T1074

Data Staged

Adversaries may stage collected data in a central location or directory prior to exfiltration. Data may be kept in separate files or combined into one file through archiving techniques. Adversaries choose staging to minimize the number of connections made to their C2 server and better evade detection. Staging locations are commonly temp directories, user profile folders, or hidden directories. In cloud environments, adversaries may stage data within a particular instance before exfiltration.

Microsoft Sentinel / Defender

kusto

let StagingPaths = dynamic([
  "\\Temp\\", "\\tmp\\", "\\AppData\\Local\\Temp\\",
  "\\AppData\\Roaming\\", "\\ProgramData\\",
  "\\Users\\Public\\", "\\Windows\\Temp\\"
]);
let StagingExtensions = dynamic([".zip", ".7z", ".rar", ".tar", ".gz", ".cab", ".iso"]);
let BulkCopyProcesses = dynamic(["robocopy.exe", "xcopy.exe", "copy", "cp", "rsync"]);
// Branch 1: Bulk file creation events in staging paths
let BulkFileStaging =
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (StagingPaths)
| summarize FileCount=count(), Extensions=make_set(tolower(tostring(split(FileName, ".")[-1]))), FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath
| where FileCount >= 10
| extend StagingType="BulkFileStaging"
| project Timestamp=LastSeen, DeviceName, AccountName=InitiatingProcessAccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    FolderPath, FileCount, Extensions, StagingType;
// Branch 2: Archive files created in staging paths
let ArchiveStaging =
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath has_any (StagingPaths)
| where FileName has_any (StagingExtensions)
| extend StagingType="ArchiveCreated"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    FolderPath, FileName, StagingType;
// Branch 3: Bulk copy commands executed
let BulkCopyStaging =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("robocopy.exe", "xcopy.exe", "cmd.exe", "powershell.exe")
| where ProcessCommandLine has_any ("robocopy", "xcopy", "copy /", "Copy-Item", "cp -r")
    and ProcessCommandLine has_any (StagingPaths)
| extend StagingType="BulkCopyCommand"
| project Timestamp, DeviceName, AccountName, FileName,
    ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
    StagingType;
union BulkFileStaging, ArchiveStaging, BulkCopyStaging
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Software installation processes that extract files to temp directories during setup (installers, MSI packages)
Backup agents (Veeam, Backup Exec, Windows Backup) that stage files before writing to backup media
Software deployment tools (SCCM, Intune) copying update packages to staging directories
Log aggregation tools that collect and consolidate logs into a single directory for shipping
Developers using robocopy/xcopy in legitimate build scripts or deployment pipelines

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
  (EventCode=11
    (TargetFilename="*\\Temp\\*" OR TargetFilename="*\\tmp\\*" OR TargetFilename="*\\AppData\\Local\\Temp\\*"
     OR TargetFilename="*\\Users\\Public\\*" OR TargetFilename="*\\ProgramData\\*" OR TargetFilename="*\\Windows\\Temp\\*")
  )
  OR
  (EventCode=1
    (CommandLine="*robocopy*" OR CommandLine="*xcopy*" OR CommandLine="*copy /*" OR CommandLine="*Copy-Item*")
    (CommandLine="*\\Temp\\*" OR CommandLine="*\\tmp\\*" OR CommandLine="*\\Public\\*" OR CommandLine="*\\ProgramData\\*")
  )
)
| eval StagingType=case(
    EventCode=11 AND match(TargetFilename, "(?i)\.(zip|7z|rar|tar|gz|cab|iso)$"), "ArchiveCreated",
    EventCode=11, "FileCreatedInStagingPath",
    EventCode=1 AND match(CommandLine, "(?i)(robocopy|xcopy)"), "BulkCopyCommand",
    EventCode=1, "ScriptedCopy",
    true(), "Unknown"
  )
| eval StagingPath=coalesce(TargetFilename, CommandLine)
| eval Actor=coalesce(User, user)
| stats count as EventCount,
    values(StagingType) as StagingTypes,
    values(StagingPath) as StagingPaths,
    dc(TargetFilename) as UniqueFiles,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by host, Actor, Image, CommandLine
| where EventCount >= 5 OR (StagingTypes="ArchiveCreated")
| eval DurationSecs=LastSeen-FirstSeen
| eval IsRapidStaging=if(DurationSecs < 300 AND EventCount >= 10, 1, 0)
| sort - EventCount
| table _time, host, Actor, Image, CommandLine, StagingTypes, EventCount, UniqueFiles, DurationSecs, IsRapidStaging, FirstSeen, LastSeen

