Discover recently used files on a system and prepare a staging directory. Copy all of those 
discovered files to the staging directory then compress the directory to prepare it for exfiltration.


File Hunter

Copy files to a different directory. Hackers will often stage files instead of steal the original copies in order
to be less noticeable.


Stage collected files

Data Staged

Locate files modified in the last 24 hours. Recently modified files typically mean they carry some significance and
a hacker can look for these instead of looking at each file on a system to determine worth.


Find recent files

Data from Local System

Creating a staging directory is often a precursor to copying files into it. Hackers will do this in order to
exfiltrate important files without getting caught.


Create new directory

Compressing a directory has many purposes, mainly making the contents smaller and condensing them to a single file.
A hacker will tend to do this before trying to steal files from a computer because it is less noticeable to
steal a small file than a large number of bigger files.


File Hunter

Execute this chain

TTPs

Tags

Tactics