T1074.001 Local Data Staging Mappings

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

View in MITRE ATT&CK®

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
azure_security_center_recommendations Azure Security Center Recommendations technique_scores T1074.001 Local Data Staging
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
    azure_sentinel Azure Sentinel technique_scores T1074.001 Local Data Staging
    Comments
    The Azure Sentinel Analytics "Malware in the recycle bin" query can detect local hidden malware.
    References
      conditional_access Conditional Access technique_scores T1074.001 Local Data Staging
      Comments
      Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files. This can impede an adversary's ability to collect and stage files. This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this.
      References