title: Cisco Stage Data
id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
status: experimental
description: Various protocols maybe used to put data on the device for exfil or infil
references:
    - https://attack.mitre.org/techniques/T1074/
    - https://attack.mitre.org/techniques/T1105/
    - https://attack.mitre.org/techniques/T1498/
    - https://attack.mitre.org/techniques/T1002/
author: Austin Clark
date: 2019/08/12
tags:
    - attack.collection
    - attack.lateral_movement
    - attack.command_and_control
    - attack.exfiltration
    - attack.impact
    - attack.t1074
    - attack.t1105
    - attack.t1492
    - attack.t1002
    - attack.t1560
    - attack.t1565.001
logsource:
    product: cisco
    service: aaa
    category: accounting
fields:
    - CmdSet
detection:
    keywords:
        - 'tftp'
        - 'rcp'
        - 'puts'
        - 'copy'
        - 'configure replace'
        - 'archive tar'
    condition: keywords
falsepositives:
    - Generally used to copy configs or IOS images.
level: low