high severity medium confidence

Data Sources

File: File Creation Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Software installation processes that extract files to temp directories during setup (installers, MSI packages)
Backup agents (Veeam, Backup Exec, Windows Backup) that stage files before writing to backup media
Software deployment tools (SCCM, Intune) copying update packages to staging directories
Log aggregation tools that collect and consolidate logs into a single directory for shipping
Developers using robocopy/xcopy in legitimate build scripts or deployment pipelines

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  sourceip AS HostIP,
  QIDNAME(qid) AS EventName,
  username AS Actor,
  "TargetFilename" AS StagingPath,
  "Image" AS InitiatingProcess,
  "CommandLine" AS ProcessCommandLine,
  CASE
    WHEN LOWER("TargetFilename") MATCHES '.*\.(zip|7z|rar|tar|gz|cab|iso)$' THEN 'ArchiveCreated'
    WHEN "CommandLine" IMATCHES '.*(robocopy|xcopy).*' THEN 'BulkCopyCommand'
    WHEN "EventID" = '11' THEN 'FileCreatedInStagingPath'
    ELSE 'StagedActivity'
  END AS StagingType,
  COUNT(*) AS EventCount
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 101, 143)
  AND devicetime > NOW() - 86400000
  AND (
    (
      "EventID" = '11'
      AND (
        "TargetFilename" IMATCHES '.*\\(Temp|tmp|AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\.*'
      )
    )
    OR (
      "EventID" = '1'
      AND (
        "CommandLine" IMATCHES '.*(robocopy|xcopy|copy /|Copy-Item|cp -r).*'
        AND "CommandLine" IMATCHES '.*\\(Temp|tmp|Public|ProgramData)\\.*'
      )
    )
  )
GROUP BY
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm'),
  logsourceid,
  sourceip,
  username,
  "TargetFilename",
  "Image",
  "CommandLine",
  "EventID"
HAVING EventCount >= 5
ORDER BY EventCount DESC

medium severity medium confidence

Data Sources

IBM QRadar SIEM with Windows Sysmon DSM QRadar Windows Security Event Log DSM Microsoft Windows Sysmon log source

Required Tables

events

False Positives

Automated patch management tools (SCCM, Intune, WSUS) staging installation packages in ProgramData or Windows\Temp prior to deployment across endpoints
Antivirus or EDR solutions quarantining or scanning files by copying them to temporary staging directories during threat investigation
Legitimate archive creation by compression tools (7-Zip, WinRAR) used for routine file transfer or backup purposes, particularly by IT staff or file server processes

