": "FireEye CFR Watering Hole 2012",
"description": "Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved November 17, 2024.",
"url": "https://web.archive.org/web/20201024230407/https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html"
},
{
"source_name": "Malwarebytes Silent Librarian October 2020",
"description": "Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021.",
"url": "https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/"
},
{
"source_name": "Proofpoint TA407 September 2019",
"description": "Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.",
"url": "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-10-24T17:49:03.444Z",
"name": "Stage Capabilities",
"description": "Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)\n\nStaging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to):\n\n* Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox)\n* Staging web resources for a link target to be used with spearphishing.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019)\n* Uploading malware or tools to a location accessible to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation: Volexity Ocean Lotus November 2020)\n* Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation: DigiCert Install SSL Cert)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_deprecated": false,
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_is_subtechnique": false,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.2"
}
]
}