Technique on mitre.org

T1074.001: Local Data Staging

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mssql_database: PT-CR-408: MSSQL_Create_File_In_System: An attempt to create a file on a hard disk using a database mitre_attck_collection: PT-CR-661: Data_Compression: A user archived data using a utility or PowerShell cmdlet clickhouse: PT-CR-1568: ClickHouse_Outfile_Query: An attempt to upload data from a table to a file is detected

Detection

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Modification	Description	Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

ID	DS0022	Data source and component	File: File Creation	Description	Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.

ID	DS0022	Data source and component	File: File Access	Description	Monitor processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.

ID	Data source and component	Description
DS0024	Windows Registry: Windows Registry Key Modification	Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
DS0017	Command: Command Execution	Monitor executed commands and arguments arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.
DS0022	File: File Creation	Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.
DS0022	File: File Access	Monitor processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib.