|Platform||Linux, macOS, Windows|
|Data Sources||File monitoring, Process monitoring, Process command-line parameters|
Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted.
Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
- APT28 has stored captured credential information in a file named pi.log.1
- APT3 has been known to stage files for exfiltration in a single location. 2
- FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.3
- TRINITY malware used by FIN6 identifies payment card track data on the victim and then copies it to a local file in a subdirectory of
C:\Windows\. Once the malware collects the data, FIN6 actors compressed data and moved it to another staging system before exfiltration.4
- FIN8 aggregates staged data from a network into a single location.5
- Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.6
- Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.7
- Threat Group-3390 actors saved RAR files for exfiltration in the Recycler directory. They have also staged RAR files, renamed with a .zip file extension, on externally accessible Web servers and then issued HTTP GET requests to exfiltrate the files from the victim network.8
- Threat Group-3390 has staged encrypted archives for exfiltration on Internet-facing servers that had previously been compromised with China Chopper.9
- menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.10
- ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.11
- BADNEWS copies documents under 15MB found on the victim system to is the user's
- stages collected data in a text file.13
- Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.14
- FLASHFLOOD stages data it copies from the local system or removable drives in the "%WINDIR%\$NtUninstallKB885884$\" directory.15
- Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.16
- MoonWind saves information from its keylogging routine as a .zip file in the present working directory.17
- PUNCHTRACK aggregates collected data in a tmp file.5
- Prikormka creates a directory,
%USERPROFILE%\AppData\Local\SKC\, which is used to store collected log files.18
- Pteranodon creates various subdirectories under
%Temp%\reports\%and copies files to those subdirectories. It also creates a folder at
C:\Users\<Username>\AppData\Roaming\Microsoft\storeto store screenshot JPEG files.19
- Data captured by RawPOS is placed in a temporary file under a directory named "memdump".20
- Rover copies files from removable drives to
- SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.15
- Trojan.Karagany can create a directory (
C:\ProgramData\Mail\MailAg\gl) to use as a temporary directory for uploading files.22
- USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.2324
Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting25 tools, like AppLocker,2627 or Software Restriction Policies28 where appropriate.29
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.
- Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
- Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
- FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
- Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
- Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
- Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
- Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
- Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.