Collection

T1074.002: Remote Data Staging

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through...

T1074.002 · Sub-technique · 5 platforms · 11 groups

Description

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.(Citation: Mandiant M-Trends 2020)

By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.

Platforms

ESXi, IaaS, Linux, macOS, Windows

Threat Groups (11)

| ID | Group | Context |
| --- | --- | --- |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has staged stolen data on designated servers in the target environment.(Citation: NCC Group Chimera J... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has gathered data and files of interest on a single victim machine.(Citation: Trend Micro Earth Ka... |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) staged collected email archives in the public web directory of a website that was accessible from ... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has staged data on remote MSP systems or other victim networks prior to exfiltration.(Citation: PWC ... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) aggregates staged data from a network into a single location.(Citation: FireEye Know Your Enemy FIN8 Aug... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has staged data remotely prior to exfiltration.(Citation: CISA AA21-200A APT40 July 2021) |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has staged archives of collected data on a target's Outlook Web Access (OWA) server.(Citation: Cybersec... |
| G1019 | MoustachedBouncer | [MoustachedBouncer](https://attack.mitre.org/groups/G1019) has used plugins to save captured screenshots to `.\AActdata\` on an SMB share.(Citation: M... |
| G1022 | ToddyCat | [ToddyCat](https://attack.mitre.org/groups/G1022) manually transferred collected files to an exfiltration host using xcopy.(Citation: Kaspersky ToddyC... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) actors have compressed data from remote systems and moved it to another staging system before exfiltrati... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has moved staged encrypted archives to Internet-facing servers that had previously been com... |

Associated Software (1)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S1043 | ccf32 | Malware | [ccf32](https://attack.mitre.org/software/S1043) has copied files to a remote machine infected with [Chinoxy](https://attack.mitre.org/software/S1041)... |

Frequently Asked Questions

What is T1074.002 (Remote Data Staging)?

T1074.002 is a MITRE ATT&CK technique named 'Remote Data Staging'. It belongs to the Collection tactic(s). Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through...

How can T1074.002 be detected?

Detection of T1074.002 (Remote Data Staging) typically involves monitoring system logs, network traffic, and endpoint telemetry for the behaviours in the description: many hosts writing files into one directory on a single system, archives being created in that directory, and interactive cmd or bash sessions copying data to a staging location. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1074.002?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1074.002?

Known threat groups using T1074.002 include: Chimera, MirrorFace, Sea Turtle, menuPass, FIN8, Leviathan, APT28, MoustachedBouncer.