Data Staged: Local Data Staging

ID Name
T1074.001 Local Data Staging
T1074.002 Remote Data Staging

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.[1]

ID: T1074.001
Sub-technique of:  T1074
Tactic: Collection
Platforms: Linux, Windows, macOS
Contributors: Massimiliano Romano, BT Security
Version: 1.1
Created: 13 March 2020
Last Modified: 21 April 2022

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL

ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.[2]

S0622 AppleSeed

AppleSeed can stage files in a central location prior to exfiltration.[3]

G0007 APT28

APT28 has stored captured credential information in a file named pi.log.[4]

G0022 APT3

APT3 has been known to stage files for exfiltration in a single location.[5]

G0087 APT39

APT39 has utilized tools to aggregate data prior to exfiltration.[6]

S0373 Astaroth

Astaroth collects data in a plaintext file named r1.log before exfiltration. [7]

S0438 Attor

Attor has staged collected data in a central upload directory prior to exfiltration.[8]

G0135 BackdoorDiplomacy

BackdoorDiplomacy has copied files of interest to the main drive's recycle bin.[9]

S0128 BADNEWS

BADNEWS copies documents under 15MB found on the victim system to is the user's %temp%\SMB\ folder. It also copies files from USB devices to a predefined directory.[10][11]

S0337 BadPatch

BadPatch stores collected data in log files before exfiltration.[12]

S0651 BoxCaon

BoxCaon has created a working folder for collected files that it sends to the C2 server.[13]

S0274 Calisto

Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.[14][15]

S0335 Carbon

Carbon creates a base directory that contains the files and folders that are collected.[16]

S0261 Catchamas

Catchamas stores the gathered data from the machine in .db files and .bmp files under four separate locations.[17]

G0114 Chimera

Chimera has staged stolen data locally on compromised hosts.[18]

S0538 Crutch

Crutch has staged stolen files in the C:\AMD\Temp directory.[19]

S0673 DarkWatchman

DarkWatchman can stage local data in the Windows Registry.[1]

G0035 Dragonfly

Dragonfly has created a directory named "out" in the user's %AppData% folder and copied files to it.[20]

S0567 Dtrack

Dtrack can save collected data to disk, different file formats, and network shares.[21][22]

S0038 Duqu

Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.[23]

S0062 DustySky

DustySky created folders in temp directories to host collected files before exfiltration.[24]

S0024 Dyre

Dyre has the ability to create files in a TEMP folder to act as a database to store information.[25]

S0593 ECCENTRICBANDWAGON

ECCENTRICBANDWAGON has stored keystrokes and screenshots within the %temp%\GoogleChrome, %temp%\Downloads, and %temp%\TrendMicroUpdate directories.[26]

S0081 Elise

Elise creates a file in AppData\Local\Microsoft\Windows\Explorer and stores all harvested data in that file.[27]

S0343 Exaramel for Windows

Exaramel for Windows specifies a path to store files scheduled for exfiltration.[28]

G0053 FIN5

FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.[29]

S0036 FLASHFLOOD

FLASHFLOOD stages data it copies from the local system or removable drives in the "%WINDIR%\$NtUninstallKB885884$\" directory.[30]

S0503 FrameworkPOS

FrameworkPOS can identifiy payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows.[31]

G0093 GALLIUM

GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.[32]

S0249 Gold Dragon

Gold Dragon stores information gathered from the endpoint in a file named 1.hwp.[33]

S0170 Helminth

Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.[34]

G0072 Honeybee

Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server.[35]

G0119 Indrik Spider

Indrik Spider has stored collected date in a .tmp file.[36]

S0260 InvisiMole

InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.[37][38]

S0265 Kazuar

Kazuar stages command output and collected data in files before exfiltration.[39]

S0526 KGH_SPY

KGH_SPY can save collected system information to a file named "info" before exfiltration.[40]

G0094 Kimsuky

Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\.[41][42]

G0032 Lazarus Group

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.[43][44]

G0065 Leviathan

Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.[45][46]

S0395 LightNeuron

LightNeuron can store email data in files and directories specified in its configuration, such as C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\.[47]

S0409 Machete

Machete stores files and logs in a folder on the local drive.[48][49]

