1. Home
  2. Techniques
  3. Enterprise
  4. Data Staged
  5. Remote Data Staging

Data Staged: Remote Data Staging

ID Name
T1074.001 Local Data Staging
T1074.002 Remote Data Staging

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.[1]

By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.

ID: T1074.002
Sub-technique of:  T1074
Tactic: Collection
Platforms: ESXi, IaaS, Linux, Windows, macOS
Contributors: Praetorian
Version: 1.2
Created: 13 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0007 APT28

APT28 has staged archives of collected data on a target's Outlook Web Access (OWA) server.[2]
S1043 ccf32

ccf32 has copied files to a remote machine infected with Chinoxy or another backdoor.[3]
G0114 Chimera

Chimera has staged stolen data on designated servers in the target environment.[4]
G0037 FIN6

FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.[5]
G0061 FIN8

FIN8 aggregates staged data from a network into a single location.[6]
G0065 Leviathan

Leviathan has staged data remotely prior to exfiltration.[7]
G0045 menuPass

menuPass has staged data on remote MSP systems or other victim networks prior to exfiltration.[8][9]
G1019 MoustachedBouncer

MoustachedBouncer has used plugins to save captured screenshots to .\AActdata\ on an SMB share.[10]
C0002 Night Dragon

During Night Dragon, threat actors copied files to company web servers and subsequently downloaded them.[11]
G1041 Sea Turtle

Sea Turtle staged collected email archives in the public web directory of a website that was accessible from the internet.[12]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 staged data and files in password-protected archives on a victim's OWA server.[13]
G0027 Threat Group-3390

Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration.[14]
G1022 ToddyCat

ToddyCat manually transferred collected files to an exfiltration host using xcopy.[15]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0071 Detection of Remote Data Staging Prior to Exfiltration AN0194

Detects file transfers or mounting operations from remote hosts followed by write actions into a local staging directory, often using SMB or remote shell activity.
AN0195

Detects inbound SCP, rsync, or NFS mounts from remote systems followed by aggregation of files into known staging paths like /mnt/staging or /var/tmp.
AN0196

Detects rsync or scp inbound from other hosts that then aggregate content into /Users/Shared or /private/tmp, often involving compressed files or scripts.
AN0197

Detects remote writes or snapshots mounted from other systems into a central ESXi VMFS path or NFS store used for remote staging of files before exfiltration.
AN0198

Detects remote write activity across cloud VMs or object storage buckets within the same region/account that correlate with data aggregation across hosts.

References

  1. Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.
  2. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  3. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  4. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  5. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024.
  6. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  7. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  8. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  1. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  2. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  3. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  4. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024.
  5. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  6. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  7. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.