Data Staged: Local Data Staging
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
Procedure Examples

| Name | Description |
|---|---|
| Exaramel for Windows | Exaramel for Windows specifies a path to store files scheduled for exfiltration.(Citation: ESET TeleBots Oct 2018) |
| NOKKI | NOKKI can collect data from the victim and stage it in |
| KOPILUWAK | KOPILUWAK has piped the results from executed C2 commands to `%TEMP%\result2.dat` on the local machine.(Citation: Mandiant Suspected Turla Campaign February 2023) |
| VersaMem | VersaMem staged captured credentials locally at `/tmp/.temp.data`.(Citation: Lumen Versa 2024) |
| Ursnif | Ursnif has used tmp files to stage gathered information.(Citation: TrendMicro Ursnif Mar 2015) |
| FrameworkPOS | FrameworkPOS can identify payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows\.(Citation: FireEye FIN6 April 2016) |
| RainyDay | RainyDay can use a file exfiltration tool to copy files to |
| AppleSeed | AppleSeed can stage files in a central location prior to exfiltration.(Citation: Malwarebytes Kimsuky June 2021) |
| NETWIRE | NETWIRE has the ability to write collected data to a file created in the |
| Turian | Turian can store copied files in a specific directory prior to exfiltration.(Citation: ESET BackdoorDiplomacy Jun 2021) |
| Machete | Machete stores files and logs in a folder on the local drive.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017) |
| PowerLess | PowerLess can stage stolen browser data in `C:\\Windows\\Temp\\cup.tmp` and keylogger data in `C:\\Windows\\Temp\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK`.(Citation: Cybereason PowerLess February 2022) |
| Prikormka | Prikormka creates a directory, |
| Mafalda | Mafalda can place retrieved files into a destination directory.(Citation: SentinelLabs Metador Sept 2022) |
| AuTo Stealer | AuTo Stealer can store collected data from an infected host to a file named `Hostname_UserName.txt` prior to exfiltration.(Citation: MalwareBytes SideCopy Dec 2021) |
| SombRAT | SombRAT can store harvested data in a custom database under the %TEMP% directory.(Citation: BlackBerry CostaRicto November 2020) |
| FLASHFLOOD | FLASHFLOOD stages data it copies from the local system or removable drives in the "%WINDIR%\$NtUninstallKB885884$\" directory.(Citation: FireEye APT30) |
| LoFiSe | LoFiSe can save files to be evaluated for further exfiltration in the `C:\Programdata\Microsoft\` and `C:\windows\temp\` folders.(Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Cuckoo Stealer | Cuckoo Stealer has staged collected application data from Safari, Notes, and Keychain to `/var/folder`.(Citation: Kandji Cuckoo April 2024) |
| InvisiMole | InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
| MarkiRAT | MarkiRAT can store collected data locally in a created .nfo file.(Citation: Kaspersky Ferocious Kitten Jun 2021) |
| Kazuar | Kazuar stages command output and collected data in files before exfiltration.(Citation: Unit 42 Kazuar May 2017) |
| NavRAT | NavRAT writes multiple outputs to a TM |