Esc
Local Data Staging - T1074.001

(ATT&CK® Technique)
Definition

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1074001["Local Data Staging"] --> |may-create| File["File"]; class T1074001 OffensiveTechniqueNode;
        class File ArtifactNode; click File href "/dao/artifact/d3f:File";
        click T1074001 href "/offensive-technique/attack/T1074.001/"; click File href "/dao/artifact/d3f:File"; T1074001["Local Data Staging"] --> |may-invoke| CreateFile["Create File"]; class T1074001 OffensiveTechniqueNode;
        class CreateFile ArtifactNode; click CreateFile href "/dao/artifact/d3f:CreateFile";
        click T1074001 href "/offensive-technique/attack/T1074.001/"; click CreateFile href "/dao/artifact/d3f:CreateFile";               T1074001["Local Data Staging"] --> |reads| Resource["Resource"]; class T1074001 OffensiveTechniqueNode;
        class Resource ArtifactNode; click Resource href "/dao/artifact/d3f:Resource";
        click T1074001 href "/offensive-technique/attack/T1074.001/"; click Resource href "/dao/artifact/d3f:Resource";            RestoreFile["Restore File"] -->
          | restores | File["File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1074001["Local Data Staging"] ;
          class RestoreFile DefensiveTechniqueNode;
          class File ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile"; FileCreationAnalysis["File Creation Analysis"] -->
          | analyzes | CreateFile["Create File"];

          FileCreationAnalysis["File Creation Analysis"] -.->
            | may-detect | T1074001["Local Data Staging"] ;
          class FileCreationAnalysis DefensiveTechniqueNode;
          class CreateFile ArtifactNode;
          click FileCreationAnalysis href "/technique/d3f:FileCreationAnalysis";                           SystemCallAnalysis["System Call Analysis"] -->
          | analyzes | CreateFile["Create File"];

          SystemCallAnalysis["System Call Analysis"] -.->
            | may-detect | T1074001["Local Data Staging"] ;
          class SystemCallAnalysis DefensiveTechniqueNode;
          class CreateFile ArtifactNode;
          click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | File["File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1074001["Local Data Staging"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";                           FileEviction["File Eviction"] -->
          | deletes | File["File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1074001["Local Data Staging"] ;
          class FileEviction DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
          | encrypts | File["File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1074001["Local Data Staging"] ;
          class FileEncryption DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";                           LocalFilePermissions["Local File Permissions"] -->
          | restricts | File["File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1074001["Local Data Staging"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class File ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";              SystemCallFiltering["System Call Filtering"] -->
          | filters | CreateFile["Create File"];

          SystemCallFiltering["System Call Filtering"] -.->
            | may-isolate | T1074001["Local Data Staging"] ;
          class SystemCallFiltering DefensiveTechniqueNode;
          class CreateFile ArtifactNode;
          click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";          DecoyFile["Decoy File"] -->
          | spoofs | File["File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1074001["Local Data Staging"] ;
          class DecoyFile DefensiveTechniqueNode;
          class File ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";                  FileAnalysis["File Analysis"] -->
          | analyzes | File["File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1074001["Local Data Staging"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";              RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | File["File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1074001["Local Data Staging"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class File ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";
json