MITRE ATT&CK Technique
Description
Adversaries may upload tools to third-party or adversary-controlled infrastructure to make them accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet-accessible web server.

Tools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary-controlled GitHub repo, or on Platform-as-a-Service offerings that enable users to easily provision applications.(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Intezer App Service Phishing)

Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary-controlled GitHub repo), including the original hosting site of the tool.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2021-03-17T20:31:07.828Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may upload tools to third-party or adversary '
'controlled infrastructure to make it accessible during '
'targeting. Tools can be open or closed source, free or '
'commercial. Tools can be used for malicious purposes by an '
'adversary, but (unlike malware) were not intended to be used '
'for those purposes (ex: '
'[PsExec](https://attack.mitre.org/software/S0029)). '
'Adversaries may upload tools to support their operations, '
'such as making a tool available to a victim network to enable '
'[Ingress Tool '
'Transfer](https://attack.mitre.org/techniques/T1105) by '
'placing it on an Internet accessible web server.\n'
'\n'
'Tools may be placed on infrastructure that was previously '
'purchased/rented by the adversary ([Acquire '
'Infrastructure](https://attack.mitre.org/techniques/T1583)) '
'or was otherwise compromised by them ([Compromise '
'Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: '
'Dell TG-3390) Tools can also be staged on web services, such '
'as an adversary controlled GitHub repo, or on '
'Platform-as-a-Service offerings that enable users to easily '
'provision applications.(Citation: Dragos Heroku Watering '
'Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: '
'Intezer App Service Phishing)\n'
'\n'
'Adversaries can avoid the need to upload a tool by having '
'compromised victim machines download the tool directly from a '
'third-party hosting location (ex: a non-adversary controlled '
'GitHub repo), including the original hosting site of the '
'tool.',
'external_references': [{'external_id': 'T1608.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1608/002'},
{'description': 'Dell SecureWorks Counter Threat Unit '
'Threat Intelligence. (2015, August '
'5). Threat Group-3390 Targets '
'Organizations for Cyberespionage. '
'Retrieved August 18, 2018.',
'source_name': 'Dell TG-3390',
'url': 'https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage'},
{'description': 'Jérôme Segura. (2019, December 4). '
"There's an app for that: web "
'skimmers found on PaaS Heroku. '
'Retrieved August 18, 2022.',
'source_name': 'Malwarebytes Heroku Skimmers',
'url': 'https://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku'},
{'description': 'Kent Backman. (2021, May 18). When '
'Intrusions Don’t Align: A New Water '
'Watering Hole and Oldsmar. Retrieved '
'August 18, 2022.',
'source_name': 'Dragos Heroku Watering Hole',
'url': 'https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/'},
{'description': 'Paul Litvak. (2020, October 8). Kud '
'I Enter Your Server? New '
'Vulnerabilities in Microsoft Azure. '
'Retrieved August 18, 2022.',
'source_name': 'Intezer App Service Phishing',
'url': 'https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/'}],
'id': 'attack-pattern--506f6f49-7045-4156-9007-7474cb44ad6d',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:48:46.160Z',
'name': 'Upload Tool',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.2'}