T1074.001

Local Data Staging

Adversaries may stage collected data in a central location or directory on the local system prior to exfiltration. Data may be kept in separate files or combined into one file through archiving techniques. Adversaries commonly use temp directories, hidden folders, or application data paths to aggregate stolen files, credentials, screenshots, keylogger output, and memory dumps before transferring them out. Interactive command shells (cmd.exe, bash) and scripting languages are frequently used to copy and consolidate data into staging locations.

Microsoft Sentinel / Defender

kusto

let StagingPaths = dynamic([
  "\\Temp\\", "\\tmp\\", "\\AppData\\Local\\Temp\\",
  "\\AppData\\Roaming\\", "\\ProgramData\\",
  "\\Windows\\Temp\\", "\\Users\\Public\\",
  "\\Recycle", "\\$Recycle.Bin"
]);
let StagingExtensions = dynamic([
  ".zip", ".rar", ".7z", ".tar", ".gz",
  ".tmp", ".dat", ".db", ".bak"
]);
let StagingTools = dynamic([
  "xcopy", "robocopy", "copy", "move",
  "compress", "compact", "tar", "7z",
  "rar", "zip"
]);
// Detection 1: Bulk file copy operations into staging paths
let BulkFileCopy = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe") and
     ProcessCommandLine has_any (StagingTools) and
     ProcessCommandLine has_any (StagingPaths))
    or
    (FileName in~ ("xcopy.exe", "robocopy.exe") and
     ProcessCommandLine has_any (StagingPaths))
  )
| extend StagingIndicator = "BulkFileCopy";
// Detection 2: Suspicious file creation in staging paths
let SuspiciousFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath has_any (StagingPaths)
| where FileName has_any (StagingExtensions)
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "svchost.exe", "TiWorker.exe",
    "WindowsUpdate", "wuauclt.exe", "msiexec.exe",
    "OneDrive.exe", "Teams.exe", "Slack.exe")
| extend StagingIndicator = "SuspiciousFileCreation";
// Detection 3: Redirect operators appending output to files in staging dirs
let OutputRedirect = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh")
| where ProcessCommandLine matches regex @"(>>|>\s*[""']?)(.*)(\\Temp\\|\\tmp\\|\\ProgramData\\|\\Users\\Public\\)"
| extend StagingIndicator = "OutputRedirect";
union BulkFileCopy, SuspiciousFileCreation, OutputRedirect
| project Timestamp, DeviceName, AccountName,
  FileName, ProcessCommandLine, FolderPath,
  InitiatingProcessFileName, InitiatingProcessCommandLine,
  StagingIndicator
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation File: File Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Backup software or IT tools (Acronis, Veeam, Windows Backup) writing archives to temp directories during scheduled backup jobs
Software installers and update mechanisms that extract files to %TEMP% or %ProgramData% as part of legitimate installation workflows
Log aggregation or diagnostic tools that consolidate logs into temp folders for upload to centralized logging systems
Developer workflows where build systems (MSBuild, CMake, npm) create temporary archives or data files in project directories

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=11))
| eval staging_path=if(
    match(lower(coalesce(TargetFilename, CommandLine, "")),
      "(\\\\temp\\\\|\\\\tmp\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\windows\\\\temp\\\\|\\\\appdata\\\\roaming\\\\)"
    ), 1, 0)
| eval bulk_copy=if(
    EventCode=1 AND match(lower(CommandLine),
      "(xcopy|robocopy|\\bcopy\\b|\\bmove\\b|cp\\s|mv\\s)"
    ) AND staging_path=1, 1, 0)
| eval archive_creation=if(
    EventCode=11 AND match(lower(TargetFilename),
      "(\.zip|\.rar|\.7z|\.tar|\.gz|\.tmp|\.dat|\.db|\.bak)$"
    ) AND staging_path=1, 1, 0)
| eval output_redirect=if(
    EventCode=1 AND match(CommandLine, "(>>|>\s+)") AND staging_path=1, 1, 0)
| eval staging_tools=if(
    EventCode=1 AND match(lower(CommandLine),
      "(xcopy|robocopy|7z\.exe|winrar|compact\s|tar\s)"
    ), 1, 0)
| eval SuspicionScore=bulk_copy + archive_creation + output_redirect + staging_tools
| where SuspicionScore > 0
| eval EventDescription=case(
    EventCode=1, "Process Create",
    EventCode=11, "File Create",
    true(), "Unknown")
| eval ProcessOrFile=coalesce(Image, TargetFilename)
| eval CmdOrPath=coalesce(CommandLine, TargetFilename)
| where NOT match(lower(coalesce(Image, ParentImage, TargetFilename, "")),
    "(msmpeng|svchost|tiworker|wuauclt|msiexec|onedrive|teams|slack|acronis|veeam)")
| table _time, host, User, EventCode, EventDescription, ProcessOrFile,
    CmdOrPath, ParentImage, ParentCommandLine,
    bulk_copy, archive_creation, output_redirect, staging_tools, SuspicionScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation File: File Creation Command: Command Execution Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup software or IT tools (Acronis, Veeam, Windows Backup) writing archives to temp directories during scheduled backup jobs
Software installers and update mechanisms that extract files to %TEMP% or %ProgramData% as part of legitimate installation workflows
Log aggregation or diagnostic tools that consolidate logs into temp folders for upload to centralized logging systems
Developer workflows where build systems (MSBuild, CMake, npm) create temporary archives or data files in project directories

