Data Staged: Local Data Staging
Other sub-techniques of Data Staged (2)
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
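As an added detection example (not taken from the ATT&CK page or from any of the tools cited on it), the script below runs a simple staging heuristic over constructed process telemetry. It flags command lines that write or aggregate files into well-known staging locations (the `C:\Users\Public`, `ProgramData` and `/tmp` style paths that recur in the procedure examples), shell output redirection into such locations, and binary value writes to the Registry; read-only access to a temp path is deliberately not flagged. The sample events, the staging-directory list, the verb list and the regular expressions are all assumptions chosen for illustration and will need tuning to a real environment's baseline.

```python
import re
from typing import Optional

# Constructed sample process telemetry as (host, user, command line); not real data.
SAMPLE_EVENTS = [
    ("ws01", "alice", r'cmd.exe /c copy "C:\Users\alice\Documents\q3.xlsx" C:\Users\Public\out\q3.xlsx'),
    ("ws01", "alice", r"cmd.exe /c ipconfig /all >> C:\ProgramData\found_shares.txt"),
    ("ws02", "bob", r"powershell.exe -c Get-Process | Out-File C:\Users\bob\Desktop\procs.txt"),
    ("srv01", "root", "tar czf /tmp/.cache/stage.tgz /home/*/.ssh"),
    ("srv01", "root", "ls -la /tmp/1"),
    ("ws03", "svc", r"reg.exe add HKCU\Software\Acme\Cache /v blob /t REG_BINARY /d 4a4b4c4d"),
]

# Assumed list of locations commonly used for staging (lower-case substrings).
STAGING_DIRS = (
    r"c:\users\public", r"c:\programdata", r"c:\windows\temp",
    "%temp%", "%tmp%", "/tmp", "/var/tmp", "/dev/shm",
)

# Commands that write or aggregate files (assumed list), and shell output redirection;
# ">>" appending many outputs into one file is the pattern the page describes for NavRAT.
WRITE_VERB = re.compile(
    r"\b(copy|xcopy|robocopy|move|cp|mv|tar|zip|7z|rar|out-file|set-content|add-content|tee)\b",
    re.I,
)
REDIRECT = re.compile(r">>?\s*(\S+)")
# A binary value written with reg add is one way to stage a blob in the Registry.
REG_BINARY_WRITE = re.compile(r"\breg(?:\.exe)?\s+add\b.*\s/t\s+REG_BINARY\b", re.I)


def staging_targets(cmdline: str) -> list:
    """Return the command-line tokens that point into a known staging location."""
    return [t for t in cmdline.split()
            if any(d in t.strip('"\'').lower() for d in STAGING_DIRS)]


def classify(cmdline: str) -> Optional[str]:
    """Return a reason string if the command line looks like local data staging, else None."""
    if REG_BINARY_WRITE.search(cmdline):
        return "binary value written to Registry"
    targets = staging_targets(cmdline)
    if not targets:
        return None
    if REDIRECT.search(cmdline):
        return f"command output redirected into staging location: {targets[-1]}"
    if WRITE_VERB.search(cmdline):
        return f"file written/aggregated into staging location: {targets[-1]}"
    return None  # read-only access to a temp path (e.g. `ls /tmp`) is not staging


def detect(events) -> list:
    """Run classify() over (host, user, cmdline) tuples and return the findings."""
    findings = []
    for host, user, cmdline in events:
        reason = classify(cmdline)
        if reason:
            findings.append((host, user, cmdline, reason))
    return findings


if __name__ == "__main__":
    for host, user, cmdline, reason in detect(SAMPLE_EVENTS):
        print(f"{host} {user}: {reason}\n    {cmdline}")
```

On the constructed sample, four of the six events are flagged: the copy into `C:\Users\Public`, the `>>` redirection into `ProgramData`, the `tar` archive written under `/tmp`, and the `REG_BINARY` write; the `Out-File` to a user's Desktop and the `ls` of `/tmp/1` are not. Because the heuristic keys on destination paths rather than on specific tool names, it generalises beyond the examples in the table, at the cost of needing an allow-list for legitimate installers and build jobs that also write to these directories.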
Procedure Examples

| Name | Description |
|---|---|
| OopsIE | OopsIE stages the output from command execution and collected files in specific folders before exfiltration.(Citation: Unit 42 OopsIE! Feb 2018) |
| AuTo Stealer | AuTo Stealer can store collected data from an infected host to a file named `Hostname_UserName.txt` prior to exfiltration.(Citation: MalwareBytes SideCopy Dec 2021) |
| CHIMNEYSWEEP | CHIMNEYSWEEP can store captured screenshots to disk, including to a covert store named `APPX.%x%x%x%x%x.tmp` where `%x` is a random value.(Citation: Mandiant ROADSWEEP August 2022) |
| SLIGHTPULSE | SLIGHTPULSE has piped the output from executed commands to `/tmp/1`.(Citation: Mandiant Pulse Secure Zero-Day April 2021) |
| Dtrack | Dtrack can save collected data to disk, different file formats, and network shares.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack) |
| Milan | Milan has saved files prior to upload from a compromised host to folders beginning with the characters `a9850d2f`.(Citation: ClearSky Siamesekitten August 2021) |
| NavRAT | NavRAT writes multiple outputs to a TMP file using the `>>` method.(Citation: Talos NavRAT May 2018) |
| Threat Group-3390 | Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.(Citation: SecureWorks BRONZE UNION June 2017) |
| Sidewinder | Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.(Citation: ATT Sidewinder January 2021) |
| Ursnif | Ursnif has used tmp files to stage gathered information.(Citation: TrendMicro Ursnif Mar 2015) |
| FunnyDream | FunnyDream can stage collected information including screen captures and logged keystrokes locally.(Citation: Bitdefender FunnyDream Campaign November 2020) |
| C0032 | During the C0032 campaign, TEMP.Veles used staging folders that are infrequently used by legitimate users or processes to store data for exfiltration and tool deployment.(Citation: FireEye TRITON 2019) |
| Operation Wocao | Operation Wocao has staged archived files in a temporary directory prior to exfiltration.(Citation: FoxIT Wocao December 2019) |
| TEMP.Veles | TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.(Citation: FireEye TRITON 2019) |
| FIN5 | FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.(Citation: Mandiant FIN5 GrrCON Oct 2016) |
| Dyre | Dyre has the ability to create files in a TEMP folder to act as a database to store information.(Citation: Malwarebytes Dyreza November 2015) |
| BadPatch | BadPatch stores collected data in log files before exfiltration.(Citation: Unit 42 BadPatch Oct 2017) |
| DarkWatchman | DarkWatchman can stage local data in the Windows Registry.(Citation: Prevailion DarkWatchman 2021) |
| Operation Honeybee | During Operation Honeybee, stolen data was copied into a text file using the format `From |
| Operation Wocao | During Operation Wocao, threat actors staged archived files in a temporary directory prior to exfiltration.(Citation: FoxIT Wocao December 2019) |
| Patchwork | Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.(Citation: TrendMicro Patchwork Dec 2017) |
| metaMain | metaMain has stored the collected system files in a working directory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Mafalda | Mafalda can place retrieved files into a destination directory.(Citation: SentinelLabs Metador Sept 2022) |
| MacMa | MacMa has stored collected files locally before exfiltration.(Citation: Objective-See MacMa Nov 2021) |
| Carbon | Carbon creates a base directory that contains the files and folders that are collected.(Citation: ESET Carbon Mar 2017) |
| Ramsay | Ramsay can stage data prior to exfiltration in |
| C0015 | During C0015, PowerView's file share enumeration results were stored in the file `c:\ProgramData\found_shares.txt`.(Citation: DFIR Conti Bazar Nov 2021) |
| APT5 | APT5 has staged data on compromised systems prior to exfiltration, often in `C:\Users\Public`.(Citation: Mandiant Pulse Secure Update May 2021) |
| TeamTNT | TeamTNT has aggregated collected credentials in text files before exfiltrating.(Citation: Cisco Talos Intelligence Group) |
| Cuckoo Stealer | Cuckoo Stealer has staged collected application data from Safari, Notes, and Keychain to `/var/folder`.(Citation: Kandji Cuckoo April 2024) |
| InvisiMole | InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
| Indrik Spider | Indrik Spider has stored collected data in a .tmp file.(Citation: Symantec WastedLocker June 2020) |
| Agrius | Agrius has used the folder, |
| SUGARDUMP | SUGARDUMP has stored collected data under `% |