Data Staged: Local Data Staging
Other sub-techniques of Data Staged (2)
ID | Name |
---|---|
T1074.001 | Local Data Staging |
T1074.002 | Remote Data Staging |
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
Procedure Examples
Name | Description |
---|---|
ADVSTORESHELL |
ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.[1] |
APT28 |
APT28 has stored captured credential information in a file named pi.log.[2] |
APT3 |
APT3 has been known to stage files for exfiltration in a single location.[3] |
Astaroth |
Astaroth collects data in a plaintext file named r1.log before exfiltration. [4] |
Attor |
Attor has staged collected data in a central upload directory prior to exfiltration.[5] |
BADNEWS |
BADNEWS copies documents under 15MB found on the victim system to is the user's |
BadPatch |
BadPatch stores collected data in log files before exfiltration.[8] |
Calisto |
Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.[9][10] |
Carbon |
Carbon creates a base directory that contains the files and folders that are collected.[11] |
Catchamas |
Catchamas stores the gathered data from the machine in .db files and .bmp files under four separate locations.[12] |
Dragonfly 2.0 |
Dragonfly 2.0 created a directory named "out" in the user's %AppData% folder and copied files to it.[13] |
Duqu |
Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.[14] |
DustySky |
DustySky created folders in temp directories to host collected files before exfiltration.[15] |
Dyre |
Dyre has the ability to create files in a TEMP folder to act as a database to store information.[16] |
Elise |
Elise creates a file in |
Exaramel for Windows |
Exaramel for Windows specifies a path to store files scheduled for exfiltration.[18] |
FIN5 |
FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.[19] |
FLASHFLOOD |
FLASHFLOOD stages data it copies from the local system or removable drives in the "%WINDIR%\$NtUninstallKB885884$\" directory.[20] |
FrameworkPOS |
FrameworkPOS can identifiy payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows.[21] |
Gold Dragon |
Gold Dragon stores information gathered from the endpoint in a file named 1.hwp.[22] |
Helminth |
Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.[23] |
Honeybee |
Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server.[24] |
InvisiMole |
InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.[25][26] |
Kazuar |
Kazuar stages command output and collected data in files before exfiltration.[27] |
Lazarus Group |
Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.[28][29] |
Leviathan |
Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.[30] |
LightNeuron |
LightNeuron can store email data in files and directories specified in its configuration, such as |
Machete |
Machete stores files and logs in a folder on the local drive.[32] |
Machete |
Machete created their own directories to drop files into.[33] |
menuPass |
menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.[34] |
MESSAGETAP |
MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system.[35] |
MoonWind |
MoonWind saves information from its keylogging routine as a .zip file in the present working directory.[36] |
NavRAT |
NavRAT writes multiple outputs to a TMP file using the >> method.[37] |
NOKKI |
NOKKI can collect data from the victim and stage it in |
OopsIE |
OopsIE stages the output from command execution and collected files in specific folders before exfiltration.[39] |
Patchwork |
Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.[7] |
PoisonIvy | |
Prikormka |
Prikormka creates a directory, |
Pteranodon |
Pteranodon creates various subdirectories under |
PUNCHBUGGY |
PUNCHBUGGY has saved information to a random temp file before exfil.[43] |
PUNCHTRACK |
PUNCHTRACK aggregates collected data in a tmp file.[44] |
Ramsay |
Ramsay can stage data prior to exfiltration in |
RawPOS |
Data captured by RawPOS is placed in a temporary file under a directory named "memdump".[46] |
Rover | |
Soft Cell |
Soft Cell compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.[48] |
SPACESHIP |
SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.[20] |
TEMP.Veles |
TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.[49] |
Threat Group-3390 |
Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.[50] |
Trojan.Karagany |
Trojan.Karagany can create directories to store plugin output and stage data for exfiltration.[51][52] |
Ursnif |
Ursnif has used tmp files to stage gathered information.[53] |
USBStealer |
USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.[54][55] |
Zebrocy |
Zebrocy stores all collected information in a single file before exfiltration.[56] |
Mitigations
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Detection
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.
References
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
- Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
- Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
- Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
- ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
- Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
- GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
- hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
- Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
- Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
- Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
- Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
- Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
- Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
- Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
- Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
- Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
- Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
- Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.