Which SIEM platforms have a T1074 detection rule?

df00tech provides T1074 (Data Staged) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1074 detection?

The T1074 detection is rated high severity with medium confidence.

What are common false positives for T1074?

Common false positives for T1074 include: Software installation processes that extract files to temp directories during setup (installers, MSI packages); Backup agents (Veeam, Backup Exec, Windows Backup) that stage files before writing to backup media; Software deployment tools (SCCM, Intune) copying update packages to staging directories.

T1074

Data Staged

Q: What data sources are required to detect Data Staged (T1074)?

Detecting Data Staged requires the following data sources: File: File Creation, File: File Modification, Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

Collection Last updated: April 18, 2026

Adversaries may stage collected data in a central location or directory prior to exfiltration. Data may be kept in separate files or combined into one file through archiving techniques. Adversaries choose staging to minimize the number of connections made to their C2 server and better evade detection. Staging locations are commonly temp directories, user profile folders, or hidden directories. In cloud environments, adversaries may stage data within a particular instance before exfiltration.

What is T1074 Data Staged?

Data Staged (T1074) maps to the Collection tactic — the adversary is trying to gather data of interest to their goal in MITRE ATT&CK.

This page provides production-ready detection logic for Data Staged, covering the data sources and telemetry it touches: File: File Creation, File: File Modification, Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Collection
Technique: T1074 Data Staged
Canonical reference: https://attack.mitre.org/techniques/T1074/

Microsoft Sentinel / Defender

kusto

let StagingPaths = dynamic([
  "\\Temp\\", "\\tmp\\", "\\AppData\\Local\\Temp\\",
  "\\AppData\\Roaming\\", "\\ProgramData\\",
  "\\Users\\Public\\", "\\Windows\\Temp\\"
]);
let StagingExtensions = dynamic([".zip", ".7z", ".rar", ".tar", ".gz", ".cab", ".iso"]);
let BulkCopyProcesses = dynamic(["robocopy.exe", "xcopy.exe", "copy", "cp", "rsync"]);
// Branch 1: Bulk file creation events in staging paths
let BulkFileStaging =
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (StagingPaths)
| summarize FileCount=count(), Extensions=make_set(tolower(tostring(split(FileName, ".")[-1]))), FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath
| where FileCount >= 10
| extend StagingType="BulkFileStaging"
| project Timestamp=LastSeen, DeviceName, AccountName=InitiatingProcessAccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    FolderPath, FileCount, Extensions, StagingType;
// Branch 2: Archive files created in staging paths
let ArchiveStaging =
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath has_any (StagingPaths)
| where FileName has_any (StagingExtensions)
| extend StagingType="ArchiveCreated"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    FolderPath, FileName, StagingType;
// Branch 3: Bulk copy commands executed
let BulkCopyStaging =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("robocopy.exe", "xcopy.exe", "cmd.exe", "powershell.exe")
| where ProcessCommandLine has_any ("robocopy", "xcopy", "copy /", "Copy-Item", "cp -r")
    and ProcessCommandLine has_any (StagingPaths)
| extend StagingType="BulkCopyCommand"
| project Timestamp, DeviceName, AccountName, FileName,
    ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
    StagingType;
union BulkFileStaging, ArchiveStaging, BulkCopyStaging
| sort by Timestamp desc

Detects data staging behaviors using Microsoft Defender for Endpoint tables. Three detection branches: (1) bulk file creation events in common staging paths where 10+ files are written by the same process, indicating automated data aggregation; (2) archive files created in staging directories, suggesting compression before exfiltration; (3) bulk copy commands (robocopy, xcopy, Copy-Item) targeting staging directories. Uses DeviceFileEvents for file-level telemetry and DeviceProcessEvents for command-line analysis.

high severity medium confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Software installation processes that extract files to temp directories during setup (installers, MSI packages)
Backup agents (Veeam, Backup Exec, Windows Backup) that stage files before writing to backup media
Software deployment tools (SCCM, Intune) copying update packages to staging directories
Log aggregation tools that collect and consolidate logs into a single directory for shipping
Developers using robocopy/xcopy in legitimate build scripts or deployment pipelines

