EXPLORE

← Back to Explore

T1074.001

Local Data Staging

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. Adversaries may also stage collected data in vari...

ESXiLinuxmacOSWindows

10

Detections

3

Sources

27

Threat Actors

BY SOURCE

5elastic4sigma1splunk_escu

PROCEDURES (6)

Powershell3 detections

Auto-extracted: 3 detections for powershell

Powershell2 detections

Auto-extracted: 2 detections for powershell

Credential2 detections

Auto-extracted: 2 detections for credential

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

DETECTIONS (10)

Data Encrypted via OpenSSL Utility

Discovery Command Output Written to Suspicious File

Exchange Mailbox Export via PowerShell

Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

Potential OpenSSH Backdoor Logging Activity

Sensitive File Access followed by Compression

Shai-Hulud 2 Exfiltration Artifact Files

Zip A Folder With PowerShell For Staging In Temp - PowerShell Module

Zip A Folder With PowerShell For Staging In Temp - PowerShell

Zip A Folder With PowerShell For Staging In Temp - PowerShell Script