Local Data Staging
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.
Open detection, hunting, mitigation, and evidence workspace
Detection logic
Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell. Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.
Observed actors
G0119GALLIUM
G0093APT3
G0022Kimsuky
G0094Volt Typhoon
G1017Patchwork
G0040Dragonfly
G0035menuPass
G0045MuddyWater
G0069FIN6
G0037TeamTNT
G0139Machete
G0095Sidewinder
G0121Mustang Panda
G0129APT39
G0087Leviathan
G0065FIN5
G0053Chimera
G0114TEMP.Veles
G0088BackdoorDiplomacy
G0135Agrius
G1030APT28
G0007APT5
G1023Lazarus Group
G0032Wizard Spider
G0102Threat Group-3390
G0027FIN13
G1016
Correlated CTI and IR reports
Israel Threat Actors CTI · explicit report mentionAPT41 Targeting Pharmaceutical Sector: Log4Shell to Domain Compromise
1200km CTI repository · explicit report mentionAttack Playbook — Operation DragonRx
1200km CTI repository · explicit report mentionOperation DragonRx — APT41 Full Attack Simulation
1200km CTI repository · explicit report mentionOperation DragonRx: Simulating an APT41 Attack End-to-End — From Log4Shell to DFIR and Malware Analysis
1200km CTI repository · explicit report mentionAPT41 Targeting Pharmaceutical Sector Log4Shell to Domain Compromise
1200km Medium · authored report mentionAttack Playbook Operation DragonRx
1200km Medium · authored report mentionCorrelation Based Detection Rules in Cybersecurity From Atomic Events to Behavioral Insight
1200km Medium · authored report mentionOperation DragonRx Simulating an APT41 Attack End to End From Log4Shell to DFIR and Malware
1200km Medium · authored report mention