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   (
     (process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe") and
      process.args : ("*xcopy*", "*robocopy*", "*copy*", "*move*", "*compress*", "*tar*", "*7z*", "*rar*", "*zip*") and
      process.args : ("*\\Temp\\*", "*\\tmp\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\ProgramData\\*", "*\\Windows\\Temp\\*", "*\\Users\\Public\\*"))
     or
     (process.name in~ ("xcopy.exe", "robocopy.exe") and
      process.args : ("*\\Temp\\*", "*\\tmp\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*"))
     or
     (process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh") and
      process.command_line : ("*>>*", "*> *") and
      process.command_line : ("*\\Temp\\*", "*\\tmp\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*"))
   ) and
   not process.parent.name in~ ("MsMpEng.exe", "svchost.exe", "TiWorker.exe", "wuauclt.exe", "msiexec.exe")]
  [file where event.type == "creation" and
   file.path : ("*\\Temp\\*", "*\\tmp\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\ProgramData\\*", "*\\Windows\\Temp\\*", "*\\Users\\Public\\*") and
   file.extension in~ ("zip", "rar", "7z", "tar", "gz", "tmp", "dat", "db", "bak") and
   not process.name in~ ("MsMpEng.exe", "svchost.exe", "TiWorker.exe", "wuauclt.exe", "msiexec.exe", "OneDrive.exe", "Teams.exe", "Slack.exe")]

high severity medium confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Software installers and update agents (Windows Update, SCCM, Chocolatey) routinely extract archives and copy files into %TEMP% and %ProgramData% as part of normal installation workflows
Backup and sync tools such as Acronis, Veeam, OneDrive, and Dropbox frequently copy and archive files to staging directories before uploading or snapshotting
Developer toolchains (MSBuild, npm, cargo, pip) produce intermediate build artifacts and package archives in temp directories during compilation and dependency resolution

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "File Path" AS file_path,
  CATEGORYNAME(category) AS category_name,
  SUM(CASE WHEN
    LOWER("Command") MATCHES '(xcopy|robocopy|\\bcopy\\b|\\bmove\\b|cp\\s|mv\\s)'
    AND LOWER("Command") MATCHES '(\\\\temp\\\\|\\\\tmp\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\windows\\\\temp\\\\)'
    THEN 1 ELSE 0 END) AS bulk_copy_score,
  SUM(CASE WHEN
    LOWER("File Path") MATCHES '(\\\\temp\\\\|\\\\tmp\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\)'
    AND LOWER("File Path") MATCHES '(\.zip|\.rar|\.7z|\.tar|\.gz|\.tmp|\.dat|\.db|\.bak)$'
    THEN 1 ELSE 0 END) AS archive_creation_score,
  SUM(CASE WHEN
    "Command" MATCHES '(>>|>\\s+)'
    AND LOWER("Command") MATCHES '(\\\\temp\\\\|\\\\tmp\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\)'
    THEN 1 ELSE 0 END) AS redirect_score,
  SUM(CASE WHEN
    LOWER("Command") MATCHES '(xcopy|robocopy|7z\.exe|winrar|compact\\s|tar\\s)'
    THEN 1 ELSE 0 END) AS staging_tool_score
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 352)
  AND devicetime > NOW() - 86400000
  AND (
    LOWER("Command") MATCHES '(xcopy|robocopy|\\bcopy\\b|zip|7z|rar|tar|compact)'
    OR LOWER("File Path") MATCHES '(\.zip|\.rar|\.7z|\.tar|\.gz|\.tmp|\.dat)$'
    OR "Command" MATCHES '(>>|>\\s+)'
  )
  AND NOT LOWER(COALESCE("Process Name", "")) MATCHES '(msmpeng|svchost|tiworker|wuauclt|msiexec|onedrive|teams|slack)'
GROUP BY event_time, log_source, username, sourceip, event_name, process_name, command_line, file_path, category_name
HAVING (bulk_copy_score + archive_creation_score + redirect_score + staging_tool_score) > 0
ORDER BY event_time DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log (DSM) Microsoft Windows Sysmon DSM

