T1074.001 CrowdStrike LogScale · LogScale

Detect Local Data Staging in CrowdStrike LogScale

Adversaries may stage collected data in a central location or directory on the local system prior to exfiltration. Data may be kept in separate files or combined into one file through archiving techniques. Adversaries commonly use temp directories, hidden folders, or application data paths to aggregate stolen files, credentials, screenshots, keylogger output, and memory dumps before transferring them out. Interactive command shells (cmd.exe, bash) and scripting languages are frequently used to copy and consolidate data into staging locations.

MITRE ATT&CK

Tactic
Collection
Technique
T1074 Data Staged
Sub-technique
T1074.001 Local Data Staging
Canonical reference
https://attack.mitre.org/techniques/T1074/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// Detection 1: Bulk file copy operations into staging paths
#event_simpleName=ProcessRollup2
| FileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|xcopy\.exe|robocopy\.exe|bash|sh)$/
| CommandLine = /(?i)(xcopy|robocopy|\bcopy\b|\bmove\b|compress|7z|rar|zip|tar)/
| CommandLine = /(?i)(\\temp\\|\\tmp\\|\\programdata\\|\\users\\public\\|\\appdata\\local\\temp\\|\\windows\\temp\\|\\appdata\\roaming\\)/
| eval bulk_copy = 1
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, bulk_copy])

union

// Detection 2: Archive file creation in staging paths via DNSRequest/FileCreate correlation
#event_simpleName=SyntheticProcessRollup2 OR #event_simpleName=PeFileWritten
| TargetFileName = /(?i)(\\temp\\|\\tmp\\|\\programdata\\|\\users\\public\\|\\appdata\\local\\temp\\|\\windows\\temp\\)/
| TargetFileName = /(?i)\.(zip|rar|7z|tar|gz|tmp|dat|db|bak)$/
| ImageFileName != /(?i)(msmpeng|svchost|tiworker|wuauclt|msiexec|onedrive|teams|slack)\.exe/
| eval archive_creation = 1
| table([@timestamp, ComputerName, UserName, ImageFileName, TargetFileName, archive_creation])

union

// Detection 3: Output redirection into staging directories
#event_simpleName=ProcessRollup2
| FileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|bash|sh)$/
| CommandLine = /(>>|>\s)/
| CommandLine = /(?i)(\\temp\\|\\tmp\\|\\programdata\\|\\users\\public\\)/
| eval output_redirect = 1
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, output_redirect])

| groupBy([ComputerName, UserName], function=[
    count(bulk_copy, as=bulk_copy_count),
    count(archive_creation, as=archive_creation_count),
    count(output_redirect, as=redirect_count),
    collect([CommandLine, TargetFileName, FileName], multival=true)
  ])
| eval TotalScore = bulk_copy_count + archive_creation_count + redirect_count
| where TotalScore > 0
| sort(TotalScore, order=desc)
high severity medium confidence

Detects T1074.001 Local Data Staging in CrowdStrike Falcon LogScale (CQL) using ProcessRollup2 and PeFileWritten event types. Identifies bulk copy/archive tool execution targeting staging paths, archive file creation in temp/public directories by non-system processes, and output redirection from interactive shells. Groups results by host and user with a composite score.

Data Sources

CrowdStrike Falcon EDRFalcon LogScale (Humio)CrowdStrike Insight

Required Tables

#event_simpleName=ProcessRollup2#event_simpleName=PeFileWritten#event_simpleName=SyntheticProcessRollup2

False Positives & Tuning

  • CrowdStrike Falcon sensor updates and Real Time Response (RTR) sessions themselves can trigger ProcessRollup2 events for copy and archive operations when analysts are performing live response investigations on endpoints
  • Managed endpoint software deployment via tools like PDQ Deploy, Puppet, or Chef runs robocopy and xcopy to distribute configuration files and binaries into ProgramData staging directories
  • Developer CI/CD pipeline agents (Jenkins, GitHub Actions self-hosted runners, TeamCity agents) execute archive and copy commands during build artifact staging, particularly on build server endpoints
Download portable Sigma rule (.yml)

Other platforms for T1074.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Stage Files to Temp Directory Using CMD Copy

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'copy' and '%TEMP%\staging_test'. Sysmon Event ID 11: Multiple FileCreate events in the staging directory. Security Event ID 4688 (if command-line auditing enabled) showing the copy commands.

  2. Test 2Stage Collected Output Using Append Redirect Operator

    Expected signal: Sysmon Event ID 1: Multiple Process Create events for cmd.exe with CommandLine containing '>>' and the staging file path in %TEMP%. Sysmon Event ID 11: FileCreate/FileModify events for collected_data.tmp. The file grows with each command execution.

  3. Test 3Stage Files with Hostname-Username Naming Convention

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing %COMPUTERNAME%_%USERNAME%.txt. Sysmon Event ID 11: FileCreate event in %TEMP% with filename matching Hostname_Username.txt pattern. PowerShell ScriptBlock Log Event ID 4104 with full script content.

  4. Test 4Stage Data in Windows Registry (DarkWatchman Pattern)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe. Sysmon Event ID 13 (RegistryValueSet): Registry value CachedData set under HKCU\SOFTWARE\Microsoft\Notepad with large Base64-encoded data. DeviceRegistryEvents: RegistryValueSet event visible in MDE.

Last updated: 2026-04-13 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1074.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1074Data Staged

Related Sub-techniques

T1074.002Remote Data Staging

Related Techniques

T1074Data StagedT1560.001Archive via UtilityT1560.003Archive via Custom MethodT1041Exfiltration Over C2 ChannelT1048Exfiltration Over Alternative ProtocolT1113Screen CaptureT1056.001KeyloggingT1555Credentials from Password StoresT1005Data from Local SystemT1059.001PowerShellT1059.003Windows Command Shell

Same Tactic: Collection

Popular Detections