# T1074.001 Local Data Staging

-----------------------------------------------------------------------

## Technique Description

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.

Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)

## Technique Detection

Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.

Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
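The detection guidance above asks for regular checks of temp folders, the recycle bin and similar staging locations for compressed or encrypted data. The following Python script is an added example of that check written for this playbook; it is not MITRE's code. It walks a list of directories, flags files by archive magic bytes (ZIP, RAR, 7z, gzip, zlib) and flags files whose byte entropy is near 8 bits/byte as likely encrypted. The directory list, the magic-byte table, the 7.5 bits/byte threshold and the 256-byte minimum size are illustrative assumptions; tune them to the environment. The `demo()` function builds a throwaway directory with constructed files so the scan can be run offline.

```python
"""Scan local staging directories for compressed or encrypted files.

Added example for this playbook (not MITRE's or the playbook author's code).
ASSUMPTIONS: directory list, magic-byte table, entropy threshold and
minimum file size below are illustrative values, not from the page.
"""
import math
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Leading bytes of the archive formats named in the detection text.
ARCHIVE_MAGIC: Dict[bytes, str] = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
    b"x\x9c": "zlib",
}

ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or compressed data sits near 8.0
MIN_SIZE = 256            # below this the entropy estimate is too noisy to trust

# Staging locations named on this page (recycle bin, temp folders, Debug,
# Perflogs, %AppData%); expand per environment. Missing paths are skipped.
DEFAULT_STAGING_DIRS = [
    tempfile.gettempdir(),
    r"C:\Windows\Temp",
    r"C:\Windows\Debug",
    r"C:\Perflogs",
    r"C:\$Recycle.Bin",
    os.path.expandvars(r"%AppData%"),
]


@dataclass
class Finding:
    path: str
    kind: str        # archive format name, or "high-entropy"
    size: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_file(path: str) -> Optional[Finding]:
    """Return a Finding if the file looks archived or encrypted, else None."""
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)          # enough for magic bytes and entropy
    for magic, name in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return Finding(path, name, os.path.getsize(path), shannon_entropy(head))
    if len(head) >= MIN_SIZE:
        ent = shannon_entropy(head)
        if ent >= ENTROPY_THRESHOLD:
            return Finding(path, "high-entropy", os.path.getsize(path), ent)
    return None


def scan_staging_dirs(dirs: Iterable[str]) -> List[Finding]:
    """Walk each existing directory and collect suspicious files."""
    findings: List[Finding] = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for root, _, files in os.walk(d):
            for f in files:
                p = os.path.join(root, f)
                try:
                    r = classify_file(p)
                except OSError:             # permission denied, file vanished, ...
                    continue
                if r:
                    findings.append(r)
    return findings


def demo() -> Dict[str, str]:
    """Build a throwaway directory of CONSTRUCTED files and scan it."""
    base = tempfile.mkdtemp(prefix="staging-demo-")
    with open(os.path.join(base, "notes.txt"), "w") as fh:   # low entropy, no magic
        fh.write("quarterly report draft\n" * 50)
    with zipfile.ZipFile(os.path.join(base, "out.zip"), "w") as zf:  # zip magic
        zf.writestr("doc.txt", "hello " * 100)
    with open(os.path.join(base, "data.tmp"), "wb") as fh:  # stands in for an encrypted blob
        fh.write(os.urandom(4096))
    return {os.path.basename(f.path): f.kind for f in scan_staging_dirs([base])}


if __name__ == "__main__":
    print("demo:", demo())
    for f in scan_staging_dirs(DEFAULT_STAGING_DIRS):
        print(f"{f.kind:13s} {f.size:>10d} {f.entropy:5.2f} {f.path}")
```

Running the script on a host prints one line per suspicious file in the listed staging directories; the magic-byte check catches the archivers the text names, and the entropy check catches encrypted output that carries no recognisable header. Legitimate archives in user profiles are expected, so the output is a hunting lead to be paired with the process and command-line telemetry described above, not an alert on its own.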

-----------------------------------------------------------------------

### Tactics:

  * Collection

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Command:** Command Execution

  * **File:** File Creation

  * **Windows Registry:** Windows Registry Key Modification

  * **File:** File Access

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has copied files of interest to the main drive's recycle bin.(Citation: ESET BackdoorDiplomacy Jun 2021)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has stored collected credential files in <code>c:\windows\temp</code> prior to exfiltration. [Mustang Panda](https://attack.mitre.org/groups/G0129) has also stored documents for exfiltration in a hidden folder on USB drives.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020)| 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has collected stolen files in a temporary folder in preparation for exfiltration.(Citation: ATT Sidewinder January 2021)| 
| Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has stored collected data in a .tmp file.(Citation: Symantec WastedLocker June 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has staged archived files in a temporary directory prior to exfiltration.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has staged stolen data locally on compromised hosts.(Citation: NCC Group Chimera January 2021)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has staged collected data files under <code>C:\Program Files\Common Files\System\Ole DB\</code>.(Citation: CISA AA20-301A Kimsuky)(Citation: Talos Kimsuky Nov 2021)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)| 
| TEMP.Veles | [TEMP.Veles](https://attack.mitre.org/groups/G0088) has created staging folders in directories that were infrequently used by legitimate users or processes.(Citation: FireEye TRITON 2019)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has utilized tools to aggregate data prior to exfiltration.(Citation: FBI FLASH APT39 September 2020)| 
| Honeybee | [Honeybee](https://attack.mitre.org/groups/G0072) adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.(Citation: McAfee Honeybee)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used C:\Windows\Debug and C:\Perflogs as staging directories.(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)| 
| FIN5 | [FIN5](https://attack.mitre.org/groups/G0053) scripts save memory dump data into a specific directory on hosts in the victim environment.(Citation: Mandiant FIN5 GrrCON Oct 2016)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.(Citation: PWC Cloud Hopper April 2017)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) copied all targeted files to a directory called index that was eventually uploaded to the C&C server.(Citation: TrendMicro Patchwork Dec 2017)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has created a directory named "out" in the user's %AppData% folder and copied files to it.(Citation: US-CERT TA18-074A)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has locally staged encrypted archives for later exfiltration efforts.(Citation: SecureWorks BRONZE UNION June 2017)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) has been known to stage files for exfiltration in a single location.(Citation: aptsim)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has stored captured credential information in a file named pi.log.(Citation: Microsoft SIR Vol 19)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1074/001)

  * [Prevailion Darkwatchman 2021](https://www.prevailion.com/darkwatchman-new-fileless-techniques/), Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- 

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | 1, 2 | |

## Detection Blindspots

- Network would not be able to detect staging on the local system.

## Analytical References

  * [Other references: All custom links should go here](example.lan)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** APT28 may store captured credential information in a file named pi.log.

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** File names are easily changed, but you can modify this query to fit findings on mission or newer intel.

  * **Query:** Event_ID: 11 AND TargetFilename:*pi.log*

#### Analytic 2

  * **Information:** Identify lsass.exe process access

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** Filter out false positives and save to the search/dashboard.

  * **Query:** Event_ID:10 AND TargetImage:lsass.exe
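Analytic 1 and Analytic 2 above are written as Kibana queries. The following Python script is an added example for this playbook, not the playbook author's or MITRE's code; it applies the same two conditions (`Event_ID: 11 AND TargetFilename:*pi.log*` and `Event_ID:10 AND TargetImage:lsass.exe`) to a list of constructed Sysmon-style events so the logic can be exercised offline and extended as Analytic 1's note suggests. The sample events, the `STAGING_FILE_PATTERNS` list and the `LSASS_SOURCE_ALLOWLIST` used to filter Analytic 2's false positives are assumptions for illustration; field names follow Sysmon's own `TargetFilename`, `SourceImage` and `TargetImage`.

```python
"""Analytic 1 and 2 from this playbook, run over constructed Sysmon events.

Added example (not the playbook's Kibana queries or MITRE code).
ASSUMPTIONS: SAMPLE_EVENTS are constructed, not real telemetry; the file
name patterns and the lsass source-image allowlist are illustrative.
"""
import fnmatch
from typing import Dict, Iterable, List, Set

# Constructed sample events shaped like Sysmon records shipped by Winlogbeat.
SAMPLE_EVENTS: List[Dict] = [
    {"Event_ID": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "TargetFilename": r"C:\Windows\Temp\pi.log"},
    {"Event_ID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Logs\CBS\CBS.log"},
    {"Event_ID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Event_ID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"Event_ID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]

# Analytic 1: file names seen in intel. The page's pattern is *pi.log*;
# add further names here as the note on Analytic 1 recommends.
STAGING_FILE_PATTERNS: List[str] = ["*pi.log*"]

# Analytic 2 says to filter false positives: system processes that legitimately
# open lsass. Illustrative allowlist (assumption); tune to the environment.
LSASS_SOURCE_ALLOWLIST: Set[str] = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}


def analytic_1(events: Iterable[Dict], patterns: List[str] = STAGING_FILE_PATTERNS) -> List[Dict]:
    """Event_ID: 11 AND TargetFilename matches any staging-file pattern."""
    hits = []
    for e in events:
        if e.get("Event_ID") != 11:
            continue
        name = str(e.get("TargetFilename", "")).lower()
        # fnmatchcase so '*' matches across backslashes on any OS
        if any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns):
            hits.append(e)
    return hits


def analytic_2(events: Iterable[Dict], allowlist: Set[str] = LSASS_SOURCE_ALLOWLIST) -> List[Dict]:
    """Event_ID: 10 AND TargetImage is lsass.exe, minus allowlisted sources."""
    hits = []
    for e in events:
        if e.get("Event_ID") != 10:
            continue
        target = str(e.get("TargetImage", "")).lower()
        if not target.endswith("\\lsass.exe"):
            continue
        if str(e.get("SourceImage", "")).lower() in allowlist:
            continue
        hits.append(e)
    return hits


def run_all(events: Iterable[Dict]) -> Dict[str, List[Dict]]:
    """Run both analytics once over the same event list."""
    events = list(events)
    return {"analytic_1": analytic_1(events), "analytic_2": analytic_2(events)}


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("  ", h)
```

With the constructed events, Analytic 1 returns the single `pi.log` creation and Analytic 2 returns only the lsass access from the unsigned binary in the user's temp folder, because the `csrss.exe` access is allowlisted. An empty allowlist reproduces the raw Kibana query and returns both lsass events, which is the starting point before the false-positive filtering the note on Analytic 2 describes.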



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- No analytics for network since this happens on the local system. Related network traffic (lateral movement, exfiltration) would be detected by other playbooks.
