ID | Name |
---|---|
T1074.001 | Local Data Staging |
T1074.002 | Remote Data Staging |
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
ID | Name | Description |
---|---|---|
S0045 | ADVSTORESHELL |
ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.[1] |
S0622 | AppleSeed |
AppleSeed can stage files in a central location prior to exfiltration.[2] |
G0007 | APT28 |
APT28 has stored captured credential information in a file named pi.log.[3] |
G0022 | APT3 |
APT3 has been known to stage files for exfiltration in a single location.[4] |
G0087 | APT39 |
APT39 has utilized tools to aggregate data prior to exfiltration.[5] |
S0373 | Astaroth |
Astaroth collects data in a plaintext file named r1.log before exfiltration. [6] |
S0438 | Attor |
Attor has staged collected data in a central upload directory prior to exfiltration.[7] |
G0135 | BackdoorDiplomacy |
BackdoorDiplomacy has copied files of interest to the main drive's recycle bin.[8] |
S0128 | BADNEWS |
BADNEWS copies documents under 15MB found on the victim system to is the user's |
S0337 | BadPatch |
BadPatch stores collected data in log files before exfiltration.[11] |
S0651 | BoxCaon |
BoxCaon has created a working folder for collected files that it sends to the C2 server.[12] |
S0274 | Calisto |
Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.[13][14] |
S0335 | Carbon |
Carbon creates a base directory that contains the files and folders that are collected.[15] |
S0261 | Catchamas |
Catchamas stores the gathered data from the machine in .db files and .bmp files under four separate locations.[16] |
G0114 | Chimera |
Chimera has staged stolen data locally on compromised hosts.[17] |
S0538 | Crutch |
Crutch has staged stolen files in the |
G0074 | Dragonfly 2.0 |
Dragonfly 2.0 created a directory named "out" in the user's %AppData% folder and copied files to it.[19] |
S0567 | Dtrack |
Dtrack can save collected data to disk, different file formats, and network shares.[20][21] |
S0038 | Duqu |
Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.[22] |
S0062 | DustySky |
DustySky created folders in temp directories to host collected files before exfiltration.[23] |
S0024 | Dyre |
Dyre has the ability to create files in a TEMP folder to act as a database to store information.[24] |
S0593 | ECCENTRICBANDWAGON |
ECCENTRICBANDWAGON has stored keystrokes and screenshots within the |
S0081 | Elise |
Elise creates a file in |
S0343 | Exaramel for Windows |
Exaramel for Windows specifies a path to store files scheduled for exfiltration.[27] |
G0053 | FIN5 |
FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.[28] |
S0036 | FLASHFLOOD |
FLASHFLOOD stages data it copies from the local system or removable drives in the "%WINDIR%\$NtUninstallKB885884$\" directory.[29] |
S0503 | FrameworkPOS |
FrameworkPOS can identifiy payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows.[30] |
G0093 | GALLIUM |
GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.[31] |
S0249 | Gold Dragon |
Gold Dragon stores information gathered from the endpoint in a file named 1.hwp.[32] |
S0170 | Helminth |
Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.[33] |
G0072 | Honeybee |
Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server.[34] |
G0119 | Indrik Spider |
Indrik Spider has stored collected date in a .tmp file.[35] |
S0260 | InvisiMole |
InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.[36][37] |
S0265 | Kazuar |
Kazuar stages command output and collected data in files before exfiltration.[38] |
S0526 | KGH_SPY |
KGH_SPY can save collected system information to a file named "info" before exfiltration.[39] |
G0094 | Kimsuky |
Kimsuky has staged collected data files under |
G0032 | Lazarus Group |
Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.[41][42] |
G0065 | Leviathan |
Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.[43][44] |
S0395 | LightNeuron |
LightNeuron can store email data in files and directories specified in its configuration, such as |
S0409 | Machete |
Machete stores files and logs in a folder on the local drive.[46][47] |
S0652 | MarkiRAT |
MarkiRAT can store collected data locally in a created .nfo file.[48] |
G0045 | menuPass |
menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.[49] |
S0443 | MESSAGETAP |
MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system.[50] |
S0149 | MoonWind |
MoonWind saves information from its keylogging routine as a .zip file in the present working directory.[51] |
G0129 | Mustang Panda |
Mustang Panda has stored collected credential files in |
S0247 | NavRAT |
NavRAT writes multiple outputs to a TMP file using the >> method.[54] |
S0198 | NETWIRE |
NETWIRE has the ability to write collected data to a file created in the |
S0353 | NOKKI |
NOKKI can collect data from the victim and stage it in |
S0644 | ObliqueRAT |
ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories.[57] |
S0340 | Octopus |
Octopus has stored collected information in the Application Data directory on a compromised host.[58][59] |
S0264 | OopsIE |
OopsIE stages the output from command execution and collected files in specific folders before exfiltration.[60] |
G0116 | Operation Wocao |
Operation Wocao has staged archived files in a temporary directory prior to exfiltration.[61] |
G0040 | Patchwork |
Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.[10] |
S0012 | PoisonIvy | |
S0113 | Prikormka |
Prikormka creates a directory, |
S0147 | Pteranodon |
Pteranodon creates various subdirectories under |
S0196 | PUNCHBUGGY |
PUNCHBUGGY has saved information to a random temp file before exfil.[65] |
S0197 | PUNCHTRACK |
PUNCHTRACK aggregates collected data in a tmp file.[66] |
S0650 | QakBot |
QakBot has stored stolen emails and other data into new folders prior to exfiltration.[67] |
S0629 | RainyDay |
RainyDay can use a file exfiltration tool to copy files to |
S0458 | Ramsay |
Ramsay can stage data prior to exfiltration in |
S0169 | RawPOS |
Data captured by RawPOS is placed in a temporary file under a directory named "memdump".[71] |
S0090 | Rover | |
G0121 | Sidewinder |
Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.[73] |
S0615 | SombRAT |
SombRAT can store harvested data in a custom database under the %TEMP% directory.[74] |
S0035 | SPACESHIP |
SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.[29] |
G0088 | TEMP.Veles |
TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.[75] |
G0027 | Threat Group-3390 |
Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.[76] |
S0094 | Trojan.Karagany |
Trojan.Karagany can create directories to store plugin output and stage data for exfiltration.[77][78] |
S0647 | Turian |
Turian can store copied files in a specific directory prior to exfiltration.[8] |
S0386 | Ursnif |
Ursnif has used tmp files to stage gathered information.[79] |
S0136 | USBStealer |
USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.[80][81] |
S0251 | Zebrocy |
Zebrocy stores all collected information in a single file before exfiltration.[82] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
File Creation |
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.