# T1074 Data Staged

-----------------------------------------------------------------------

## Technique Description

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)

Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

## Technique Detection

Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.

Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
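The staging heuristic this section describes (a process reading files from disparate locations and writing them, or an archive of them, into one directory, with extra weight when a compression utility or a temp folder is involved) as an added Python example. This is not MITRE's or the hunt notebook's own code. It assumes file events have already been normalized into dicts with the fields host, pid, image, action ("read" or "create") and path (for example Windows object-access audits for reads and Sysmon Event ID 11 for file creation); the field names, thresholds and sample events are all constructed for the example.

```python
"""Heuristic for T1074 data staging over normalized file events (added example)."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Compression utilities named in the hunt notes, matched on the image file name.
ARCHIVER_IMAGES = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "zip.exe"}

# Substrings that mark commonly used staging directories (temp folders,
# recycle bin), matched against the lower-cased destination directory.
STAGING_DIR_HINTS = ("\\temp", "\\tmp", "$recycle.bin")

# Extensions that suggest the staged data was combined into one archive.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".gz", ".cab", ".tar"}


def stage_findings(events, min_read_dirs=3, min_writes_same_dir=3):
    """Group events by (host, pid). A process is reported when its reads span at
    least `min_read_dirs` distinct directories and it either creates at least
    `min_writes_same_dir` files in one destination directory or writes an
    archive file there. Archiver images, staging directories and archive
    outputs each add one point so the hunter can triage the strongest hits first."""
    read_dirs = defaultdict(set)                      # (host, pid) -> source dirs
    created = defaultdict(lambda: defaultdict(list))  # (host, pid) -> dest dir -> paths
    images = {}
    for ev in events:
        key = (ev["host"], ev["pid"])
        images[key] = PureWindowsPath(ev["image"]).name.lower()
        directory = str(PureWindowsPath(ev["path"]).parent).lower()
        if ev["action"] == "read":
            read_dirs[key].add(directory)
        elif ev["action"] == "create":
            created[key][directory].append(ev["path"])

    findings = []
    for key, dests in created.items():
        sources = read_dirs.get(key, set())
        if len(sources) < min_read_dirs:
            continue
        for dest_dir, paths in dests.items():
            archive_out = any(PureWindowsPath(p).suffix.lower() in ARCHIVE_EXTENSIONS for p in paths)
            if len(paths) < min_writes_same_dir and not archive_out:
                continue
            score = 1
            reasons = [f"reads from {len(sources)} directories, {len(paths)} file(s) created in {dest_dir}"]
            if images[key] in ARCHIVER_IMAGES:
                score += 1
                reasons.append(f"compression utility {images[key]}")
            if any(hint in dest_dir for hint in STAGING_DIR_HINTS):
                score += 1
                reasons.append("destination is a common staging directory")
            if archive_out:
                score += 1
                reasons.append("archive file written")
            findings.append({"host": key[0], "pid": key[1], "image": images[key],
                             "dest_dir": dest_dir, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


def _ev(pid, image, action, path, host="WS01"):
    """Build one constructed normalized event."""
    return {"host": host, "pid": pid, "image": image, "action": action, "path": path}


# Constructed sample: an archiver staging three directories into %TEMP%, a
# shell copying three files into one ProgramData folder, and a benign editor
# that only rewrites the file it opened.
SEVEN_ZIP = r"C:\Program Files\7-Zip\7z.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EDITOR = r"C:\Program Files\Editor\editor.exe"
SAMPLE_EVENTS = [
    _ev(4120, SEVEN_ZIP, "read", r"C:\Users\alice\Documents\q1.xlsx"),
    _ev(4120, SEVEN_ZIP, "read", r"C:\Users\alice\Desktop\notes.txt"),
    _ev(4120, SEVEN_ZIP, "read", r"D:\Shares\Finance\budget.docx"),
    _ev(4120, SEVEN_ZIP, "create", r"C:\Users\alice\AppData\Local\Temp\stage.7z"),
    _ev(7001, CMD, "read", r"C:\Users\carol\Documents\contract.pdf"),
    _ev(7001, CMD, "read", r"C:\Users\carol\Pictures\badge.png"),
    _ev(7001, CMD, "read", r"C:\HR\Reports\roster.xlsx"),
    _ev(7001, CMD, "create", r"C:\ProgramData\cache\contract.pdf"),
    _ev(7001, CMD, "create", r"C:\ProgramData\cache\badge.png"),
    _ev(7001, CMD, "create", r"C:\ProgramData\cache\roster.xlsx"),
    _ev(5520, EDITOR, "read", r"C:\Users\bob\Documents\memo.docx"),
    _ev(5520, EDITOR, "create", r"C:\Users\bob\Documents\memo.docx"),
]

if __name__ == "__main__":
    for f in stage_findings(SAMPLE_EVENTS):
        print(f["score"], f["host"], f["pid"], f["image"], f["dest_dir"], "; ".join(f["reasons"]))
```

On the sample the 7-Zip process scores 4 (three source directories, archiver image, temp destination, archive output), the cmd.exe copy scores 1, and the editor is never reported because it reads from a single directory. The thresholds are deliberately parameters: on a file server or backup host the defaults will be noisy, and the read-directory count is the first knob to raise.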

-----------------------------------------------------------------------

### Tactics:

  *   Collection

### Platforms:

  * Windows

  * IaaS

  * Linux

  * macOS

### Data Sources:

  * **File:** File Creation

  * **Windows Registry:** Windows Registry Key Modification

  * **File:** File Access

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has collected and staged credentials and network enumeration information, using the networkdll and psfin [TrickBot](https://attack.mitre.org/software/S0266) modules.(Citation: CrowdStrike Grim Spider May 2019) |

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1074)

  * [Pwc Cloud Hopper April 2017](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf), PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.

  * [Mandiant M-Trends 2020](https://content.fireeye.com/m-trends/rpt-m-trends-2020), Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Data staging may be detected by monitoring file creation, process command-line parameters, and process execution.
- Adversaries will stage collected data in a central location or directory prior to Exfiltration.



## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | 1 | |
| APT29 | 2, 3, 4 | |

#### APT28
- has stored captured credential information in a file named pi.log.
- ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.
- USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.
- Zebrocy stores all collected information in a single file before exfiltration.

#### Turla
- Carbon creates a base directory that contains the files and folders that are collected.
- Kazuar stages command output and collected data in files before exfiltration.
- LightNeuron can store email data in files and directories specified in its configuration, such as C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\.

## Detection Blindspots

- Information Here

## Analytical References

  * [Atomic Red Team T1074.001 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md)
  * [ESET Sednit Part 2 2016 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf)
  * [Microsoft Security Intelligence Report Volume 19 (microsoft)](http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf)
  * [Carbon Paper Peering Turlas Second Stage Backdoor (welivesecurity)](https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/)
  * [Kazuar Multiplatform Espionage Backdoor - API Access (paloaltonetworks)](https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/)
  * [ESET LightNeuron 2019 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf)
  * [Sednit Espionage Group Attacking Air-Gapped Networks 2014 (welivesecurity)](https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/)
  * [Sednit Whats Going Zebrocy (welivesecurity)](https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/)


-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.
- Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
- Monitor processes and command-line arguments for actions that could be taken to collect and combine files.
- Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location.
- Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

#### Analytic 1

  * **Information:** APT28 previously observed file naming conventions

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** Filenames are easily changed, but could provide a quick kill if they still use them

  * **Query Pseudo:** ```event.code : 11 AND (TargetFilename contains *Temp* and like __####tmp.dat OR TargetFilename: *pi.log)```


#### Analytic 2

  * **Information:** LightNeuron (Turla)

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```event.code : 11 and TargetFilename begins with C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp```

#### Analytic 3 

  * **Information:** Kazuar (Turla)
  
  * **Notes:** The Trojan creates a set of folders on the system to store various files created during its execution. Kazuar creates its folders using group names, which logically organize the files contained within the folder {base, sys, log, plg, tsk, and res}, combined with the local system path to the %LOCALAPPDATA% folder.

#### Analytic 4

  * **Information:** Carbon (Turla)
  
  * **Notes:** A base working directory will contain the files/folders related to Carbon. This directory is chosen randomly among the folders in %ProgramFiles% but excluding “WindowsApps”. The Carbon working directory is retrieved by walking through the “%windir%\inf” folder and looking for the file that contains the Carbon base path.
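Host Analytics 1 to 3 above expressed as Python matchers over Sysmon Event ID 11 (FileCreate) records, so the pseudo-queries can be checked offline against known-good and known-bad paths before they become Kibana searches. This is an added example, not code from the hunt notebook or from MITRE. Assumptions: records are dicts carrying the Sysmon field names used in the queries above (event.code, TargetFilename) plus Image and ProcessId; the APT28 pseudo-pattern __####tmp.dat is read as two underscores, four digits, then tmp.dat; the pi.log match is on the file basename, slightly stricter than the wildcard *pi.log; and every sample record and image path is constructed.

```python
"""Host Analytics 1-3 as matchers over Sysmon Event ID 11 records (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Analytic 1: ADVSTORESHELL output file in a Temp folder (pattern is an
# interpretation of the pseudo-query's __####tmp.dat), or a pi.log file.
ADVSTORESHELL_DAT = re.compile(r"^__\d{4}tmp\.dat$", re.IGNORECASE)

# Analytic 2: LightNeuron staging directory taken from the query above.
LIGHTNEURON_PREFIX = r"c:\windows\serviceprofiles\networkservice\appdata\local\temp"

# Analytic 3: Kazuar group folder names, expected under %LOCALAPPDATA%.
KAZUAR_GROUPS = {"base", "sys", "log", "plg", "tsk", "res"}
LOCALAPPDATA_MARKER = "\\appdata\\local\\"


def match_apt28_filenames(rec):
    """Analytic 1: FileCreate of __####tmp.dat inside a Temp folder, or of pi.log."""
    if rec["event.code"] != 11:
        return False
    path = PureWindowsPath(rec["TargetFilename"])
    in_temp = "\\temp\\" in str(path).lower()
    return (in_temp and bool(ADVSTORESHELL_DAT.match(path.name))) or path.name.lower() == "pi.log"


def match_lightneuron_path(rec):
    """Analytic 2: FileCreate whose TargetFilename begins with the LightNeuron directory."""
    return rec["event.code"] == 11 and rec["TargetFilename"].lower().startswith(LIGHTNEURON_PREFIX)


def kazuar_folder_hits(records, min_groups=3):
    """Analytic 3: per (Image, ProcessId), the Kazuar group folders under
    %LOCALAPPDATA% that received files; only processes touching at least
    `min_groups` distinct group folders are returned."""
    seen = defaultdict(set)
    for rec in records:
        if rec["event.code"] != 11:
            continue
        path = PureWindowsPath(rec["TargetFilename"])
        if LOCALAPPDATA_MARKER not in str(path).lower():
            continue
        folder = path.parent.name.lower()
        if folder in KAZUAR_GROUPS:
            seen[(rec["Image"], rec["ProcessId"])].add(folder)
    return {key: sorted(groups) for key, groups in seen.items() if len(groups) >= min_groups}


def run_analytics(records):
    """Apply all three analytics and return the matches keyed by analytic name."""
    return {
        "apt28_filename": [r["TargetFilename"] for r in records if match_apt28_filenames(r)],
        "lightneuron_path": [r["TargetFilename"] for r in records if match_lightneuron_path(r)],
        "kazuar_folders": kazuar_folder_hits(records),
    }


def _rec(code, image, pid, target):
    """Build one constructed Sysmon-style record."""
    return {"event.code": code, "Image": image, "ProcessId": pid, "TargetFilename": target}


# Constructed records: two APT28-style names, one LightNeuron path, four Kazuar
# group folders from one process, two benign files (api.log must not match
# pi.log) and a non-FileCreate event that must be ignored.
RUNDLL = r"C:\Windows\System32\rundll32.exe"
SAMPLE_EXE = r"C:\Users\bob\AppData\Roaming\sample.exe"
SAMPLE_RECORDS = [
    _rec(11, RUNDLL, 3304, r"C:\Users\alice\AppData\Local\Temp\__1234tmp.dat"),
    _rec(11, RUNDLL, 3304, r"C:\ProgramData\pi.log"),
    _rec(11, r"C:\Example\transport.exe", 5120,
         r"C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\msg0001.bin"),
    _rec(11, SAMPLE_EXE, 6100, r"C:\Users\bob\AppData\Local\base\cfg.bin"),
    _rec(11, SAMPLE_EXE, 6100, r"C:\Users\bob\AppData\Local\sys\s.bin"),
    _rec(11, SAMPLE_EXE, 6100, r"C:\Users\bob\AppData\Local\log\l.txt"),
    _rec(11, SAMPLE_EXE, 6100, r"C:\Users\bob\AppData\Local\tsk\t.bin"),
    _rec(11, r"C:\Windows\explorer.exe", 1200, r"C:\Users\alice\Documents\report.docx"),
    _rec(11, r"C:\Windows\explorer.exe", 1200, r"C:\Users\alice\AppData\Local\Temp\api.log"),
    _rec(1, RUNDLL, 3304, r"C:\ProgramData\pi.log"),
]

if __name__ == "__main__":
    for analytic, hits in run_analytics(SAMPLE_RECORDS).items():
        print(analytic, hits)
```

Analytic 3 deliberately requires several group folders from the same process rather than any single one, because folder names such as log or sys under %LOCALAPPDATA% are created by plenty of legitimate software; the folder set, not one name, is what the Kazuar note describes.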


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

