Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1074 | Data Staged |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
|
| azure_sentinel | Azure Sentinel | technique_scores | T1074 | Data Staged | |
| conditional_access | Conditional Access | technique_scores | T1074 | Data Staged |
Comments
This control only provides the ability to restrict file downloads for a limited set of applications and therefore its overall Coverage score is minimal.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1074.001 | Local Data Staging | 3 |
| T1074.002 | Remote Data Staging | 1 |