MITRE ATT&CK Technique
Resource Development T1608
Description

Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)

Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to):

* Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox)
* Staging web resources for a link target to be used with spearphishing.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019)
* Uploading malware or tools to a location accessible to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation: Volexity Ocean Lotus November 2020)
* Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation: DigiCert Install SSL Cert)

Supported Platforms
PRE
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2021-03-17T20:04:09.331Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may upload, install, or otherwise set up '
                'capabilities that can be used during targeting. To support '
                'their operations, an adversary may need to take capabilities '
                'they developed ([Develop '
                'Capabilities](https://attack.mitre.org/techniques/T1587)) or '
                'obtained ([Obtain '
                'Capabilities](https://attack.mitre.org/techniques/T1588)) and '
                'stage them on infrastructure under their control. These '
                'capabilities may be staged on infrastructure that was '
                'previously purchased/rented by the adversary ([Acquire '
                'Infrastructure](https://attack.mitre.org/techniques/T1583)) '
                'or was otherwise compromised by them ([Compromise '
                'Infrastructure](https://attack.mitre.org/techniques/T1584)). '
                'Capabilities may also be staged on web services, such as '
                'GitHub or Pastebin, or on Platform-as-a-Service (PaaS) '
                'offerings that enable users to easily provision '
                'applications.(Citation: Volexity Ocean Lotus November '
                '2020)(Citation: Dragos Heroku Watering Hole)(Citation: '
                'Malwarebytes Heroku Skimmers)(Citation: Netskope GCP '
                'Redirection)(Citation: Netskope Cloud Phishing)\n'
                '\n'
                'Staging of capabilities can aid the adversary in a number of '
                'initial access and post-compromise behaviors, including (but '
                'not limited to):\n'
                '\n'
                '* Staging web resources necessary to conduct [Drive-by '
                'Compromise](https://attack.mitre.org/techniques/T1189) when a '
                'user browses to a site.(Citation: FireEye CFR Watering Hole '
                '2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox)\n'
                '* Staging web resources for a link target to be used with '
                'spearphishing.(Citation: Malwarebytes Silent Librarian '
                'October 2020)(Citation: Proofpoint TA407 September 2019)\n'
                '* Uploading malware or tools to a location accessible to a '
                'victim network to enable [Ingress Tool '
                'Transfer](https://attack.mitre.org/techniques/T1105).(Citation: '
                'Volexity Ocean Lotus November 2020)\n'
                '* Installing a previously acquired SSL/TLS certificate to use '
                'to encrypt command and control traffic (ex: [Asymmetric '
                'Cryptography](https://attack.mitre.org/techniques/T1573/002) '
                'with [Web '
                'Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation: '
                'DigiCert Install SSL Cert)',
 'external_references': [{'external_id': 'T1608',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1608'},
                         {'description': 'Adair, S. and Lancaster, T. (2020, '
                                         'November 6). OceanLotus: Extending '
                                         'Cyber Espionage Operations Through '
                                         'Fake Websites. Retrieved November '
                                         '20, 2020.',
                          'source_name': 'Volexity Ocean Lotus November 2020',
                          'url': 'https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/'},
                         {'description': 'Ashwin Vamshi. (2019, January 24). '
                                         'Targeted Attacks Abusing Google '
                                         'Cloud Platform Open Redirection. '
                                         'Retrieved August 18, 2022.',
                          'source_name': 'Netskope GCP Redirection',
                          'url': 'https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection'},
                         {'description': 'Ashwin Vamshi. (2020, August 12). A '
                                         'Big Catch: Cloud Phishing from '
                                         'Google App Engine and Azure App '
                                         'Service. Retrieved August 18, 2022.',
                          'source_name': 'Netskope Cloud Phishing',
                          'url': 'https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service'},
                         {'description': 'Blasco, J. (2014, August 28). '
                                         'Scanbox: A Reconnaissance Framework '
                                         'Used with Watering Hole Attacks. '
                                         'Retrieved October 19, 2020.',
                          'source_name': 'ATT ScanBox',
                          'url': 'https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks'},
                         {'description': 'DigiCert. (n.d.). How to Install an '
                                         'SSL Certificate. Retrieved April 19, '
                                         '2021.',
                          'source_name': 'DigiCert Install SSL Cert',
                          'url': 'https://www.digicert.com/kb/ssl-certificate-installation.htm'},
                         {'description': 'Gallagher, S.. (2015, August 5). '
                                         'Newly discovered Chinese hacking '
                                         'group hacked 100+ websites to use as '
                                         '“watering holes”. Retrieved January '
                                         '25, 2016.',
                          'source_name': 'Gallagher 2015',
                          'url': 'http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/'},
                         {'description': 'Jérôme Segura. (2019, December 4). '
                                         "There's an app for that: web "
                                         'skimmers found on PaaS Heroku. '
                                         'Retrieved August 18, 2022.',
                          'source_name': 'Malwarebytes Heroku Skimmers',
                          'url': 'https://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku'},
                         {'description': 'Kent Backman. (2021, May 18). When '
                                         'Intrusions Don’t Align: A New Water '
                                         'Watering Hole and Oldsmar. Retrieved '
                                         'August 18, 2022.',
                          'source_name': 'Dragos Heroku Watering Hole',
                          'url': 'https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/'},
                         {'description': 'Kindlund, D. (2012, December 30). '
                                         'CFR Watering Hole Attack Details. '
                                         'Retrieved November 17, 2024.',
                          'source_name': 'FireEye CFR Watering Hole 2012',
                          'url': 'https://web.archive.org/web/20201024230407/https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html'},
                         {'description': 'Malwarebytes Threat Intelligence '
                                         'Team. (2020, October 14). Silent '
                                         'Librarian APT right on schedule for '
                                         '20/21 academic year. Retrieved '
                                         'February 3, 2021.',
                          'source_name': 'Malwarebytes Silent Librarian '
                                         'October 2020',
                          'url': 'https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/'},
                         {'description': 'Proofpoint Threat Insight Team. '
                                         '(2019, September 5). Threat Actor '
                                         'Profile: TA407, the Silent '
                                         'Librarian. Retrieved February 3, '
                                         '2021.',
                          'source_name': 'Proofpoint TA407 September 2019',
                          'url': 'https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian'}],
 'id': 'attack-pattern--84771bc3-f6a0-403e-b144-01af70e5fda0',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'resource-development'}],
 'modified': '2025-10-24T17:49:03.444Z',
 'name': 'Stage Capabilities',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['PRE'],
 'x_mitre_version': '1.2'}
Related Threat Actors (3)
Mustang Panda
High

APT-C-36
High

APT32
High