Skip to content

T1074 Data Staged

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.2

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.1

Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

Item Value
ID T1074
Sub-techniques T1074.001, T1074.002
Tactics TA0009
Platforms IaaS, Linux, Windows, macOS
Version 1.4
Created 31 May 2017
Last Modified 20 July 2022

Procedure Examples

ID Name Description
S1020 Kevin Kevin can create directories to store logs and other collected data.4
S0641 Kobalos Kobalos can write captured SSH connection credentials to a file under the /var/run directory with a .pid extension for exfiltration.5
S1019 Shark Shark has stored information in folders named U1 and U2 prior to exfiltration.3
G0102 Wizard Spider Wizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin TrickBot modules.6


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0024 Windows Registry Windows Registry Key Modification