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
  (EventCode=11
    (TargetFilename="*\\Temp\\*" OR TargetFilename="*\\tmp\\*" OR TargetFilename="*\\AppData\\Local\\Temp\\*"
     OR TargetFilename="*\\Users\\Public\\*" OR TargetFilename="*\\ProgramData\\*" OR TargetFilename="*\\Windows\\Temp\\*")
  )
  OR
  (EventCode=1
    (CommandLine="*robocopy*" OR CommandLine="*xcopy*" OR CommandLine="*copy /*" OR CommandLine="*Copy-Item*")
    (CommandLine="*\\Temp\\*" OR CommandLine="*\\tmp\\*" OR CommandLine="*\\Public\\*" OR CommandLine="*\\ProgramData\\*")
  )
)
| eval StagingType=case(
    EventCode=11 AND match(TargetFilename, "(?i)\.(zip|7z|rar|tar|gz|cab|iso)$"), "ArchiveCreated",
    EventCode=11, "FileCreatedInStagingPath",
    EventCode=1 AND match(CommandLine, "(?i)(robocopy|xcopy)"), "BulkCopyCommand",
    EventCode=1, "ScriptedCopy",
    true(), "Unknown"
  )
| eval StagingPath=coalesce(TargetFilename, CommandLine)
| eval Actor=coalesce(User, user)
| stats count as EventCount,
    values(StagingType) as StagingTypes,
    values(StagingPath) as StagingPaths,
    dc(TargetFilename) as UniqueFiles,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by host, Actor, Image, CommandLine
| where EventCount >= 5 OR (StagingTypes="ArchiveCreated")
| eval DurationSecs=LastSeen-FirstSeen
| eval IsRapidStaging=if(DurationSecs < 300 AND EventCount >= 10, 1, 0)
| sort - EventCount
| table _time, host, Actor, Image, CommandLine, StagingTypes, EventCount, UniqueFiles, DurationSecs, IsRapidStaging, FirstSeen, LastSeen

Detects data staging activity using Sysmon Event ID 11 (File Create) for bulk file writes to staging paths and Event ID 1 (Process Create) for bulk copy commands. Aggregates events per host/actor/process combination to identify patterns: 5+ files written to staging directories by the same process, archive files created in temp locations, and bulk copy utilities targeting staging paths. The IsRapidStaging flag highlights 10+ files written within 5 minutes, a strong indicator of automated data collection.

high severity medium confidence

Data Sources

File: File Creation Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Software installation processes that extract files to temp directories during setup (installers, MSI packages)
Backup agents (Veeam, Backup Exec, Windows Backup) that stage files before writing to backup media
Software deployment tools (SCCM, Intune) copying update packages to staging directories
Log aggregation tools that collect and consolidate logs into a single directory for shipping
Developers using robocopy/xcopy in legitimate build scripts or deployment pipelines

Elastic Security (EQL)

eql

sequence by host.name, user.name with maxspan=10m
  [file where event.action in ("creation", "overwrite") and
   file.path : ("*\\Temp\\*", "*\\tmp\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*") and
   not process.name in ("MsMpEng.exe", "SenseIR.exe", "WindowsDefender.exe", "svchost.exe")
  ] with runs=10

OR

any where
  (event.category == "file" and event.action in ("creation", "overwrite") and
   file.path : ("*\\Temp\\*", "*\\tmp\\*", "*\\AppData\\Local\\Temp\\*", "*\\Users\\Public\\*", "*\\ProgramData\\*", "*\\Windows\\Temp\\*") and
   file.extension in ("zip", "7z", "rar", "tar", "gz", "cab", "iso"))
  OR
  (event.category == "process" and event.type == "start" and
   process.name in ("robocopy.exe", "xcopy.exe", "cmd.exe", "powershell.exe") and
   process.args : ("*robocopy*", "*xcopy*", "*copy /*", "*Copy-Item*") and
   process.command_line : ("*\\Temp\\*", "*\\tmp\\*", "*\\Public\\*", "*\\ProgramData\\*"))

Detects data staging behavior consistent with T1074 by identifying bulk file creation in common staging directories, archive file creation in staging paths, and bulk copy commands targeting staging locations. Uses ECS fields from Elastic endpoint and Sysmon integrations.

