Data Staged (T1074)

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017) In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.(Citation: Mandiant M-Trends 2020) Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

Source: https://github.com/mitre/cti
Related Prelude attack chains
Release Date (Newest)
Filterfilter
Search for chains, TTPs, themes, and text

Browse By:

Platforms

  • All
  • Windows
  • Linux
  • Darwin
  • Global
  • Android

Themes

Tags

Licenses

Is this host protected from Qakbot?

2022-08-15

/static/assets/windows-logo.svg
Emulates Qakbot's privilege escalation, defense evasion and data collection/exfiltration tactics.
APT38 Sony Hack

2022-05-24

/static/assets/windows-logo.svg
A Prelude portrayal of the 2014 hack on Sony attributed to APT38.
APT40 educational institutions

2022-05-03

/static/assets/windows-logo.svg/static/assets/apple-logo.svg/static/assets/linux-logo.svg
Perform process injection and native API execution techniques.
Conti Collect and Exfiltrate

2022-02-08

/static/assets/windows-logo.svg
Automatically collect information and exfiltrate with rclone to a cloud service.
Windows LotL Ransomware

2021-12-21

/static/assets/windows-logo.svg
Deploy a Windows live-off-the-land ransomware attack.
Linux LotL Ransomware

2021-12-14

/static/assets/linux-logo.svg
Deploy a linux live-off-the-land ransomware attack.
Vulnerable Certificates

2021-10-19

/static/assets/windows-logo.svg
Ingress, load, and run Certify to find vulnerable certificates.
SharpHound

2021-09-07

/static/assets/windows-logo.svg
Ingress, load, and run the SharpHound collector.
Kaseya VSA Attack

2021-08-16

/static/assets/windows-logo.svg
Side-load an agent using components of the REvil ransomware attack kill chain.
File Hunter

2021-08-10

/static/assets/windows-logo.svg/static/assets/linux-logo.svg/static/assets/apple-logo.svg
Automatically discover and prepare files for exfiltration.
Ransomware

2021-08-10

/static/assets/windows-logo.svg/static/assets/linux-logo.svg/static/assets/apple-logo.svg
Deploy a safe cross-platform ransomware attack.
GhostLoader

2021-07-06

/static/assets/windows-logo.svg
Use the "GhostLoader" technique to run assemblies compiled on the target system.