S0652 MarkiRAT

MarkiRAT can store collected data locally in a created .nfo file.[50]

G0045 menuPass

menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.[51]

S0443 MESSAGETAP

MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system.[52]

S0149 MoonWind

MoonWind saves information from its keylogging routine as a .zip file in the present working directory.[53]

G0129 Mustang Panda

Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.[54][55]

S0247 NavRAT

NavRAT writes multiple outputs to a TMP file using the >> method.[56]

S0198 NETWIRE

NETWIRE has the ability to write collected data to a file created in the ./LOGS directory.[57]

S0353 NOKKI

NOKKI can collect data from the victim and stage it in LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.[58]

S0644 ObliqueRAT

ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories.[59]

S0340 Octopus

Octopus has stored collected information in the Application Data directory on a compromised host.[60][61]

S0264 OopsIE

OopsIE stages the output from command execution and collected files in specific folders before exfiltration.[62]

G0116 Operation Wocao

Operation Wocao has staged archived files in a temporary directory prior to exfiltration.[63]

G0040 Patchwork

Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.[11]

S0012 PoisonIvy

PoisonIvy stages collected data in a text file.[64]

S0113 Prikormka

Prikormka creates a directory, %USERPROFILE%\AppData\Local\SKC\, which is used to store collected log files.[65]

S0147 Pteranodon

Pteranodon creates various subdirectories under %Temp%\reports\% and copies files to those subdirectories. It also creates a folder at C:\Users\\AppData\Roaming\Microsoft\store to store screenshot JPEG files.[66]

S0196 PUNCHBUGGY

PUNCHBUGGY has saved information to a random temp file before exfil.[67]

S0197 PUNCHTRACK

PUNCHTRACK aggregates collected data in a tmp file.[68]

S0650 QakBot

QakBot has stored stolen emails and other data into new folders prior to exfiltration.[69]

S0629 RainyDay

RainyDay can use a file exfiltration tool to copy files to C:\ProgramData\Adobe\temp prior to exfiltration.[70]

S0458 Ramsay

Ramsay can stage data prior to exfiltration in %APPDATA%\Microsoft\UserSetting and %APPDATA%\Microsoft\UserSetting\MediaCache.[71][72]

S0169 RawPOS

Data captured by RawPOS is placed in a temporary file under a directory named "memdump".[73]

S0090 Rover

Rover copies files from removable drives to C:\system.[74]

G0121 Sidewinder

Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.[75]

S0615 SombRAT

SombRAT can store harvested data in a custom database under the %TEMP% directory.[76]

S0035 SPACESHIP

SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.[30]

G0088 TEMP.Veles

TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.[77]

G0027 Threat Group-3390

Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.[78]

S0094 Trojan.Karagany

Trojan.Karagany can create directories to store plugin output and stage data for exfiltration.[79][80]

S0647 Turian

Turian can store copied files in a specific directory prior to exfiltration.[9]

S0386 Ursnif

Ursnif has used tmp files to stage gathered information.[81]

S0136 USBStealer

USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.[82][83]

S0251 Zebrocy

Zebrocy stores all collected information in a single file before exfiltration.[84]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
File Creation
DS0024 Windows Registry Windows Registry Key Modification

Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.

Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.

References

  1. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  2. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  3. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  4. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  5. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  6. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  7. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  8. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  9. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  10. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  11. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  12. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  13. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  14. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  15. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  16. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  17. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  18. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  19. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  20. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  21. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  22. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  23. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  24. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  25. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
  26. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  27. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  28. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  29. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  30. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  31. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  32. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  33. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  34. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  35. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  36. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  37. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  38. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  39. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  40. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  41. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  42. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  1. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  2. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  3. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  4. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department.. Retrieved August 12, 2021.
  5. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  6. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  7. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  8. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  9. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  10. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  11. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  12. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  13. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  14. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  15. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  16. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  17. Malhotra, A. (2021, March 2). https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html. Retrieved September 2, 2021.
  18. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  19. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  20. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  21. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  22. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  23. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  24. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  25. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  26. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  27. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  28. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  29. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  30. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  31. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
  32. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  33. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  34. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  35. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  36. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  37. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  38. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  39. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  40. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  41. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  42. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.