T1074 Data Staged
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.2
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.1
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
| Item | Value |
|---|---|
| ID | T1074 |
| Sub-techniques | T1074.001, T1074.002 |
| Tactics | TA0009 |
| Platforms | ESXi, IaaS, Linux, Windows, macOS |
| Version | 1.5 |
| Created | 31 May 2017 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G1032 | INC Ransom | INC Ransom has staged data on compromised hosts prior to exfiltration.109 |
| S1020 | Kevin | Kevin can create directories to store logs and other collected data.4 |
| S0641 | Kobalos | Kobalos can write captured SSH connection credentials to a file under the /var/run directory with a .pid extension for exfiltration.3 |
| S1076 | QUIETCANARY | QUIETCANARY has the ability to stage data prior to exfiltration.5 |
| G1015 | Scattered Spider | Scattered Spider stages data in a centralized database prior to exfiltration.11 |
| S1019 | Shark | Shark has stored information in folders named U1 and U2 prior to exfiltration.6 |
| G1017 | Volt Typhoon | Volt Typhoon has staged collected data in password-protected archives.8 |
| G0102 | Wizard Spider | Wizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin TrickBot modules.7 |
References
-
Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024. ↩
-
PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. ↩
-
M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021. ↩
-
Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. ↩
-
Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. ↩
-
ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. ↩
-
John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. ↩
-
Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023. ↩
-
SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024. ↩
-
Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024. ↩
-
CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024. ↩