Data Staged

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.[1]

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.[2]

Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

ID: T1074
Sub-techniques:  T1074.001, T1074.002
Tactic: Collection
Platforms: IaaS, Linux, Windows, macOS
Contributors: Praetorian; Shane Tully, @securitygypsy
Version: 1.4
Created: 31 May 2017
Last Modified: 30 September 2024

Procedure Examples

ID Name Description
G1032 INC Ransom

INC Ransom has staged data on compromised hosts prior to exfiltration.[3][4]

S1020 Kevin

Kevin can create directories to store logs and other collected data.[5]

S0641 Kobalos

Kobalos can write captured SSH connection credentials to a file under the /var/run directory with a .pid extension for exfiltration.[6]

S1076 QUIETCANARY

QUIETCANARY has the ability to stage data prior to exfiltration.[7]

G1015 Scattered Spider

Scattered Spider stages data in a centralized database prior to exfiltration.[8]

S1019 Shark

Shark has stored information in folders named U1 and U2 prior to exfiltration.[9]

G1017 Volt Typhoon

Volt Typhoon has staged collected data in password-protected archives.[10]

G0102 Wizard Spider

Wizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin TrickBot modules.[11]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

DS0022 File File Access

Monitor processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.

File Creation

Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.

DS0024 Windows Registry Windows Registry Key Modification

Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.

References