# Data Staged

Data Staged
Technique
ID T1074
Tactic Collection
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X
Data Sources File monitoring, Process monitoring, Process command-line parameters

Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted.

Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

## Examples

• APT28 has stored captured credential information in a file named pi.log.1
• TRINITY malware used by FIN6 identifies payment card track data on the victim and then copies it to a local file in a subdirectory of C:\Windows\. Once the malware collects the data, FIN6 actors compressed data and moved it to another staging system before exfiltration.2
• Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.3
• Threat Group-3390 has staged encrypted archives for exfiltration on Internet-facing servers that had previously been compromised with China Chopper.4
• Threat Group-3390 actors saved RAR files for exfiltration in the Recycler directory. They have also staged RAR files, renamed with a .zip file extension, on externally accessible Web servers and then issued HTTP GET requests to exfiltrate the files from the victim network.5
• menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.6
• ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.7
• BADNEWS copies documents under 15MB found on the victim system to is the user's %temp%\SMB\ folder.8
• Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.9
• FLASHFLOOD stages data it copies from the local system or removable drives in the "%WINDIR%\$NtUninstallKB885884$\" directory.10
• MoonWind saves information from its keylogging routine as a .zip file in the present working directory.11
• Prikormka creates a directory, %USERPROFILE%\AppData\Local\SKC\, which is used to store collected log files.12
• Pteranodon creates various subdirectories under %Temp%\reports\% and copies files to those subdirectories. It also creates a folder at C:\Users\<Username>\AppData\Roaming\Microsoft\store to store screenshot JPEG files.13
• Rover copies files from removable drives to C:\system.14
• SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.10
• Trojan.Karagany can create a directory (C:\ProgramData\Mail\MailAg\gl) to use as a temporary directory for uploading files.15
• USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.1617

## Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting18 tools, like AppLocker,1920 or Software Restriction Policies21 where appropriate.22

## Detection

Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files.

Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.