Collection

T1074: Data Staged

T1074 · Technique · 5 platforms · 5 groups

Description

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. (Citation: PWC Cloud Hopper April 2017)

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance. (Citation: Mandiant M-Trends 2020)

Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

Platforms

ESXi, IaaS, Linux, macOS, Windows

Sub-Techniques (2)

Threat Groups (5)

| ID | Group | Context |
| --- | --- | --- |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has collected and staged credentials and network enumeration information, using the networkdll... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has staged collected data in password-protected archives. (Citation: Microsoft Volt Typhoon May 2... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has staged compressed files in specified locations prior to exfiltration over C2. (Citation: FB... |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has staged data on compromised hosts prior to exfiltration. (Citation: Huntress INC Ransom Group Au... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) stages data in a centralized database prior to exfiltration. (Citation: CISA Scattered Spider... |

Associated Software (4)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0641 | Kobalos | Malware | [Kobalos](https://attack.mitre.org/software/S0641) can write captured SSH connection credentials to a file under the `/var/run` directory w... |
| S1020 | Kevin | Malware | [Kevin](https://attack.mitre.org/software/S1020) can create directories to store logs and other collected data. (Citation: Kaspersky Lyceum October 202... |
| S1076 | QUIETCANARY | Malware | [QUIETCANARY](https://attack.mitre.org/software/S1076) has the ability to stage data prior to exfiltration. (Citation: Mandiant Suspected Turla Campaig... |
| S1019 | Shark | Malware | [Shark](https://attack.mitre.org/software/S1019) has stored information in folders named `U1` and `U2` prior to exfiltration. (Citation: ClearSky Siame... |

Frequently Asked Questions

What is T1074 (Data Staged)?

T1074 is a MITRE ATT&CK technique named 'Data Staged'. It belongs to the Collection tactic. Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collecte...

How can T1074 be detected?

Detection of T1074 (Data Staged) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
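The staging pattern in the description (cmd or bash copy commands funnelling files from many places into one directory, optionally followed by archiving) can be hunted in process-creation telemetry. The sketch below is an added example, not part of the ATT&CK entry; the event fields (`ts`, `host`, `user`, `cmd`), the thresholds, the tool lists and the sample events are constructed assumptions.

```python
import shlex
from collections import defaultdict

COPY_TOOLS = {"cp": "-", "copy": "/", "xcopy": "/"}  # tool -> its switch prefix
ARCHIVERS = {"tar", "zip", "7z", "rar"}              # assumed archiver names

def parent(path):
    cut = max(path.rfind("/"), path.rfind("\\"))     # Windows or POSIX separator
    return path[:cut] if cut > 0 else path

def find_staging(events, min_sources=3, window=600):
    """One finding per (host, user, dest) fed from >= min_sources dirs in `window` s."""
    copies, archives = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        tok = shlex.split(ev["cmd"], posix=False)    # posix=False keeps backslashes
        tool = tok[0].lower() if tok else ""
        if tool in COPY_TOOLS:
            args = [t for t in tok[1:] if not t.startswith(COPY_TOOLS[tool])]
            dest = args[-1].rstrip("\\/") if len(args) >= 2 else None
            for src in (args[:-1] if dest else []):
                copies[(ev["host"], ev["user"], dest)].append((ev["ts"], parent(src)))
        elif tool in ARCHIVERS:
            archives.append((ev["host"], ev["ts"], tok[1:]))
    findings = []
    for (host, user, dest), rows in copies.items():
        for ts, _ in rows:
            srcs = {s for t, s in rows if ts - window <= t <= ts}
            if len(srcs) >= min_sources:
                # Archiver run on the same host, after the burst, naming the directory
                archived = any(h == host and t >= ts and any(a.startswith(dest) for a in av)
                               for h, t, av in archives)
                findings.append({"host": host, "user": user, "staging_dir": dest,
                                 "sources": sorted(srcs), "archived": archived})
                break
    return findings

# Constructed process-creation events (not real telemetry).
SAMPLE = [
    {"ts": 50, "host": "web03", "user": "www", "cmd": "cp /srv/share/sales/leads.csv /var/tmp/.c/"},
    {"ts": 90, "host": "web03", "user": "www", "cmd": "cp -r /srv/share/legal/contracts /var/tmp/.c/"},
    {"ts": 130, "host": "web03", "user": "www", "cmd": "cp /opt/app/conf/db.yml /var/tmp/.c/"},
    {"ts": 100, "host": "ws01", "user": "alice", "cmd": r"copy C:\Users\alice\Documents\plan.docx C:\ProgramData\stage"},
    {"ts": 160, "host": "ws01", "user": "alice", "cmd": r"copy /Y C:\Finance\q3.xlsx C:\ProgramData\stage"},
    {"ts": 220, "host": "ws01", "user": "alice", "cmd": r"xcopy /E C:\HR\reviews C:\ProgramData\stage"},
    {"ts": 400, "host": "ws01", "user": "alice", "cmd": r"7z a C:\ProgramData\out.7z C:\ProgramData\stage\*"},
    {"ts": 100, "host": "db02", "user": "svc", "cmd": "cp /etc/hosts /tmp/work"},
    {"ts": 5000, "host": "db02", "user": "svc", "cmd": "cp -r /srv/app/conf /tmp/work"},
    {"ts": 9000, "host": "db02", "user": "svc", "cmd": "cp /opt/tool/run.log /tmp/work"},
]
```

On the sample, `find_staging(SAMPLE)` flags `ws01` (with `archived` set) and `web03`, while `db02` is not flagged because its copies fall outside the 600-second window.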

What mitigations exist for T1074?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1074?

Known threat groups using T1074 include: Wizard Spider, Volt Typhoon, VOID MANTICORE, INC Ransom, Scattered Spider.