Attack: Data Staged: Local Data Staging
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
MITRE
Tactic
- collection
Technique
- T1074.001
Test : Zip a Folder with PowerShell for Staging in Temp
OS
- windows
Description:
Use living-off-the-land tooling (the built-in Compress-Archive cmdlet) to zip a folder and stage the archive in the Windows temporary folder for later exfiltration. Upon execution, verify that a zip file named Folder_to_zip.zip was placed in the temp directory.
Executor
powershell
Sigma Rule
- proc_creation_win_powershell_zip_compress.yml (id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98)
- posh_pm_susp_zip_compress.yml (id: daf7eb81-35fd-410d-9d7a-657837e602bb)
- posh_ps_susp_zip_compress.yml (id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9)
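The following is an added example of the staging step described above, written here for this page; it is not the Atomic Red Team test's own command and not part of the Sigma rules. It builds a constructed folder with sample files, compresses it into $env:TEMP\Folder_to_zip.zip with Compress-Archive, performs the verification the test description asks for, and then checks whether the PowerShell Operational log recorded a 4104 script-block event for the cmdlet call. The folder name, file names and file contents are assumptions chosen for the demonstration.

```powershell
# Added example (not the Atomic Red Team test command): stage a folder as a zip in
# %TEMP% using the built-in Compress-Archive cmdlet, then verify the artifact and the
# telemetry. Folder and file contents below are constructed for this demonstration.

$staging = Join-Path $env:TEMP 'Folder_to_zip'       # constructed folder to "collect"
$archive = Join-Path $env:TEMP 'Folder_to_zip.zip'   # artifact the test checks for
$start   = Get-Date                                   # used to scope the event search

# Build something worth collecting so the archive is non-empty (constructed data).
New-Item -ItemType Directory -Path $staging -Force | Out-Null
'user=alice;password=hunter2' | Set-Content (Join-Path $staging 'creds.txt')
'host,ip' , 'fileserver01,10.0.0.5' | Set-Content (Join-Path $staging 'hosts.csv')

# The living-off-the-land step: a stock cmdlet writing into the temp folder.
# -Force overwrites an archive left behind by an earlier run.
Compress-Archive -Path $staging -DestinationPath $archive -Force

# Verification the test description calls for.
if (Test-Path $archive) {
    $size = (Get-Item $archive).Length
    Write-Host "OK: $archive staged ($size bytes)"
} else {
    Write-Error "Archive was not created at $archive"
}

# Telemetry check: did script block logging (Event ID 4104) capture the cmdlet call?
# Returns nothing if script block logging is not enabled on this host.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $start
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Compress-Archive' }

if ($events) {
    Write-Host "Script block logging recorded $($events.Count) matching 4104 event(s)"
} else {
    Write-Warning 'No 4104 event with Compress-Archive found; check PowerShell logging policy'
}

# Cleanup so repeated runs start from a known state.
Remove-Item $staging, $archive -Recurse -Force -ErrorAction SilentlyContinue
```

The three rules listed above watch different data sources, which matters when validating coverage. The proc_creation rule only fires if "Compress-Archive" appears in the command line of the powershell.exe process itself (for example when another process launches powershell.exe -Command "Compress-Archive ..."); a cmdlet typed into an existing session or run from a .ps1 file never shows up in a process-creation event. The posh_pm and posh_ps rules instead depend on PowerShell module logging (Event ID 4103) and script block logging (Event ID 4104) being enabled, so if the telemetry check in the example finds nothing, the gap is in logging policy rather than in the rules.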