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent with Sysmon integration Windows Event Logs via Filebeat

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* logs-system.security-*

False Positives

Software installation or update processes that stage files in Temp directories (e.g., Windows Update, MSI installers, package managers like Chocolatey)
Backup software (e.g., Veeam, Acronis, Windows Backup) creating archive files in ProgramData or Temp directories as part of legitimate backup jobs
Developer tooling such as build systems (MSBuild, CMake), CI/CD agents (Jenkins, GitLab Runner), or Docker image layers staging files during compilation or container builds

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  sourceip AS HostIP,
  QIDNAME(qid) AS EventName,
  username AS Actor,
  "TargetFilename" AS StagingPath,
  "Image" AS InitiatingProcess,
  "CommandLine" AS ProcessCommandLine,
  CASE
    WHEN LOWER("TargetFilename") MATCHES '.*\.(zip|7z|rar|tar|gz|cab|iso)$' THEN 'ArchiveCreated'
    WHEN "CommandLine" IMATCHES '.*(robocopy|xcopy).*' THEN 'BulkCopyCommand'
    WHEN "EventID" = '11' THEN 'FileCreatedInStagingPath'
    ELSE 'StagedActivity'
  END AS StagingType,
  COUNT(*) AS EventCount
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 101, 143)
  AND devicetime > NOW() - 86400000
  AND (
    (
      "EventID" = '11'
      AND (
        "TargetFilename" IMATCHES '.*\\(Temp|tmp|AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\.*'
      )
    )
    OR (
      "EventID" = '1'
      AND (
        "CommandLine" IMATCHES '.*(robocopy|xcopy|copy /|Copy-Item|cp -r).*'
        AND "CommandLine" IMATCHES '.*\\(Temp|tmp|Public|ProgramData)\\.*'
      )
    )
  )
GROUP BY
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm'),
  logsourceid,
  sourceip,
  username,
  "TargetFilename",
  "Image",
  "CommandLine",
  "EventID"
HAVING EventCount >= 5
ORDER BY EventCount DESC

QRadar AQL query detecting T1074 data staging by correlating Sysmon EventID 11 (file creation) in known staging directories and Sysmon EventID 1 (process create) for bulk copy utilities. Groups by host and actor to surface bulk staging activity exceeding threshold.

medium severity medium confidence

Data Sources

IBM QRadar SIEM with Windows Sysmon DSM QRadar Windows Security Event Log DSM Microsoft Windows Sysmon log source

Required Tables

events

False Positives

Automated patch management tools (SCCM, Intune, WSUS) staging installation packages in ProgramData or Windows\Temp prior to deployment across endpoints
Antivirus or EDR solutions quarantining or scanning files by copying them to temporary staging directories during threat investigation
Legitimate archive creation by compression tools (7-Zip, WinRAR) used for routine file transfer or backup purposes, particularly by IT staff or file server processes

