Data Staged: Remote Data Staging

ID Name
T1074.001 Local Data Staging
T1074.002 Remote Data Staging

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.[1]

By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.

ID: T1074.002
Sub-technique of:  T1074
Tactic: Collection
Platforms: IaaS, Linux, Windows, macOS
Contributors: Praetorian
Version: 1.1
Created: 13 March 2020
Last Modified: 08 March 2021

Procedure Examples

ID Name Description
G0007 APT28

APT28 has staged archives of collected data on a target's Outlook Web Access (OWA) server.[2]

S1043 ccf32

ccf32 has copied files to a remote machine infected with Chinoxy or another backdoor.[3]

G0114 Chimera

Chimera has staged stolen data on designated servers in the target environment.[4]

G0037 FIN6

FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.[5]

G0061 FIN8

FIN8 aggregates staged data from a network into a single location.[6]

G0065 Leviathan

Leviathan has staged data remotely prior to exfiltration.[7]

G0045 menuPass

menuPass has staged data on remote MSP systems or other victim networks prior to exfiltration.[8][9]

G1019 MoustachedBouncer

MoustachedBouncer has used plugins to save captured screenshots to .\AActdata\ on an SMB share.[10]

C0002 Night Dragon

During Night Dragon, threat actors copied files to company web servers and subsequently downloaded them.[11]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 staged data and files in password-protected archives on a victim's OWA server.[12]

G0027 Threat Group-3390

Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration.[13]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

DS0022 File File Access

Monitor processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.

File Creation

Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.

References