Find sigma rule

Attack: Data Staged: Local Data Staging

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)

MITRE

Tactic

collection

technique

T1074.001

Test : Stage data from Discovery.bat

OS

windows

Description:

Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution, verify that the file is saved in the temp directory.

Executor

powershell

Sigma Rule

posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)
file_event_win_hktl_powerup_dllhijacking.yml (id: 602a1f13-c640-4d73-b053-be9a2fa58b96)
net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test