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| where EventID in ("1", "11")
| parse field=Message "TargetFilename: *\n" as TargetFilename nodrop
| parse field=Message "CommandLine: *\n" as CommandLine nodrop
| parse field=Message "Image: *\n" as Image nodrop
| parse field=Message "User: *\n" as Actor nodrop
| parse field=Message "Computer: *\n" as ComputerName nodrop
| where (
    (EventID == "11" and (
      TargetFilename matches "*\\Temp\\*" or
      TargetFilename matches "*\\tmp\\*" or
      TargetFilename matches "*\\AppData\\Local\\Temp\\*" or
      TargetFilename matches "*\\AppData\\Roaming\\*" or
      TargetFilename matches "*\\ProgramData\\*" or
      TargetFilename matches "*\\Users\\Public\\*" or
      TargetFilename matches "*\\Windows\\Temp\\*"
    ))
    or
    (EventID == "1" and (
      (CommandLine matches "*robocopy*" or CommandLine matches "*xcopy*" or
       CommandLine matches "*copy /*" or CommandLine matches "*Copy-Item*") and
      (CommandLine matches "*\\Temp\\*" or CommandLine matches "*\\tmp\\*" or
       CommandLine matches "*\\Public\\*" or CommandLine matches "*\\ProgramData\\*")
    ))
  )
| eval StagingType = if(EventID == "11" and
    (TargetFilename matches "*.zip" or TargetFilename matches "*.7z" or
     TargetFilename matches "*.rar" or TargetFilename matches "*.tar" or
     TargetFilename matches "*.gz" or TargetFilename matches "*.cab" or
     TargetFilename matches "*.iso"),
    "ArchiveCreated",
    if(EventID == "11", "FileCreatedInStagingPath",
    if(CommandLine matches "*robocopy*" or CommandLine matches "*xcopy*",
       "BulkCopyCommand", "ScriptedCopy")))
| eval StagingPath = if(EventID == "11", TargetFilename, CommandLine)
| timeslice 1h
| stats count as EventCount,
        values(StagingType) as StagingTypes,
        values(StagingPath) as StagingPaths,
        dcount(TargetFilename) as UniqueFiles,
        min(_messagetime) as FirstSeen,
        max(_messagetime) as LastSeen
        by _timeslice, ComputerName, Actor, Image, CommandLine
| where EventCount >= 5 or StagingTypes contains "ArchiveCreated"
| eval DurationSecs = (LastSeen - FirstSeen) / 1000
| eval IsRapidStaging = if(DurationSecs < 300 and EventCount >= 10, 1, 0)
| sort by EventCount desc
| fields _timeslice, ComputerName, Actor, Image, CommandLine, StagingTypes, EventCount, UniqueFiles, DurationSecs, IsRapidStaging

Sumo Logic query detecting T1074 data staging behavior by parsing Windows Sysmon EventID 11 (file creation) in staging directories and EventID 1 (process create) for bulk copy utilities. Aggregates events per host/actor to identify bulk file staging patterns and archive creation.

medium severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Sysmon source Sumo Logic Cloud-to-Cloud Microsoft Windows Event Log source

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Software deployment automation platforms (Ansible, Chef, Puppet) staging configuration or installation files in ProgramData or Temp directories during managed system configuration
Database backup utilities creating compressed archive files (.zip, .tar.gz) in ProgramData or Temp directories as part of scheduled backup routines
IT helpdesk or remote support tools (TeamViewer, ConnectWise, AnyDesk) that stage diagnostic files, logs, or remote session artifacts in AppData or Temp directories

Google Chronicle / SecOps

yaral

rule t1074_data_staged_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1074 data staging: bulk file creation or archive creation in common staging paths, and bulk copy commands targeting staging locations"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1074"
    mitre_attack_sub_technique = ""
    severity = "MEDIUM"
    priority = "MEDIUM"
    version = "1.0"

  events:
    (
      // Branch 1: Archive file creation in staging directories
      $e1.metadata.event_type = "FILE_CREATION"
      $e1.principal.hostname = $hostname
      $e1.principal.user.userid = $userid
      (
        re.regex($e1.target.file.full_path, `(?i)\\(Temp|tmp|AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\`)
      )
      (
        re.regex($e1.target.file.full_path, `(?i)\.(zip|7z|rar|tar|gz|cab|iso)$`)
      )
    )
    OR
    (
      // Branch 2: Bulk copy process targeting staging paths
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      $e1.principal.hostname = $hostname
      $e1.principal.user.userid = $userid
      (
        re.regex($e1.target.process.command_line, `(?i)(robocopy|xcopy|copy\s+/|Copy-Item|cp\s+-r)`)
      )
      (
        re.regex($e1.target.process.command_line, `(?i)\\(Temp|tmp|Public|ProgramData)\\`)
      )
    )

  match:
    $hostname, $userid over 10m

  outcome:
    $risk_score = max(
      if($e1.metadata.event_type = "FILE_CREATION", 50, 70)
    )
    $staging_path = array_distinct($e1.target.file.full_path)
    $process_name = array_distinct($e1.target.process.file.full_path)
    $command_line = array_distinct($e1.target.process.command_line)
    $event_count = count_distinct($e1.metadata.id)