Required Tables

events

False Positives

Enterprise software deployment tools (SCCM, Intune, WSUS) copy MSI packages and cab files into ProgramData and Windows\Temp during patch cycles, generating high volumes of matching events during maintenance windows
Log aggregation and SIEM forwarding agents commonly archive and stage collected log files in temp directories before shipping to centralized logging infrastructure
Automated database backup routines write .bak and .db files to staging directories as part of scheduled backup jobs, especially during overnight backup windows

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventCode in ("1", "11", "4688")
| eval staging_path = if(
    matches(toLowerCase(coalesce(TargetFilename, CommandLine, "")),
      "(\\\\temp\\\\|\\\\tmp\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\windows\\\\temp\\\\|\\\\appdata\\\\roaming\\\\)"
    ), 1, 0)
| eval bulk_copy = if(
    EventCode = "1" and
    matches(toLowerCase(CommandLine), "(xcopy|robocopy|\\bcopy\\b|\\bmove\\b|cp\\s|mv\\s)") and
    staging_path = 1, 1, 0)
| eval archive_creation = if(
    EventCode = "11" and
    matches(toLowerCase(TargetFilename), "(\.zip|\.rar|\.7z|\.tar|\.gz|\.tmp|\.dat|\.db|\.bak)$") and
    staging_path = 1, 1, 0)
| eval output_redirect = if(
    EventCode = "1" and
    matches(CommandLine, "(>>|>\\s+)") and
    staging_path = 1, 1, 0)
| eval staging_tools = if(
    EventCode = "1" and
    matches(toLowerCase(CommandLine), "(xcopy|robocopy|7z\.exe|winrar|compact\\s|tar\\s)"), 1, 0)
| eval SuspicionScore = bulk_copy + archive_creation + output_redirect + staging_tools
| where SuspicionScore > 0
| where !matches(toLowerCase(coalesce(Image, ParentImage, TargetFilename, "")),
    "(msmpeng|svchost|tiworker|wuauclt|msiexec|onedrive|teams|slack|acronis|veeam)")
| eval EventDescription = if(EventCode = "1", "Process Create",
    if(EventCode = "11", "File Create",
    if(EventCode = "4688", "Process Create (Security)", "Unknown")))
| eval ProcessOrFile = coalesce(Image, TargetFilename)
| eval CmdOrPath = coalesce(CommandLine, TargetFilename)
| fields _messageTime, Computer, User, EventCode, EventDescription, ProcessOrFile,
    CmdOrPath, ParentImage, ParentCommandLine,
    bulk_copy, archive_creation, output_redirect, staging_tools, SuspicionScore
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Windows Sysmon via Sumo Logic installed collector Windows Security Event Log via Sumo Logic collector

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

IT asset management and endpoint management platforms (Tanium, BigFix, Kaseya) use robocopy and xcopy extensively to distribute software packages and configuration files to staging directories
Security scanning tools and vulnerability assessment software create temporary database files (.db, .dat) in AppData and ProgramData during host enumeration and asset scanning
Legitimate archiving by users compressing project files or personal documents into zip or 7z archives in their Downloads or AppData directories before emailing or cloud-uploading

Google Chronicle / SecOps

yaral

rule t1074_001_local_data_staging {
  meta:
    author = "Detection Engineering"
    description = "Detects T1074.001 Local Data Staging - adversaries aggregating collected data in staging directories prior to exfiltration using bulk copy tools, archive utilities, or output redirection"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1074.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-13"

