T1074: T1074

Search IOCs, vulnerabilities, APT…

216.73.217.98

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1074
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Data Staged

Platforms

windows macos linux IaaS ESXi

Description

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017) In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

Mandiant M-Trends 2020
mitre-attack (T1074)
PWC Cloud Hopper April 2017

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (52)

Sapphire Werewolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group, Kimsuky uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Crimson Collective uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sea Turtle uses Teal KurmaCosmic Wolf

The MITRE Corporation Confidence 100

[Sea Turtle](https://attack.mitre.org/groups/G1041) is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. [Sea…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Manticore uses COBALT MYSTIQUEHandala Hack

AlienVault Confidence 100

[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Stargazer Goblin uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAC-0173 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PhantomCaptcha uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INC Ransom uses GOLD IONIC

The MITRE Corporation Confidence 100

[INC Ransom](https://attack.mitre.org/groups/G1032) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://attack.mitre.org/software/S1139) that has been active since at least July 2023. [INC Ransom](https://attack.mitre.org/groups/G1032)…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 52

Mirai uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cthulhu Stealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
AmateraStealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kevin uses
Mimilite uses
ThiefQuest - S0595 uses

Family
zOMiner uses
SectopRAT uses

Family
MgBot uses

Family
VIPKeyLogger uses

Family
Margulas uses
Proton - S0279 uses

Family

← Previous

Page / 7

1–12 of 80

Leveling Up with NightSpire Ransomware related

16 MITREs 1 Malware 2 Observables 1 APT
Supply Chain Attack: Malicious PyPI Packages related

12 MITREs 1 Observable 1 APT
CVE-2026-33017: How attackers compromised Langflow AI pipelines in … related

2 CVEs 9 MITREs 1 Observable
Punishing Owl Attacks Russia: A New Owl in … related

14 MITREs 1 Malware 7 Observables 1 APT
341 Malicious Clawed Skills Found by the Bot … related

12 MITREs 1 Malware 13 Observables 1 APT
Interlock Ransomware: New Techniques, Same Old Tricks related

1 CVE 10 MITREs 4 Malwares 8 Observables 1 APT
Weekly Threat Bulletin – January 28th, 2026 related

16 CVEs 20 MITREs 40 Malwares 37 Observables 1 APT
PurpleBravo’s Targeting of the IT Software Supply Chain related

20 MITREs 187 Observables 1 APT
Analyzing React2Shell Threat Actors related

10 CVEs 16 MITREs 2 Malwares 9 Observables
Inside DPRK Operations: New Infrastructure Uncovered Across Global … related

1 CVE 20 MITREs 6 Malwares 20 Observables 1 APT
Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities … related

16 MITREs 4 Malwares 19 Observables 1 APT
Arkanix Stealer: Newly discovered short term profit malware related

25 MITREs 2 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (63)

CVE-2022-47945 targets

9.8 Critical

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated …

Attack vector: NETWORK
Published: 23/12/2022
Modified: 19/01/2026

CVE-2023-22018

targets

CVE-2023-38408

targets

CVE-2023-26119

targets

CVE-2023-3727

targets

CVE-2024-7344 targets

8.2 High

Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path.

Attack vector: LOCAL
Published: 14/01/2025
Modified: 21/12/2025

Analyzed

CVE-2019-9082 KEV targets

ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-13928 targets

7.5 High

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 …

Attack vector: NETWORK
Published: 22/01/2026
Modified: 28/01/2026

Received

CVE-2025-66478 targets

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published: 20/12/2025
Modified: 21/12/2025

Rejected

CVE-2025-27920 KEV targets

7.2 High

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, …

Attack vector: Network
Published: 19/05/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2022-45788

targets

CVE-2025-31125 KEV targets

5.3 Medium

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing …

Attack vector: Network
Published: 31/03/2025
Modified: 28/01/2026

Awaiting Analysis

← Previous

Page / 6

49–60 of 63

Contact About Legal notice Privacy policy Terms of use

T1074: T1074

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (52)

Malware (80)

Reports (50)

Vulnerabilities (CVE) (63)