T1074.002 Remote Data Staging
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.1
By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.
Item | Value |
---|---|
ID | T1074.002 |
Sub-techniques | T1074.001, T1074.002 |
Tactics | TA0009 |
Platforms | IaaS, Linux, Windows, macOS |
Version | 1.1 |
Created | 13 March 2020 |
Last Modified | 08 March 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0007 | APT28 | APT28 has staged archives of collected data on a target’s Outlook Web Access (OWA) server.6 |
S1043 | ccf32 | ccf32 has copied files to a remote machine infected with Chinoxy or another backdoor.2 |
G0114 | Chimera | Chimera has staged stolen data on designated servers in the target environment.4 |
G0037 | FIN6 | FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.5 |
G0061 | FIN8 | FIN8 aggregates staged data from a network into a single location.10 |
G0065 | Leviathan | Leviathan has staged data remotely prior to exfiltration.9 |
G0045 | menuPass | menuPass has staged data on remote MSP systems or other victim networks prior to exfiltration.78 |
C0002 | Night Dragon | During Night Dragon, threat actors copied files to company web servers and subsequently downloaded them.11 |
C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 staged data and files in password-protected archives on a victim’s OWA server.12 |
G0027 | Threat Group-3390 | Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration.3 |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
References
-
Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. ↩
-
Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. ↩
-
Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. ↩
-
Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. ↩
-
FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. ↩
-
NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. ↩
-
PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. ↩
-
Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. ↩
-
CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. ↩
-
Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. ↩
-
McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. ↩
-
Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. ↩