T1074: T1074

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1074
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Data Staged

Platforms

windows macos linux IaaS ESXi

Description

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017) In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

Mandiant M-Trends 2020
mitre-attack (T1074)
PWC Cloud Hopper April 2017

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (52)

Sapphire Werewolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group, Kimsuky uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Crimson Collective uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sea Turtle uses Teal KurmaCosmic Wolf

The MITRE Corporation Confidence 100

[Sea Turtle](https://attack.mitre.org/groups/G1041) is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. [Sea…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Manticore uses COBALT MYSTIQUEHandala Hack

AlienVault Confidence 100

[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Stargazer Goblin uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAC-0173 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PhantomCaptcha uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INC Ransom uses GOLD IONIC

The MITRE Corporation Confidence 100

[INC Ransom](https://attack.mitre.org/groups/G1032) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://attack.mitre.org/software/S1139) that has been active since at least July 2023. [INC Ransom](https://attack.mitre.org/groups/G1032)…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 52

Okiru uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CCminer uses
NightSpire uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TrollAgent uses

Family
Cobalt Strike uses

Family
VBCloud uses

Family
SHub Stealer uses

Family
Cobalt Strike - S0154 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Blue Locker uses

Family
CacheStore.exe uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
tericerit.exe uses

Family
Chrome password stealer uses

Family

← Previous

Page / 7

13–24 of 80

Leveling Up with NightSpire Ransomware related

16 MITREs 1 Malware 2 Observables 1 APT
Supply Chain Attack: Malicious PyPI Packages related

12 MITREs 1 Observable 1 APT
CVE-2026-33017: How attackers compromised Langflow AI pipelines in … related

2 CVEs 9 MITREs 1 Observable
Punishing Owl Attacks Russia: A New Owl in … related

14 MITREs 1 Malware 7 Observables 1 APT
341 Malicious Clawed Skills Found by the Bot … related

12 MITREs 1 Malware 13 Observables 1 APT
Interlock Ransomware: New Techniques, Same Old Tricks related

1 CVE 10 MITREs 4 Malwares 8 Observables 1 APT
Weekly Threat Bulletin – January 28th, 2026 related

16 CVEs 20 MITREs 40 Malwares 37 Observables 1 APT
PurpleBravo’s Targeting of the IT Software Supply Chain related

20 MITREs 187 Observables 1 APT
Analyzing React2Shell Threat Actors related

10 CVEs 16 MITREs 2 Malwares 9 Observables
Inside DPRK Operations: New Infrastructure Uncovered Across Global … related

1 CVE 20 MITREs 6 Malwares 20 Observables 1 APT
Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities … related

16 MITREs 4 Malwares 19 Observables 1 APT
Arkanix Stealer: Newly discovered short term profit malware related

25 MITREs 2 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (63)

CVE-2023-38606 KEV targets

5.5 Medium

Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability allowing an app to modify a sensitive kernel state.

Attack vector: Local
Published: 26/07/2023
Modified: 21/12/2025

CVE-2025-5777 KEV targets

9.3 Critical

Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread …

Attack vector: Network
Published: 10/07/2025
Modified: 21/12/2025

Received

CVE-2022-24847 targets

7.2 High

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security …

Attack vector: NETWORK
Published: 14/04/2022
Modified: 21/12/2025

CVE-2023-3728

targets

CVE-2026-33017 KEV targets

9.3 Critical

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows …

Attack vector: Network
Complexity: Low
Published: 20/03/2026
Modified: 23/05/2026

CWE-94 Awaiting Analysis

CVE-2023-36884 KEV targets

7.5 High

Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a …

Attack vector: Network
Published: 17/07/2023
Modified: 27/05/2026

CVE-2023-38831 KEV targets

7.8 High

RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file …

Attack vector: Local
Published: 24/08/2023
Modified: 27/05/2026

CVE-2025-53771 targets

6.5 Medium

Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …

Attack vector: NETWORK
Published: 21/07/2025
Modified: 21/12/2025

Received

CVE-2023-3466 targets

8.3 High

Reflected Cross-Site Scripting (XSS)

Attack vector: NETWORK
Published: 19/07/2023
Modified: 21/12/2025

CVE-2023-22518 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …

Attack vector: Network
Published: 07/11/2023
Modified: 21/12/2025

CVE-2023-35078

targets

CVE-2023-20862

targets

← Previous

Page / 6

37–48 of 63

Contact About Legal notice Privacy policy Terms of use

T1074: T1074

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (52)

Malware (80)

Reports (50)

Vulnerabilities (CVE) (63)