T1074.001 · SubTechnique · collection · agent-callable

T1074.001 Local Data Staging

Sub-technique of T1074

Platforms: Linux · macOS · Windows

ATT&CK version: 14.1

What it is

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry. (Citation: Prevailion DarkWatchman 2021)

ATT&CK tactics · 1

Collection

References

  1. https://attack.mitre.org/techniques/T1074/001
  2. https://www.prevailion.com/darkwatchman-new-fileless-techniques/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.