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting T1074 data staging by identifying archive file creation in common staging directories and bulk copy command execution targeting staging paths. Correlates events by hostname and user within a 10-minute window using UDM event types FILE_CREATION and PROCESS_LAUNCH.

medium severity medium confidence

Data Sources

Google Chronicle SIEM with Windows Sysmon UDM ingestion Chronicle Unified Data Model (UDM) with endpoint telemetry Chronicle Google Workspace activity (for cloud staging variant)

Required Tables

UDM events (FILE_CREATION, PROCESS_LAUNCH)

False Positives

Enterprise software packaging workflows where administrators use robocopy or xcopy to distribute application packages to staging directories on endpoints before installation
Endpoint security or DLP agents that create archive snapshots of monitored directories in Temp or AppData for forensic preservation or policy enforcement
Cloud sync clients (OneDrive, Google Drive, Dropbox) staging large file sets in AppData\Roaming or AppData\Local\Temp before uploading to cloud storage

CrowdStrike LogScale (CQL)

cql

// Branch 1: Archive file creation in staging paths (Sysmon-equivalent via Falcon)
#event_simpleName=MotionCaptureFile OR #event_simpleName=NewExecutableWritten
| TargetFileName = /(?i)\\(Temp|tmp|AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\/
| TargetFileName = /(?i)\.(zip|7z|rar|tar\.gz|tar|gz|cab|iso)$/
| rename(field=UserName, as=Actor)
| rename(field=ComputerName, as=Hostname)
| groupBy([Hostname, Actor, ParentBaseFileName, CommandLine], function=[
    count(as=EventCount),
    collect(TargetFileName, as=StagingPaths, limit=20),
    min(timestamp, as=FirstSeen),
    max(timestamp, as=LastSeen)
  ])
| EventCount := EventCount
| StagingType := "ArchiveCreated"
| sort(EventCount, order=desc)

// Branch 2: Bulk copy processes targeting staging directories
OR
#event_simpleName=ProcessRollup2
| FileName in ["robocopy.exe", "xcopy.exe", "cmd.exe", "powershell.exe"]
| CommandLine = /(?i)(robocopy|xcopy|copy\s+\/|Copy-Item|cp\s+-r)/
| CommandLine = /(?i)\\(Temp|tmp|Public|ProgramData)\\/
| rename(field=UserName, as=Actor)
| rename(field=ComputerName, as=Hostname)
| groupBy([Hostname, Actor, FileName, CommandLine], function=[
    count(as=EventCount),
    min(timestamp, as=FirstSeen),
    max(timestamp, as=LastSeen)
  ])
| StagingType := "BulkCopyCommand"
| sort(EventCount, order=desc)

// Branch 3: High-volume file writes to staging paths within short window
| union
(
  #event_simpleName=MotionCaptureFile
  | TargetFileName = /(?i)\\(Temp|tmp|AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\/
  | rename(field=UserName, as=Actor)
  | rename(field=ComputerName, as=Hostname)
  | groupBy([Hostname, Actor, ParentBaseFileName, CommandLine], function=[
      count(as=EventCount),
      collect(TargetFileName, as=StagingPaths, limit=50),
      min(timestamp, as=FirstSeen),
      max(timestamp, as=LastSeen)
    ])
  | EventCount > 10
  | DurationSecs := (LastSeen - FirstSeen) / 1000
  | IsRapidStaging := if(DurationSecs < 300 AND EventCount >= 10, true(), false())
  | StagingType := "BulkFileStaging"
  | sort(EventCount, order=desc)
)

