T1074.002: Remote Data Staging

Data from MITRE ATT&CK®:

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.(Citation: Mandiant M-Trends 2020)

By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

File Access (File)

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

File Creation (File)

Initial construction of a new file (ex: Sysmon EID 11)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )