T1074: T1074

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1074
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Data Staged

Platforms

windows macos linux IaaS ESXi

Description

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017) In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

Mandiant M-Trends 2020
mitre-attack (T1074)
PWC Cloud Hopper April 2017

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (52)

Sapphire Werewolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group, Kimsuky uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Crimson Collective uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sea Turtle uses Teal KurmaCosmic Wolf

The MITRE Corporation Confidence 100

[Sea Turtle](https://attack.mitre.org/groups/G1041) is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. [Sea…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly uses BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Manticore uses COBALT MYSTIQUEHandala Hack

AlienVault Confidence 100

[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Stargazer Goblin uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAC-0173 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PhantomCaptcha uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INC Ransom uses GOLD IONIC

The MITRE Corporation Confidence 100

[INC Ransom](https://attack.mitre.org/groups/G1032) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://attack.mitre.org/software/S1139) that has been active since at least July 2023. [INC Ransom](https://attack.mitre.org/groups/G1032)…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 52

Wicked uses

Family
konlinesetupupdate_xa.exe uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sliver uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lorenz uses
OilRig uses
VBShower - S0442 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ImBetter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Dtrack uses
Snake Keylogger uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Tropidoor uses

Family
filecoauthx86.exe uses

Family
SolarMarker uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

25–36 of 80

Leveling Up with NightSpire Ransomware related

16 MITREs 1 Malware 2 Observables 1 APT
Supply Chain Attack: Malicious PyPI Packages related

12 MITREs 1 Observable 1 APT
CVE-2026-33017: How attackers compromised Langflow AI pipelines in … related

2 CVEs 9 MITREs 1 Observable
Punishing Owl Attacks Russia: A New Owl in … related

14 MITREs 1 Malware 7 Observables 1 APT
341 Malicious Clawed Skills Found by the Bot … related

12 MITREs 1 Malware 13 Observables 1 APT
Interlock Ransomware: New Techniques, Same Old Tricks related

1 CVE 10 MITREs 4 Malwares 8 Observables 1 APT
Weekly Threat Bulletin – January 28th, 2026 related

16 CVEs 20 MITREs 40 Malwares 37 Observables 1 APT
PurpleBravo’s Targeting of the IT Software Supply Chain related

20 MITREs 187 Observables 1 APT
Analyzing React2Shell Threat Actors related

10 CVEs 16 MITREs 2 Malwares 9 Observables
Inside DPRK Operations: New Infrastructure Uncovered Across Global … related

1 CVE 20 MITREs 6 Malwares 20 Observables 1 APT
Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities … related

16 MITREs 4 Malwares 19 Observables 1 APT
Arkanix Stealer: Newly discovered short term profit malware related

25 MITREs 2 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (63)

CVE-2023-1389 KEV targets

8.8 High

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Attack vector: Adjacent
Published: 01/05/2023
Modified: 21/12/2025

CVE-2025-61882 KEV targets

9.8 Critical

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. …

Attack vector: Network
Published: 06/10/2025
Modified: 21/12/2025

Modified

CVE-2025-49706 KEV targets

6.5 Medium

Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2025-29824 KEV targets

7.8 High

Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.

Attack vector: Local
Published: 08/04/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2025-61155 targets

5.5 Medium

The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process …

Attack vector: LOCAL
Published: 28/10/2025
Modified: 30/01/2026

Received

CVE-2025-53770 KEV targets

9.8 Critical

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …

Attack vector: Network
Published: 20/07/2025
Modified: 21/12/2025

Analyzed

CVE-2017-9841 KEV targets

9.8 Critical

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …

Attack vector: NETWORK
Complexity: LOW
Published: 27/06/2017
Modified: 22/04/2026

CWE-94

CVE-2022-41128 KEV targets

8.8 High

Microsoft Windows contains an unspecified vulnerability in the JScript9 scripting language which allows for remote code execution.

Attack vector: Network
Published: 08/11/2022
Modified: 14/01/2026

CVE-2025-49704 KEV targets

8.8 High

Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2026-0723 targets

7.4 High

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 …

Attack vector: NETWORK
Published: 22/01/2026
Modified: 28/01/2026

Received

CVE-2023-3730

targets

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

← Previous

Page / 6

25–36 of 63

Contact About Legal notice Privacy policy Terms of use

T1074: T1074

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (52)

Malware (80)

Reports (50)

Vulnerabilities (CVE) (63)