-
Notifications
You must be signed in to change notification settings - Fork 6
/
attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c.json
35 lines (35 loc) · 2.3 KB
/
attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
{
"created": "2020-03-13T21:13:10.467Z",
"modified": "2020-05-26T19:23:54.854Z",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"type": "attack-pattern",
"id": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c",
"description": "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.",
"name": "Local Data Staging",
"created_by_ref": "The MITRE Corporation",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1074.001",
"url": "https://attack.mitre.org/techniques/T1074/001"
}
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_data_sources": [
"Process command-line parameters",
"Process monitoring",
"File monitoring"
],
"x_mitre_detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
"x_mitre_is_subtechnique": true,
"x_mitre_version": "1.0"
}