CrowdStrike LogScale (Falcon) query detecting T1074 data staging across three branches: archive file creation in staging paths using MotionCaptureFile events, bulk copy process execution via ProcessRollup2 events, and high-volume file writes to staging directories within short time windows. Uses native Falcon event types and LogScale aggregation functions.

medium severity medium confidence

Data Sources

CrowdStrike Falcon EDR with Enhanced Visibility telemetry Falcon sensor Process Rollup (ProcessRollup2) events Falcon MotionCaptureFile / NewExecutableWritten file events

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=MotionCaptureFile #event_simpleName=NewExecutableWritten

False Positives

CrowdStrike Real Time Response (RTR) sessions where incident responders or IT admins use built-in copy commands to collect forensic artifacts or deploy remediation scripts to staging paths
Software update mechanisms (e.g., Adobe Acrobat, Google Chrome, Microsoft 365) that stage update packages as archives in %TEMP% or %ProgramData% directories before applying updates
Data loss prevention (DLP) and CASB agents that scan or archive files in staging directories as part of content inspection workflows, generating high volumes of file events in short periods

Sigma rule & cross-platform mapping

The detection logic for Data Staged (T1074) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1074 Sigma rules on detection.fyi

Platform-specific guides for T1074

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-18 Research depth: deep

References (8)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Stage Sensitive Files to Temp Directory Using Robocopy
Expected signal: Sysmon Event ID 1: Process Create with Image=robocopy.exe, CommandLine containing source and destination temp paths with /E /COPYALL flags. Sysmon Event ID 11: Multiple FileCreate events in %TEMP%\df00tech-stage\ for each copied file. Security Event ID 4688 (if command line auditing enabled) for robocopy.exe execution. DeviceProcessEvents and DeviceFileEvents will capture this in MDE environments.
Test 2Stage and Compress Data Using 7-Zip from Command Line
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with copy command, then 7z.exe with -p flag (password) targeting staging directory. Sysmon Event ID 11: FileCreate events for each copied file in df00tech-collection\, then FileCreate for df00tech-exfil.zip. The -p flag in 7z.exe command line indicates password protection — a high-fidelity indicator of malicious intent.
Test 3Stage Data Using PowerShell Copy-Item to ProgramData
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Copy-Item in CommandLine targeting C:\ProgramData\MicrosoftUpdates. Sysmon Event ID 11: Multiple FileCreate events in C:\ProgramData\MicrosoftUpdates\. Sysmon Event ID 12/13: Registry or attribute change if attrib command is monitored. The directory name 'MicrosoftUpdates' is a common masquerading technique — look for this in DeviceFileEvents FolderPath.
Test 4Linux Data Staging Using cp and tar
Expected signal: Linux auditd syscall events (if configured): open/creat syscalls for files in /tmp/.df00tech_stage/, execve for cp, find, tar commands. Syslog entries if auditd rules cover /tmp/ writes. If Sysmon for Linux is deployed: Sysmon Event ID 11 for file creations, Event ID 1 for process creation with tar czf command. The hidden directory name (.df00tech_stage with leading dot) indicates deliberate concealment.
Test 5Remote Data Staging via Network Share Copy
Expected signal: Sysmon Event ID 1: Process Create for net.exe (net use) with UNC path and xcopy.exe with /E /H /Y flags. Sysmon Event ID 3: Network Connection to target host on port 445 (SMB). Sysmon Event ID 11: FileCreate events in staging directory. Security Event ID 4648 (explicit credential logon) if credentials were provided to net use. Security Event ID 5140/5145 (network share access) on the target host if SMB auditing is enabled.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1074 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data Staged

What is T1074 Data Staged?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1074

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (2)

Related Techniques

Same Tactic: Collection

Popular Detections

What is T1074 Data Staged?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1074

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (2)

Related Techniques

Same Tactic: Collection

Popular Detections

Get new detections in your inbox