  events:
    (
      // Detection 1: Bulk file copy into staging paths
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and (
          re.regex($e.principal.process.command_line,
            `(?i)(xcopy|robocopy|\bcopy\b|\bmove\b|cp\s|mv\s)`)
        )
        and (
          re.regex($e.principal.process.command_line,
            `(?i)(\\temp\\|\\tmp\\|\\programdata\\|\\users\\public\\|\\appdata\\local\\temp\\|\\windows\\temp\\|\\appdata\\roaming\\)`)
        )
      )
      or
      // Detection 2: Archive/temp file creation in staging paths
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path,
          `(?i)(\\temp\\|\\tmp\\|\\programdata\\|\\users\\public\\|\\appdata\\local\\temp\\|\\windows\\temp\\)`)
        and re.regex($e.target.file.full_path,
          `(?i)\.(zip|rar|7z|tar|gz|tmp|dat|db|bak)$`)
        and not re.regex($e.principal.process.file.full_path,
          `(?i)(msmpeng|svchost|tiworker|wuauclt|msiexec|onedrive|teams|slack)\.exe`)
      )
      or
      // Detection 3: Output redirection into staging directories
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.principal.process.file.full_path,
          `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|bash|sh)$`)
        and re.regex($e.principal.process.command_line, `(>>|>\s)`)
        and re.regex($e.principal.process.command_line,
          `(?i)(\\temp\\|\\tmp\\|\\programdata\\|\\users\\public\\)`)
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Windows endpoint telemetry via Chronicle forwarder Sysmon events normalized to UDM

Required Tables

UDM events (process_launch, file_creation)

False Positives

Windows operating system components including Windows Installer (msiexec.exe), CBS (TrustedInstaller.exe), and Windows Update frequently create .cab, .tmp, and .dat files in Windows\Temp during system update and component servicing operations
Enterprise backup agents (Veeam, Commvault, Acronis) execute robocopy and xcopy as child processes during incremental backup jobs, copying data to staging areas before off-site transfer
Application packaging tools (MSIX tooling, InstallShield, NSIS) create intermediate archive files in temp directories during the build and packaging process on developer workstations and build servers

CrowdStrike LogScale (CQL)

cql

// Detection 1: Bulk file copy operations into staging paths
#event_simpleName=ProcessRollup2
| FileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|xcopy\.exe|robocopy\.exe|bash|sh)$/
| CommandLine = /(?i)(xcopy|robocopy|\bcopy\b|\bmove\b|compress|7z|rar|zip|tar)/
| CommandLine = /(?i)(\\temp\\|\\tmp\\|\\programdata\\|\\users\\public\\|\\appdata\\local\\temp\\|\\windows\\temp\\|\\appdata\\roaming\\)/
| eval bulk_copy = 1
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, bulk_copy])

union

// Detection 2: Archive file creation in staging paths via DNSRequest/FileCreate correlation
#event_simpleName=SyntheticProcessRollup2 OR #event_simpleName=PeFileWritten
| TargetFileName = /(?i)(\\temp\\|\\tmp\\|\\programdata\\|\\users\\public\\|\\appdata\\local\\temp\\|\\windows\\temp\\)/
| TargetFileName = /(?i)\.(zip|rar|7z|tar|gz|tmp|dat|db|bak)$/
| ImageFileName != /(?i)(msmpeng|svchost|tiworker|wuauclt|msiexec|onedrive|teams|slack)\.exe/
| eval archive_creation = 1
| table([@timestamp, ComputerName, UserName, ImageFileName, TargetFileName, archive_creation])

union

// Detection 3: Output redirection into staging directories
#event_simpleName=ProcessRollup2
| FileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|bash|sh)$/
| CommandLine = /(>>|>\s)/
| CommandLine = /(?i)(\\temp\\|\\tmp\\|\\programdata\\|\\users\\public\\)/
| eval output_redirect = 1
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, output_redirect])

| groupBy([ComputerName, UserName], function=[
    count(bulk_copy, as=bulk_copy_count),
    count(archive_creation, as=archive_creation_count),
    count(output_redirect, as=redirect_count),
    collect([CommandLine, TargetFileName, FileName], multival=true)
  ])
| eval TotalScore = bulk_copy_count + archive_creation_count + redirect_count
| where TotalScore > 0
| sort(TotalScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR Falcon LogScale (Humio) CrowdStrike Insight

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=PeFileWritten #event_simpleName=SyntheticProcessRollup2

False Positives

CrowdStrike Falcon sensor updates and Real Time Response (RTR) sessions themselves can trigger ProcessRollup2 events for copy and archive operations when analysts are performing live response investigations on endpoints
Managed endpoint software deployment via tools like PDQ Deploy, Puppet, or Chef runs robocopy and xcopy to distribute configuration files and binaries into ProgramData staging directories
Developer CI/CD pipeline agents (Jenkins, GitHub Actions self-hosted runners, TeamCity agents) execute archive and copy commands during build artifact staging, particularly on build server endpoints

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1074.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Local Data Staging

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections