
Data Staged: Local Data Staging

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)

ID: T1074.001
Sub-technique of: T1074
Tactic(s): Collection
Platforms: Linux, macOS, Windows
Data Sources: Command: Command Execution, File: File Access, File: File Creation, Windows Registry: Windows Registry Key Modification
Version: 1.1
Created: 13 Mar 2020
Last Modified: 26 Aug 2024
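The data sources listed above map onto a simple detection: correlate command-execution, file-creation and registry events against the staging locations the procedure examples below describe (C:\Users\Public, ProgramData, TEMP folders, /tmp, `>>` redirection into a file, bulky registry values). The following is an added illustration, not part of the ATT&CK page or SECURITM; the event schema, thresholds and sample events are constructed for this example.

```python
"""Toy detection for T1074.001 (Local Data Staging) over constructed events.

Field names (host, type, cmdline, path, key, size) are an assumed schema,
not a real product format; adapt to Sysmon/auditd/EDR fields as needed.
"""
import re
from collections import defaultdict

# Staging directories cited by the procedure examples on this page.
STAGING_DIRS = re.compile(
    r"(?i)^(?:c:\\users\\public\\|c:\\programdata\\|c:\\windows\\temp\\|"
    r"%temp%\\|/tmp/)")
# Shell redirection (`>` or `>>`) into a file path, e.g. NavRAT's `>>` method.
REDIRECT = re.compile(r"(?i)>>?\s*\"?((?:c:\\|/tmp/)[^\s\"]+)")
FILE_BURST = 5          # files landing in one staging dir before we alert
REG_VALUE_MAX = 8192    # bytes; DarkWatchman-style registry staging is bulky

def score_events(events):
    """Return {host: [finding, ...]} for events that look like local staging."""
    findings = defaultdict(list)
    per_dir = defaultdict(int)
    for ev in events:
        host = ev["host"]
        if ev["type"] == "command":
            m = REDIRECT.search(ev["cmdline"])
            if m and STAGING_DIRS.match(m.group(1)):
                findings[host].append(f"redirect to staging path: {m.group(1)}")
        elif ev["type"] == "file_create" and STAGING_DIRS.match(ev["path"]):
            # Count files per (host, directory); alert once on the Nth file.
            d = ev["path"].rsplit("\\", 1)[0].rsplit("/", 1)[0].lower()
            per_dir[(host, d)] += 1
            if per_dir[(host, d)] == FILE_BURST:
                findings[host].append(f"{FILE_BURST}+ files created under {d}")
        elif ev["type"] == "registry_set" and ev["size"] > REG_VALUE_MAX:
            findings[host].append(
                f"large registry value {ev['key']} ({ev['size']} bytes)")
    return dict(findings)

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"host": "ws01", "type": "command",
     "cmdline": "cmd.exe /c ipconfig /all >> C:\\Users\\Public\\out.txt"},
    {"host": "ws01", "type": "command",   # redirect, but not a staging dir
     "cmdline": "cmd.exe /c dir > C:\\Users\\alice\\Desktop\\list.txt"},
    {"host": "ws01", "type": "registry_set", "key": "HKCU\\Software\\Demo\\blob", "size": 40000},
    {"host": "ws02", "type": "file_create", "path": "/tmp/1"},
    {"host": "ws02", "type": "registry_set", "key": "HKCU\\Software\\Demo\\small", "size": 64},
] + [{"host": "ws02", "type": "file_create", "path": f"C:\\ProgramData\\shares{i}.txt"}
     for i in range(5)]

if __name__ == "__main__":
    for host, hits in score_events(SAMPLE_EVENTS).items():
        print(host, hits)
```

Single writes to /tmp or a Desktop redirect stay below threshold by design; tune the directory list and thresholds to the baseline of the environment being monitored.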

Procedure Examples

Name / Description
OopsIE

OopsIE stages the output from command execution and collected files in specific folders before exfiltration.(Citation: Unit 42 OopsIE! Feb 2018)

AuTo Stealer

AuTo Stealer can store collected data from an infected host to a file named `Hostname_UserName.txt` prior to exfiltration.(Citation: MalwareBytes SideCopy Dec 2021)

CHIMNEYSWEEP

CHIMNEYSWEEP can store captured screenshots to disk including to a covert store named `APPX.%x%x%x%x%x.tmp` where `%x` is a random value.(Citation: Mandiant ROADSWEEP August 2022)

SLIGHTPULSE

SLIGHTPULSE has piped the output from executed commands to `/tmp/1`.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

Dtrack

Dtrack can save collected data to disk, different file formats, and network shares.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack)

Milan

Milan has saved files prior to upload from a compromised host to folders beginning with the characters `a9850d2f`.(Citation: ClearSky Siamesekitten August 2021)

NavRAT

NavRAT writes multiple outputs to a TMP file using the `>>` append redirection.(Citation: Talos NavRAT May 2018)

Threat Group-3390

Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.(Citation: SecureWorks BRONZE UNION June 2017)

Sidewinder

Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.(Citation: ATT Sidewinder January 2021)

Ursnif

Ursnif has used tmp files to stage gathered information.(Citation: TrendMicro Ursnif Mar 2015)

FunnyDream

FunnyDream can stage collected information including screen captures and logged keystrokes locally.(Citation: Bitdefender FunnyDream Campaign November 2020)

During the C0032 campaign, TEMP.Veles used staging folders that are infrequently used by legitimate users or processes to store data for exfiltration and tool deployment.(Citation: FireEye TRITON 2019)

Operation Wocao

Operation Wocao has staged archived files in a temporary directory prior to exfiltration.(Citation: FoxIT Wocao December 2019)

TEMP.Veles

TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.(Citation: FireEye TRITON 2019)

FIN5

FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.(Citation: Mandiant FIN5 GrrCON Oct 2016)

Dyre

Dyre has the ability to create files in a TEMP folder to act as a database to store information.(Citation: Malwarebytes Dyreza November 2015)

BadPatch

BadPatch stores collected data in log files before exfiltration.(Citation: Unit 42 BadPatch Oct 2017)

DarkWatchman

DarkWatchman can stage local data in the Windows Registry.(Citation: Prevailion DarkWatchman 2021)

During Operation Honeybee, stolen data was copied into a text file using the format `From (- --).txt` prior to compression, encoding, and exfiltration.(Citation: McAfee Honeybee)

During Operation Wocao, threat actors staged archived files in a temporary directory prior to exfiltration.(Citation: FoxIT Wocao December 2019)

Patchwork

Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.(Citation: TrendMicro Patchwork Dec 2017)

metaMain

metaMain has stored the collected system files in a working directory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)

Mafalda

Mafalda can place retrieved files into a destination directory.(Citation: SentinelLabs Metador Sept 2022)

MacMa

MacMa has stored collected files locally before exfiltration.(Citation: Objective-See MacMa Nov 2021)

Carbon

Carbon creates a base directory that contains the files and folders that are collected.(Citation: ESET Carbon Mar 2017)

Ramsay

Ramsay can stage data prior to exfiltration in %APPDATA%\Microsoft\UserSetting and %APPDATA%\Microsoft\UserSetting\MediaCache.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

During C0015, PowerView's file share enumeration results were stored in the file `c:\ProgramData\found_shares.txt`.(Citation: DFIR Conti Bazar Nov 2021)

APT5

APT5 has staged data on compromised systems prior to exfiltration often in `C:\Users\Public`.(Citation: Mandiant Pulse Secure Update May 2021)

TeamTNT

TeamTNT has aggregated collected credentials in text files before exfiltrating.(Citation: Cisco Talos Intelligence Group)

Cuckoo Stealer

Cuckoo Stealer has staged collected application data from Safari, Notes, and Keychain to `/var/folder`.(Citation: Kandji Cuckoo April 2024)

InvisiMole

InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

Indrik Spider

Indrik Spider has stored collected data in a .tmp file.(Citation: Symantec WastedLocker June 2020)

Agrius

Agrius has used the folder `C:\windows\temp\s\` to stage data for exfiltration.(Citation: Unit42 Agrius 2023)

SUGARDUMP

SUGARDUMP has stored collected data under `%%\\CrashLog.txt`.(Citation: Mandiant UNC3890