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| where EventID in ("1", "11")
| parse field=Message "TargetFilename: *\n" as TargetFilename nodrop
| parse field=Message "CommandLine: *\n" as CommandLine nodrop
| parse field=Message "Image: *\n" as Image nodrop
| parse field=Message "User: *\n" as Actor nodrop
| parse field=Message "Computer: *\n" as ComputerName nodrop
| where (
    (EventID == "11" and (
      TargetFilename matches "*\\Temp\\*" or
      TargetFilename matches "*\\tmp\\*" or
      TargetFilename matches "*\\AppData\\Local\\Temp\\*" or
      TargetFilename matches "*\\AppData\\Roaming\\*" or
      TargetFilename matches "*\\ProgramData\\*" or
      TargetFilename matches "*\\Users\\Public\\*" or
      TargetFilename matches "*\\Windows\\Temp\\*"
    ))
    or
    (EventID == "1" and (
      (CommandLine matches "*robocopy*" or CommandLine matches "*xcopy*" or
       CommandLine matches "*copy /*" or CommandLine matches "*Copy-Item*") and
      (CommandLine matches "*\\Temp\\*" or CommandLine matches "*\\tmp\\*" or
       CommandLine matches "*\\Public\\*" or CommandLine matches "*\\ProgramData\\*")
    ))
  )
| eval StagingType = if(EventID == "11" and
    (TargetFilename matches "*.zip" or TargetFilename matches "*.7z" or
     TargetFilename matches "*.rar" or TargetFilename matches "*.tar" or
     TargetFilename matches "*.gz" or TargetFilename matches "*.cab" or
     TargetFilename matches "*.iso"),
    "ArchiveCreated",
    if(EventID == "11", "FileCreatedInStagingPath",
    if(CommandLine matches "*robocopy*" or CommandLine matches "*xcopy*",
       "BulkCopyCommand", "ScriptedCopy")))
| eval StagingPath = if(EventID == "11", TargetFilename, CommandLine)
| timeslice 1h
| stats count as EventCount,
        values(StagingType) as StagingTypes,
        values(StagingPath) as StagingPaths,
        dcount(TargetFilename) as UniqueFiles,
        min(_messagetime) as FirstSeen,
        max(_messagetime) as LastSeen
        by _timeslice, ComputerName, Actor, Image, CommandLine
| where EventCount >= 5 or StagingTypes contains "ArchiveCreated"
| eval DurationSecs = (LastSeen - FirstSeen) / 1000
| eval IsRapidStaging = if(DurationSecs < 300 and EventCount >= 10, 1, 0)
| sort by EventCount desc
| fields _timeslice, ComputerName, Actor, Image, CommandLine, StagingTypes, EventCount, UniqueFiles, DurationSecs, IsRapidStaging

medium severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Sysmon source Sumo Logic Cloud-to-Cloud Microsoft Windows Event Log source

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Software deployment automation platforms (Ansible, Chef, Puppet) staging configuration or installation files in ProgramData or Temp directories during managed system configuration
Database backup utilities creating compressed archive files (.zip, .tar.gz) in ProgramData or Temp directories as part of scheduled backup routines
IT helpdesk or remote support tools (TeamViewer, ConnectWise, AnyDesk) that stage diagnostic files, logs, or remote session artifacts in AppData or Temp directories

Google Chronicle / SecOps

yaral

rule t1074_data_staged_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1074 data staging: bulk file creation or archive creation in common staging paths, and bulk copy commands targeting staging locations"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1074"
    mitre_attack_sub_technique = ""
    severity = "MEDIUM"
    priority = "MEDIUM"
    version = "1.0"

  events:
    (
      // Branch 1: Archive file creation in staging directories
      $e1.metadata.event_type = "FILE_CREATION"
      $e1.principal.hostname = $hostname
      $e1.principal.user.userid = $userid
      (
        re.regex($e1.target.file.full_path, `(?i)\\(Temp|tmp|AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\`)
      )
      (
        re.regex($e1.target.file.full_path, `(?i)\.(zip|7z|rar|tar|gz|cab|iso)$`)
      )
    )
    OR
    (
      // Branch 2: Bulk copy process targeting staging paths
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      $e1.principal.hostname = $hostname
      $e1.principal.user.userid = $userid
      (
        re.regex($e1.target.process.command_line, `(?i)(robocopy|xcopy|copy\s+/|Copy-Item|cp\s+-r)`)
      )
      (
        re.regex($e1.target.process.command_line, `(?i)\\(Temp|tmp|Public|ProgramData)\\`)
      )
    )

  match:
    $hostname, $userid over 10m

  outcome:
    $risk_score = max(
      if($e1.metadata.event_type = "FILE_CREATION", 50, 70)
    )
    $staging_path = array_distinct($e1.target.file.full_path)
    $process_name = array_distinct($e1.target.process.file.full_path)
    $command_line = array_distinct($e1.target.process.command_line)
    $event_count = count_distinct($e1.metadata.id)

  condition:
    $e1
}

medium severity medium confidence

Data Sources

Google Chronicle SIEM with Windows Sysmon UDM ingestion Chronicle Unified Data Model (UDM) with endpoint telemetry Chronicle Google Workspace activity (for cloud staging variant)

