T1074 - Data Staged#
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.(Citation: Mandiant M-Trends 2020)
Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
Atomic Tests:#
Currently, no tests are available for this technique.
Detection#
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
Shield Active Defense#
Pocket Litter#
Place data on a system to reinforce the legitimacy of the system or user.
Pocket Litter is data placed on a system to convince an adversary that the system and users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user’s computer. This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.).
Opportunity#
In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary’s behaviors, test their interest in specific topics, or add legitimacy to a system or environment.
Use Case#
A defender can stage a variety of pocket litter files with known hashes around a system. Detections can be put in place if these hashes are seen moving around a system or out of the network.
Procedures#
When staging a decoy system and user account, populate a user’s folders and web history to make it look realistic to an adversary. Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary.