Description
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
Platforms
Threat Groups (28)
| ID | Group | Context |
|---|---|---|
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has locally staged captured credentials for subsequent manual exfiltration.(Citation: rapid7-email... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has locally staged encrypted archives for later exfiltration efforts.(Citation: SecureWorks... |
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has collected stolen files in a temporary folder in preparation for exfiltration.(Citation: ATT Si... |
| G0053 | FIN5 | [FIN5](https://attack.mitre.org/groups/G0053) scripts save memory dump data into a specific directory on hosts in the victim environment.(Citation: Ma... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) copied all targeted files to a directory called index that was eventually uploaded to the C&C serve... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has staged collected documents of interest in `C:\Users\Public folder`.(Citation: Palo Alto Ashen Lepus... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has staged captured credentials in `var/log/ldapd<unique_keyword>.2.gz`.(Citation: Google Cloud Mand... |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has staged data on compromised systems prior to exfiltration often in `C:\Users\Public`.(Citation: Mandi... |
| G0030 | Lotus Blossom | [Lotus Blossom](https://attack.mitre.org/groups/G0030) has locally staged compressed and archived data for follow-on exfiltration.(Citation: Cisco Lot... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has aggregated collected credentials in text files before exfiltrating.(Citation: Cisco Talos Intelli... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has stored collected data in a .tmp file.(Citation: Symantec WastedLocker June 2020) |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) has used the folder, <code>C:\\windows\\temp\\s\\</code>, to stage data for exfiltration.(Citation: Un... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia saves information gathered about the victim to a file that is saved in the %... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has staged stolen data locally on compromised hosts.(Citation: NCC Group Chimera January 2021) |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has stored a decoy PDF file within a victim's `%temp%` folder.(Citation: Talos MuddyWater Jan 2022... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has been known to stage files for exfiltration in a single location.(Citation: aptsim) |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has staged ZIP files in local directories such as, `C:\PerfLogs\1\` and `C:\User\1\` prior to e... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has staged collected data files under <code>C:\Program Files\Common Files\System\Ole DB\</code>.(Cita... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has utilized tools to aggregate data prior to exfiltration.(Citation: FBI FLASH APT39 September 2020) |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.(Citation... |
Associated Software (94)
| ID | Name | Type | Context |
|---|---|---|---|
| S0264 | OopsIE | Malware | [OopsIE](https://attack.mitre.org/software/S0264) stages the output from command execution and collected files in specific folders before exfiltration... |
| S1029 | AuTo Stealer | Malware | [AuTo Stealer](https://attack.mitre.org/software/S1029) can store collected data from an infected host to a file named `Hostname_UserName.txt` prior t... |
| S1149 | CHIMNEYSWEEP | Malware | [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can store captured screenshots to disk including to a covert store named `APPX.%x%x%x%x%x.tmp`... |
| S1110 | SLIGHTPULSE | Malware | [SLIGHTPULSE](https://attack.mitre.org/software/S1110) has piped the output from executed commands to `/tmp/1`.(Citation: Mandiant Pulse Secure Zero-D... |
| S0567 | Dtrack | Malware | [Dtrack](https://attack.mitre.org/software/S0567) can save collected data to disk, different file formats, and network shares.(Citation: Securelist Dt... |
| S1196 | Troll Stealer | Malware | [Troll Stealer](https://attack.mitre.org/software/S1196) encrypts gathered information on victim devices prior to exfiltrating it through command and ... |
| S1015 | Milan | Malware | [Milan](https://attack.mitre.org/software/S1015) has saved files prior to upload from a compromised host to folders beginning with the characters `a98... |
| S0247 | NavRAT | Malware | [NavRAT](https://attack.mitre.org/software/S0247) writes multiple outputs to a TMP file using the >> method.(Citation: Talos NavRAT May 2018) |
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) has used tmp files to stage gathered information.(Citation: TrendMicro Ursnif Mar 2015) |
| S1044 | FunnyDream | Malware | [FunnyDream](https://attack.mitre.org/software/S1044) can stage collected information including screen captures and logged keystrokes locally.(Citatio... |
| S9020 | LODEINFO | Malware | [LODEINFO](https://attack.mitre.org/software/S9020) has collected stolen web cookies locally in the `%TEMP%` folder.(Citation: ESET MirrorFace DEC 202... |
| S0024 | Dyre | Malware | [Dyre](https://attack.mitre.org/software/S0024) has the ability to create files in a TEMP folder to act as a database to store information.(Citation: ... |
| S0337 | BadPatch | Malware | [BadPatch](https://attack.mitre.org/software/S0337) stores collected data in log files before exfiltration.(Citation: Unit 42 BadPatch Oct 2017) |
| S0673 | DarkWatchman | Malware | [DarkWatchman](https://attack.mitre.org/software/S0673) can stage local data in the Windows Registry.(Citation: Prevailion DarkWatchman 2021) |
| S1059 | metaMain | Malware | [metaMain](https://attack.mitre.org/software/S1059) has stored the collected system files in a working directory.(Citation: SentinelLabs Metador Sept ... |
| S1060 | Mafalda | Malware | [Mafalda](https://attack.mitre.org/software/S1060) can place retrieved files into a destination directory.(Citation: SentinelLabs Metador Sept 2022) |
| S9036 | LP-Notes | Malware | [LP-Notes](https://attack.mitre.org/software/S9036) has stored collected credentials in ` C:\Users\Public\Downloads\lp-notes.txt`.(Citation: ESET_Mudd... |
| S1016 | MacMa | Malware | [MacMa](https://attack.mitre.org/software/S1016) has stored collected files locally before exfiltration.(Citation: Objective-See MacMa Nov 2021) |
| S0335 | Carbon | Malware | [Carbon](https://attack.mitre.org/software/S0335) creates a base directory that contains the files and folders that are collected.(Citation: ESET Carb... |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) can stage data prior to exfiltration in <code>%APPDATA%\Microsoft\UserSetting</code> and <code>%APPD... |
References
Frequently Asked Questions
What is T1074.001 (Local Data Staging)?
T1074.001 is a MITRE ATT&CK technique named 'Local Data Staging'. It belongs to the Collection tactic(s). Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such...
How can T1074.001 be detected?
Detection of T1074.001 (Local Data Staging) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1074.001?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1074.001?
Known threat groups using T1074.001 include: Storm-1811, Threat Group-3390, Sidewinder, FIN5, Patchwork, WIRTE, UNC3886, APT5.