Required Tables

UDM events (FILE_CREATION, PROCESS_LAUNCH)

False Positives

Enterprise software packaging workflows where administrators use robocopy or xcopy to distribute application packages to staging directories on endpoints before installation
Endpoint security or DLP agents that create archive snapshots of monitored directories in Temp or AppData for forensic preservation or policy enforcement
Cloud sync clients (OneDrive, Google Drive, Dropbox) staging large file sets in AppData\Roaming or AppData\Local\Temp before uploading to cloud storage

CrowdStrike LogScale (CQL)

cql

// Branch 1: Archive file creation in staging paths (Sysmon-equivalent via Falcon)
#event_simpleName=MotionCaptureFile OR #event_simpleName=NewExecutableWritten
| TargetFileName = /(?i)\\(Temp|tmp|AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\/
| TargetFileName = /(?i)\.(zip|7z|rar|tar\.gz|tar|gz|cab|iso)$/
| rename(field=UserName, as=Actor)
| rename(field=ComputerName, as=Hostname)
| groupBy([Hostname, Actor, ParentBaseFileName, CommandLine], function=[
    count(as=EventCount),
    collect(TargetFileName, as=StagingPaths, limit=20),
    min(timestamp, as=FirstSeen),
    max(timestamp, as=LastSeen)
  ])
| EventCount := EventCount
| StagingType := "ArchiveCreated"
| sort(EventCount, order=desc)

// Branch 2: Bulk copy processes targeting staging directories
OR
#event_simpleName=ProcessRollup2
| FileName in ["robocopy.exe", "xcopy.exe", "cmd.exe", "powershell.exe"]
| CommandLine = /(?i)(robocopy|xcopy|copy\s+\/|Copy-Item|cp\s+-r)/
| CommandLine = /(?i)\\(Temp|tmp|Public|ProgramData)\\/
| rename(field=UserName, as=Actor)
| rename(field=ComputerName, as=Hostname)
| groupBy([Hostname, Actor, FileName, CommandLine], function=[
    count(as=EventCount),
    min(timestamp, as=FirstSeen),
    max(timestamp, as=LastSeen)
  ])
| StagingType := "BulkCopyCommand"
| sort(EventCount, order=desc)

// Branch 3: High-volume file writes to staging paths within short window
| union
(
  #event_simpleName=MotionCaptureFile
  | TargetFileName = /(?i)\\(Temp|tmp|AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\/
  | rename(field=UserName, as=Actor)
  | rename(field=ComputerName, as=Hostname)
  | groupBy([Hostname, Actor, ParentBaseFileName, CommandLine], function=[
      count(as=EventCount),
      collect(TargetFileName, as=StagingPaths, limit=50),
      min(timestamp, as=FirstSeen),
      max(timestamp, as=LastSeen)
    ])
  | EventCount > 10
  | DurationSecs := (LastSeen - FirstSeen) / 1000
  | IsRapidStaging := if(DurationSecs < 300 AND EventCount >= 10, true(), false())
  | StagingType := "BulkFileStaging"
  | sort(EventCount, order=desc)
)

medium severity medium confidence

Data Sources

CrowdStrike Falcon EDR with Enhanced Visibility telemetry Falcon sensor Process Rollup (ProcessRollup2) events Falcon MotionCaptureFile / NewExecutableWritten file events

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=MotionCaptureFile #event_simpleName=NewExecutableWritten

False Positives

CrowdStrike Real Time Response (RTR) sessions where incident responders or IT admins use built-in copy commands to collect forensic artifacts or deploy remediation scripts to staging paths
Software update mechanisms (e.g., Adobe Acrobat, Google Chrome, Microsoft 365) that stage update packages as archives in %TEMP% or %ProgramData% directories before applying updates
Data loss prevention (DLP) and CASB agents that scan or archive files in staging directories as part of content inspection workflows, generating high volumes of file events in short periods

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1074 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data Staged

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Collection

Popular Detections