T1074.001 Local Data Staging
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.[1]
Item | Value |
---|---|
ID | T1074.001 |
Sub-techniques | T1074.001, T1074.002 |
Tactics | TA0009 |
Platforms | Linux, Windows, macOS |
Version | 1.1 |
Created | 13 March 2020 |
Last Modified | 21 April 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0045 | ADVSTORESHELL | ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.[33] |
S0622 | AppleSeed | AppleSeed can stage files in a central location prior to exfiltration.[40] |
G0007 | APT28 | APT28 has stored captured credential information in a file named pi.log.[77] |
G0022 | APT3 | APT3 has been known to stage files for exfiltration in a single location.[71] |
G0087 | APT39 | APT39 has utilized tools to aggregate data prior to exfiltration.[82] |
S0373 | Astaroth | Astaroth collects data in a plaintext file named r1.log before exfiltration.[25] |
S0438 | Attor | Attor has staged collected data in a central upload directory prior to exfiltration.[32] |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has copied files of interest to the main drive’s recycle bin.[61] |
S0128 | BADNEWS | BADNEWS copies documents under 15MB found on the victim system to the user’s %temp%\SMB\ folder. It also copies files from USB devices to a predefined directory.[44][45] |
S0337 | BadPatch | BadPatch stores collected data in log files before exfiltration.[36] |
S0651 | BoxCaon | BoxCaon has created a working folder for collected files that it sends to the C2 server.[24] |
S0274 | Calisto | Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.[30][31] |
S0335 | Carbon | Carbon creates a base directory that contains the files and folders that are collected.[13] |
S0261 | Catchamas | Catchamas stores the gathered data from the machine in .db files and .bmp files under four separate locations.[20] |
G0114 | Chimera | Chimera has staged stolen data locally on compromised hosts.[63] |
S0538 | Crutch | Crutch has staged stolen files in the C:\AMD\Temp directory.[7] |
S0673 | DarkWatchman | DarkWatchman can stage local data in the Windows Registry.[1] |
G0035 | Dragonfly | Dragonfly has created a directory named “out” in the user’s %AppData% folder and copied files to it.[83] |
S0567 | Dtrack | Dtrack can save collected data to disk, different file formats, and network shares.[55][56] |
S0038 | Duqu | Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.[54] |
S0062 | DustySky | DustySky created folders in temp directories to host collected files before exfiltration.[34] |
S0024 | Dyre | Dyre has the ability to create files in a TEMP folder to act as a database to store information.[53] |
S0593 | ECCENTRICBANDWAGON | ECCENTRICBANDWAGON has stored keystrokes and screenshots within the %temp%\GoogleChrome, %temp%\Downloads, and %temp%\TrendMicroUpdate directories.[28] |
S0081 | Elise | Elise creates a file in AppData\Local\Microsoft\Windows\Explorer and stores all harvested data in that file.[2] |
S0343 | Exaramel for Windows | Exaramel for Windows specifies a path to store files scheduled for exfiltration.[21] |
G0053 | FIN5 | FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.[80] |
S0036 | FLASHFLOOD | FLASHFLOOD stages data it copies from the local system or removable drives in the “%WINDIR%\$NtUninstallKB885884$” directory.[9] |
S0503 | FrameworkPOS | FrameworkPOS can identify payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows.[12] |
G0093 | GALLIUM | GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.[74] |
S0249 | Gold Dragon | Gold Dragon stores information gathered from the endpoint in a file named 1.hwp.[18] |
S0170 | Helminth | Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.[62] |
G0072 | Honeybee | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[79] |
G0119 | Indrik Spider | Indrik Spider has stored collected data in a .tmp file.[72] |
S0260 | InvisiMole | InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.[42][43] |
S0265 | Kazuar | Kazuar stages command output and collected data in files before exfiltration.[4] |
S0526 | KGH_SPY | KGH_SPY can save collected system information to a file named “info” before exfiltration.[60] |
G0094 | Kimsuky | Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\.[69][70] |
G0032 | Lazarus Group | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.[65][66] |
G0065 | Leviathan | Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.[75][76] |
S0395 | LightNeuron | LightNeuron can store email data in files and directories specified in its configuration, such as C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\.[5] |
S0409 | Machete | Machete stores files and logs in a folder on the local drive.[10][11] |
S0652 | MarkiRAT | MarkiRAT can store collected data locally in a created .nfo file.[37] |
G0045 | menuPass | menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.[81] |
S0443 | MESSAGETAP | MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system.[52] |
S0149 | MoonWind | MoonWind saves information from its keylogging routine as a .zip file in the present working directory.[6] |
G0129 | Mustang Panda | Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.[67][68] |
S0247 | NavRAT | NavRAT writes multiple outputs to a TMP file using the >> method.[50] |
S0198 | NETWIRE | NETWIRE has the ability to write collected data to a file created in the ./LOGS directory.[38] |
S0353 | NOKKI | NOKKI can collect data from the victim and stage it in LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.[22] |
S0644 | ObliqueRAT | ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories.[14] |
S0340 | Octopus | Octopus has stored collected information in the Application Data directory on a compromised host.[46][47] |
S0264 | OopsIE | OopsIE stages the output from command execution and collected files in specific folders before exfiltration.[49] |
G0116 | Operation Wocao | Operation Wocao has staged archived files in a temporary directory prior to exfiltration.[78] |
G0040 | Patchwork | Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.[45] |
S0012 | PoisonIvy | PoisonIvy stages collected data in a text file.[39] |
S0113 | Prikormka | Prikormka creates a directory, %USERPROFILE%\AppData\Local\SKC\, which is used to store collected log files.[23] |
S0147 | Pteranodon | Pteranodon creates various subdirectories under %Temp%\reports\% and copies files to those subdirectories. It also creates a folder at C:\Users\ to store screenshot JPEG files.[3] |
S0196 | PUNCHBUGGY | PUNCHBUGGY has saved information to a random temp file before exfil.[15] |
S0197 | PUNCHTRACK | PUNCHTRACK aggregates collected data in a tmp file.[29] |
S0650 | QakBot | QakBot has stored stolen emails and other data into new folders prior to exfiltration.[19] |
S0629 | RainyDay | RainyDay can use a file exfiltration tool to copy files to C:\ProgramData\Adobe\temp prior to exfiltration.[57] |
S0458 | Ramsay | Ramsay can stage data prior to exfiltration in %APPDATA%\Microsoft\UserSetting and %APPDATA%\Microsoft\UserSetting\MediaCache.[26][27] |
S0169 | RawPOS | Data captured by RawPOS is placed in a temporary file under a directory named “memdump”.[51] |
S0090 | Rover | Rover copies files from removable drives to C:\system.[41] |
G0121 | Sidewinder | Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.[73] |
S0615 | SombRAT | SombRAT can store harvested data in a custom database under the %TEMP% directory.[8] |
S0035 | SPACESHIP | SPACESHIP identifies files with certain extensions and copies them to a directory in the user’s profile.[9] |
G0088 | TEMP.Veles | TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.[84] |
G0027 | Threat Group-3390 | Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.[64] |
S0094 | Trojan.Karagany | Trojan.Karagany can create directories to store plugin output and stage data for exfiltration.[16][17] |
S0647 | Turian | Turian can store copied files in a specific directory prior to exfiltration.[61] |
S0386 | Ursnif | Ursnif has used tmp files to stage gathered information.[35] |
S0136 | USBStealer | USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.[58][59] |
S0251 | Zebrocy | Zebrocy stores all collected information in a single file before exfiltration.[48] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
DS0024 | Windows Registry | Windows Registry Key Modification |
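As an added illustration that is not part of the ATT&CK page, the sketch below applies those three data sources to constructed file and registry events: a burst of distinct files written by one process into a known staging directory, an archive dropped into the Recycle Bin (the GALLIUM/menuPass pattern above), and a large registry value written by an unexpected process (the DarkWatchman pattern). The directory list comes from the procedure examples; the thresholds, the process allowlist and the sample events are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Staging directories taken from the procedure examples above; paths are
# lower-cased and backslashes turned into slashes before matching.
SUSPECT_DIRS = ("/appdata/local/temp/", "/$recycle.bin/", "/windows/temp/",
                "/windows/debug/", "/perflogs/", "/programdata/adobe/temp/")
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z|cab|part\d+\.rar|\d{3})$")  # plain and multi-part archives
BURST_THRESHOLD = 8                   # assumed: distinct files into one suspect dir ...
BURST_WINDOW = timedelta(minutes=5)   # ... by one process inside this window
REG_BLOB_MIN = 4096                   # assumed: value size that looks like data, not a setting
REG_WRITERS_OK = {"regedit.exe", "msiexec.exe"}  # assumed allowlist; tune per environment

def norm(path):
    return path.lower().replace("\\", "/")

def suspect_dir(path):
    """Return the staging-directory pattern the path falls under, or None."""
    p = norm(path)
    return next((d for d in SUSPECT_DIRS if d in p), None)

def detect(events):
    """Run the three rules over an event stream; return (rule, image, detail) tuples."""
    alerts, writes = [], defaultdict(list)   # writes: (image, dir) -> [(ts, filename)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] == "FileCreate":
            d = suspect_dir(ev["path"])
            if d is None:
                continue
            name = norm(ev["path"]).rsplit("/", 1)[-1]
            # Rule 1: archive (single or multi-part) created inside the Recycle Bin
            if d == "/$recycle.bin/" and ARCHIVE_RE.search(name):
                alerts.append(("archive_in_recycle_bin", ev["image"], ev["path"]))
            # Rule 2: one process writing many distinct files into a staging dir in a short window
            key = (ev["image"], d)
            writes[key] = [w for w in writes[key] if ev["ts"] - w[0] <= BURST_WINDOW]
            writes[key].append((ev["ts"], name))
            if len({w[1] for w in writes[key]}) == BURST_THRESHOLD:   # fire as the threshold is crossed
                alerts.append(("staging_burst", ev["image"], f"{BURST_THRESHOLD} files into {d}"))
        # Rule 3: large registry value set by a process that is not an expected registry writer
        elif (ev["op"] == "RegistryValueSet" and ev["size"] >= REG_BLOB_MIN
              and ev["image"].lower() not in REG_WRITERS_OK):
            alerts.append(("registry_blob", ev["image"], f'{ev["path"]} ({ev["size"]} bytes)'))
    return alerts

def event(ts, image, op, path, size=0):
    """Build one normalised telemetry record (Sysmon-like fields, constructed for the demo)."""
    return {"ts": datetime.fromisoformat(ts), "image": image, "op": op, "path": path, "size": size}

# Constructed sample telemetry; not taken from any real incident.
SAMPLE = [event(f"2022-04-21T09:00:{i * 5:02d}", "wscript.exe", "FileCreate",
                rf"C:\Users\alice\AppData\Local\Temp\out\doc{i}.docx") for i in range(8)]
SAMPLE += [
    event("2022-04-21T09:05:00", "explorer.exe", "FileCreate", r"C:\Users\alice\AppData\Local\Temp\a.tmp"),
    event("2022-04-21T09:06:00", "cmd.exe", "FileCreate", r"C:\$Recycle.Bin\S-1-5-21-0\data.part1.rar"),
    event("2022-04-21T09:07:00", "powershell.exe", "RegistryValueSet", r"HKCU\Software\Demo\Blob", size=65536),
]

if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE):
        print(f"{rule:24} {image:16} {detail}")
```

The single explorer.exe write into Temp stays below the burst threshold and produces nothing, which is the point of counting distinct files per process rather than alerting on any write to a temp directory.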
References
[1] Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
[2] Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
[3] Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
[4] Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
[5] Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
[6] Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
[7] Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
[8] The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
[9] FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
[10] ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
[11] The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
[12] FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
[13] ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
[14] Malhotra, A. (2021, March 2). https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html. Retrieved September 2, 2021.
[15] Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
[16] Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
[17] Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
[18] Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
[19] Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
[20] Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
[21] Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
[22] Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
[23] Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
[24] CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
[25] Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
[26] Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
[27] Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021.
[28] Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
[29] Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
[30] Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
[31] Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
[32] Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
[33] ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
[34] GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
[35] Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
[36] Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
[37] GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
[38] Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing. Retrieved January 7, 2021.
[39] Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
[40] Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
[41] Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
[42] Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
[43] Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
[44] Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
[45] Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
[46] Kaspersky Lab’s Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
[47] Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
[48] ESET. (2018, November 20). Sednit: What’s going on with Zebrocy? Retrieved February 12, 2019.
[49] Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
[51] Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
[52] Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages? Retrieved May 11, 2020.
[53] hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
[54] Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
[55] Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
[56] Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
[57] Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
[58] Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
[59] Kaspersky Lab’s Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
[60] Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
[61] Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
[62] Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
[63] Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
[64] Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
[65] Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
[66] Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
[67] Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
[68] Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
[69] CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
[70] An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
[71] valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
[72] Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
[73] Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
[74] Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
[75] FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
[76] CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
[77] Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
[78] Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
[79] Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
[80] Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
[81] PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
[82] FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
[83] US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
[84] Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.