Data Staged - T1074
(ATT&CK® Technique)
Definition
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
D3FEND Inferred Relationships
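Browse the D3FEND knowledge graph by clicking on the nodes below. The defensive techniques shown are inferred through the digital artifacts they share with this technique (Resource, File, Create File, Network Resource), so each "may-" edge marks a candidate countermeasure to evaluate in your environment rather than a confirmed one.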
graph LR;
    %% D3FEND inferred-relationship graph for ATT&CK technique T1074 (Data Staged).
    %% Solid edges link a technique to the digital artifact it acts on;
    %% dotted edges are the inferred "may-" relationships between a defensive
    %% technique and T1074 that follow from a shared artifact.

    %% Node declarations, in order of first appearance
    T1074["Data Staged"];
    Resource["Resource"];
    File["File"];
    CreateFile["Create File"];
    NetworkResource["Network Resource"];
    FileEncryption["File Encryption"];
    NetworkResourceAccessMediation["Network Resource Access Mediation"];
    SystemCallFiltering["System Call Filtering"];
    LocalFilePermissions["Local File Permissions"];
    DecoyNetworkResource["Decoy Network Resource"];
    DecoyFile["Decoy File"];
    FileIntegrityMonitoring["File Integrity Monitoring"];
    SystemCallAnalysis["System Call Analysis"];
    RestoreFile["Restore File"];
    FileEviction["File Eviction"];
    RemoteFileAccessMediation["Remote File Access Mediation"];
    FileAnalysis["File Analysis"];
    FileCreationAnalysis["File Creation Analysis"];

    %% Offensive technique -> artifacts it touches
    T1074 --> |reads| Resource;
    T1074 --> |may-create| File;
    T1074 --> |may-invoke| CreateFile;
    T1074 --> |modifies| NetworkResource;

    %% Defensive technique -> artifact (solid), then inferred effect on T1074 (dotted)
    FileEncryption --> | encrypts | File;
    FileEncryption -.-> | may-harden | T1074;
    NetworkResourceAccessMediation --> | isolates | NetworkResource;
    NetworkResourceAccessMediation -.-> | may-isolate | T1074;
    SystemCallFiltering --> | filters | CreateFile;
    SystemCallFiltering -.-> | may-isolate | T1074;
    LocalFilePermissions --> | restricts | File;
    LocalFilePermissions -.-> | may-isolate | T1074;
    DecoyNetworkResource --> | spoofs | NetworkResource;
    DecoyNetworkResource -.-> | may-deceive | T1074;
    DecoyFile --> | spoofs | File;
    DecoyFile -.-> | may-deceive | T1074;
    FileIntegrityMonitoring --> | analyzes | File;
    FileIntegrityMonitoring -.-> | may-detect | T1074;
    SystemCallAnalysis --> | analyzes | CreateFile;
    SystemCallAnalysis -.-> | may-detect | T1074;
    RestoreFile --> | restores | File;
    RestoreFile -.-> | may-restore | T1074;
    FileEviction --> | deletes | File;
    FileEviction -.-> | may-evict | T1074;
    RemoteFileAccessMediation --> | isolates | File;
    RemoteFileAccessMediation -.-> | may-isolate | T1074;
    FileAnalysis --> | analyzes | File;
    FileAnalysis -.-> | may-detect | T1074;
    FileCreationAnalysis --> | analyzes | CreateFile;
    FileCreationAnalysis -.-> | may-detect | T1074;

    %% Styling classes: one offensive node, four artifact nodes, the rest defensive
    class T1074 OffensiveTechniqueNode;
    class Resource,File,CreateFile,NetworkResource ArtifactNode;
    class FileEncryption,NetworkResourceAccessMediation,SystemCallFiltering,LocalFilePermissions DefensiveTechniqueNode;
    class DecoyNetworkResource,DecoyFile,FileIntegrityMonitoring,SystemCallAnalysis DefensiveTechniqueNode;
    class RestoreFile,FileEviction,RemoteFileAccessMediation,FileAnalysis,FileCreationAnalysis DefensiveTechniqueNode;

    %% Click targets into the knowledge graph
    click T1074 href "/offensive-technique/attack/T1074/";
    click Resource href "/dao/artifact/d3f:Resource";
    click File href "/dao/artifact/d3f:File";
    click CreateFile href "/dao/artifact/d3f:CreateFile";
    click NetworkResource href "/dao/artifact/d3f:NetworkResource";
    click FileEncryption href "/technique/d3f:FileEncryption";
    click NetworkResourceAccessMediation href "/technique/d3f:NetworkResourceAccessMediation";
    click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";
    click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
    click DecoyNetworkResource href "/technique/d3f:DecoyNetworkResource";
    click DecoyFile href "/technique/d3f:DecoyFile";
    click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";
    click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis";
    click RestoreFile href "/technique/d3f:RestoreFile";
    click FileEviction href "/technique/d3f:FileEviction";
    click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";
    click FileAnalysis href "/technique/d3f:FileAnalysis";
    click FileCreationAnalysis href "/technique/d3f:FileCreationAnalysis";