T1074.001 Microsoft Sentinel · KQL

Detect Local Data Staging in Microsoft Sentinel

Adversaries may stage collected data in a central location or directory on the local system prior to exfiltration. Data may be kept in separate files or combined into one file through archiving techniques. Adversaries commonly use temp directories, hidden folders, or application data paths to aggregate stolen files, credentials, screenshots, keylogger output, and memory dumps before transferring them out. Interactive command shells (cmd.exe, bash) and scripting languages are frequently used to copy and consolidate data into staging locations.

MITRE ATT&CK

Tactic
Collection
Technique
T1074 Data Staged
Sub-technique
T1074.001 Local Data Staging
Canonical reference
https://attack.mitre.org/techniques/T1074/001/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
let StagingPaths = dynamic([
  "\\Temp\\", "\\tmp\\", "\\AppData\\Local\\Temp\\",
  "\\AppData\\Roaming\\", "\\ProgramData\\",
  "\\Windows\\Temp\\", "\\Users\\Public\\",
  "\\Recycle", "\\$Recycle.Bin"
]);
let StagingExtensions = dynamic([
  ".zip", ".rar", ".7z", ".tar", ".gz",
  ".tmp", ".dat", ".db", ".bak"
]);
let StagingTools = dynamic([
  "xcopy", "robocopy", "copy", "move",
  "compress", "compact", "tar", "7z",
  "rar", "zip"
]);
// has_any matches whole terms, case-insensitively, not substrings: "\\Temp\\" also
// matches an unexpanded %TEMP% in a command line, and ".zip" would match "zip.exe".
// Detection 2 therefore compares the real file extension instead of a term.
// Detection 1: bulk copy or archiving into staging paths, either via a shell
// built-in or cmdlet (copy, move, Compress-Archive, ...) or a copy/archive binary
let BulkFileCopy = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe") and
     ProcessCommandLine has_any (StagingTools) and
     ProcessCommandLine has_any (StagingPaths))
    or
    (FileName in~ ("xcopy.exe", "robocopy.exe", "7z.exe", "rar.exe", "winrar.exe", "tar.exe") and
     ProcessCommandLine has_any (StagingPaths))
  )
| extend StagingIndicator = "BulkFileCopy";
// Detection 2: archive or data file creation in staging paths by any process
// outside a short allow-list of installers, updaters and sync clients
let SuspiciousFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath has_any (StagingPaths)
| extend FileExtension = tolower(extract(@"(\.[^.\\]+)$", 1, FileName))
| where FileExtension in (StagingExtensions)
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "svchost.exe", "TiWorker.exe",
    "wuauclt.exe", "msiexec.exe",
    "OneDrive.exe", "Teams.exe", "Slack.exe")
// DeviceFileEvents has no AccountName column; surface the initiating account
// under that name so the union below is populated for all three signals
| extend AccountName = InitiatingProcessAccountName
| extend StagingIndicator = "SuspiciousFileCreation";
// Detection 3: redirect operators (> or >>) writing output into a staging dir.
// Case-insensitive, confined to one command segment (does not cross & or |),
// and aware of the unexpanded %TEMP%/%TMP% forms seen in recorded command lines
let OutputRedirect = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh")
| where ProcessCommandLine matches regex @"(?i)(>>|>\s*[""']?)[^&|]*(\\Temp\\|\\tmp\\|\\ProgramData\\|\\Users\\Public\\|%TE?MP%)"
| extend StagingIndicator = "OutputRedirect";
union BulkFileCopy, SuspiciousFileCreation, OutputRedirect
| project Timestamp, DeviceName, AccountName,
  FileName, ProcessCommandLine, FolderPath,
  InitiatingProcessFileName, InitiatingProcessCommandLine,
  StagingIndicator
| sort by Timestamp desc
```

Severity: Medium · Confidence: Medium

Detects local data staging activity using Microsoft Defender for Endpoint tables. Combines three signals: (1) bulk copy or archiving tools (xcopy, robocopy, 7-Zip, WinRAR, tar, and cmd or PowerShell copy, move and compress commands) whose command line names a staging directory; (2) creation of archive or data files in temp, public or AppData paths by any process outside a short allow-list of installers, updaters and sync clients; (3) shell output redirection (> or >>) into a staging directory, including the unexpanded %TEMP% form that appears in recorded command lines. Covers common staging paths including Temp, ProgramData and Users\Public. The query inspects process and file telemetry only; staging inside the registry (Test 4 below) is not covered and needs DeviceRegistryEvents.
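To see what the three signals actually match before deploying the query, the following Python re-implements them over constructed sample events. This is an added example, not code from the original page or from Microsoft: the event rows, device and account names are invented, and the `has` helper is an approximation of Kusto's term-based `has`/`has_any` (whole terms, case-insensitive, tokenised on punctuation) rather than plain substring search, which is why an unexpanded %TEMP% still matches the "\Temp\" fragment. Two rows mirror tests 1 and 2 of the testing methodology below. The redirect pattern is case-insensitive, stays within one command segment and accepts an unexpanded %TEMP%, which are the adjustments a production copy of the query should carry, and the file-creation check compares the real extension rather than a term.

```python
"""Offline emulation of the three T1074.001 signals from the KQL query above.
Added example with constructed telemetry; only the MDE columns the query
uses are carried on each row."""
import os
import re

# Same lists as the query. Kusto has/has_any compares whole terms, so the
# backslashes in the path fragments are tokenised away.
STAGING_PATHS = [
    "\\Temp\\", "\\tmp\\", "\\AppData\\Local\\Temp\\",
    "\\AppData\\Roaming\\", "\\ProgramData\\",
    "\\Windows\\Temp\\", "\\Users\\Public\\",
    "\\Recycle", "\\$Recycle.Bin",
]
STAGING_EXTENSIONS = {".zip", ".rar", ".7z", ".tar", ".gz",
                      ".tmp", ".dat", ".db", ".bak"}
STAGING_TOOLS = ["xcopy", "robocopy", "copy", "move", "compress",
                 "compact", "tar", "7z", "rar", "zip"]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
COPY_TOOLS = {"xcopy.exe", "robocopy.exe", "7z.exe", "rar.exe", "winrar.exe", "tar.exe"}
REDIRECT_SHELLS = SHELLS | {"bash", "sh"}
BENIGN_INITIATORS = {"msmpeng.exe", "svchost.exe", "tiworker.exe", "wuauclt.exe",
                     "msiexec.exe", "onedrive.exe", "teams.exe", "slack.exe"}

# Redirect into a staging dir: case-insensitive, confined to one command
# segment (stops at & or |), and aware of an unexpanded %TEMP%/%TMP%.
REDIRECT_RE = re.compile(
    r"""(?i)(>>|>\s*["']?)[^&|]*(\\Temp\\|\\tmp\\|\\ProgramData\\|\\Users\\Public\\|%TE?MP%)"""
)

_TERM = re.compile(r"[A-Za-z0-9_]+")


def _terms(text):
    return [t.lower() for t in _TERM.findall(text)]


def has(haystack, needle):
    """Approximation of Kusto `has`: the needle's terms must occur as a
    contiguous, case-insensitive term sequence inside the haystack."""
    h, n = _terms(haystack), _terms(needle)
    return bool(n) and any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def has_any(haystack, needles):
    return any(has(haystack, n) for n in needles)


def is_bulk_file_copy(ev):
    name, cmd = ev["FileName"].lower(), ev["ProcessCommandLine"]
    if name in SHELLS:
        return has_any(cmd, STAGING_TOOLS) and has_any(cmd, STAGING_PATHS)
    return name in COPY_TOOLS and has_any(cmd, STAGING_PATHS)


def is_suspicious_file_creation(ev):
    if ev["ActionType"] != "FileCreated":
        return False
    if ev["InitiatingProcessFileName"].lower() in BENIGN_INITIATORS:
        return False
    # Compare the real extension; has_any(".zip") would also fire on "zip.exe".
    ext = os.path.splitext(ev["FileName"])[1].lower()
    return ext in STAGING_EXTENSIONS and has_any(ev["FolderPath"], STAGING_PATHS)


def is_output_redirect(ev):
    return (ev["FileName"].lower() in REDIRECT_SHELLS
            and REDIRECT_RE.search(ev["ProcessCommandLine"]) is not None)


def run_detections(process_events, file_events):
    """One row per (event, indicator) pair, newest first, like the KQL union."""
    hits = []
    for ev in process_events:
        if is_bulk_file_copy(ev):
            hits.append({**ev, "StagingIndicator": "BulkFileCopy"})
        if is_output_redirect(ev):
            hits.append({**ev, "StagingIndicator": "OutputRedirect"})
    for ev in file_events:
        if is_suspicious_file_creation(ev):
            hits.append({**ev, "StagingIndicator": "SuspiciousFileCreation"})
    return sorted(hits, key=lambda r: r["Timestamp"], reverse=True)


def _proc(report_id, ts, name, cmd):  # constructed DeviceProcessEvents row
    return {"ReportId": report_id, "Timestamp": ts, "DeviceName": "ws01",
            "AccountName": "alice", "FileName": name, "ProcessCommandLine": cmd}


def _file(report_id, ts, action, path, initiator):  # constructed DeviceFileEvents row
    return {"ReportId": report_id, "Timestamp": ts, "DeviceName": "ws01",
            "ActionType": action, "FolderPath": path,
            "FileName": path.rsplit("\\", 1)[-1], "InitiatingProcessFileName": initiator}


# Rows 1 and 3 mirror tests 1 and 2 of the testing methodology.
PROCESS_EVENTS = [
    _proc(1, "2024-05-01T10:00:00Z", "cmd.exe",
          r'cmd.exe /c copy "C:\Users\alice\Documents\*.docx" %TEMP%\staging_test'),
    _proc(2, "2024-05-01T10:01:00Z", "robocopy.exe",
          r"robocopy.exe C:\Users\alice\Documents C:\Users\Public\stage /E"),
    _proc(3, "2024-05-01T10:02:00Z", "cmd.exe",
          r"cmd.exe /c systeminfo >> %TEMP%\collected_data.tmp"),
    _proc(4, "2024-05-01T10:03:00Z", "powershell.exe",
          r"powershell.exe -NoP -c Compress-Archive -Path C:\Users\alice\Documents "
          r"-DestinationPath C:\ProgramData\out.zip"),
    # The redirect target is not a staging path; the dir is a separate command.
    _proc(5, "2024-05-01T10:04:00Z", "cmd.exe", r"cmd.exe /c echo x > out.txt & dir C:\Temp\ "),
    _proc(6, "2024-05-01T10:05:00Z", "powershell.exe", r"powershell.exe -c Get-ChildItem C:\Users\alice"),
]
FILE_EVENTS = [
    _file(101, "2024-05-01T10:06:00Z", "FileCreated", r"C:\Users\Public\stage\docs.zip", "powershell.exe"),
    _file(102, "2024-05-01T10:07:00Z", "FileCreated", r"C:\Windows\Temp\~setup.tmp", "msiexec.exe"),
    _file(103, "2024-05-01T10:08:00Z", "FileCreated", r"C:\Users\alice\AppData\Local\Temp\zip.exe", "chrome.exe"),
]

if __name__ == "__main__":
    for row in run_detections(PROCESS_EVENTS, FILE_EVENTS):
        print(row["StagingIndicator"], row["ReportId"], row.get("ProcessCommandLine") or row["FolderPath"])
```

Run it directly to print the five hits. The allow-listed msiexec.exe write and the zip.exe download under Temp are deliberately left unflagged, and row 5 shows why the redirect pattern should not be allowed to span an `&`: the original greedy `(.*)` would have paired the `>` with the unrelated `dir C:\Temp\` and raised a false positive.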

Data Sources

  • Process: Process Creation
  • File: File Creation
  • Command: Command Execution
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceFileEvents

False Positives & Tuning

  • Backup software or IT tools (Acronis, Veeam, Windows Backup) writing archives to temp directories during scheduled backup jobs
  • Software installers and update mechanisms that extract files to %TEMP% or %ProgramData% as part of legitimate installation workflows
  • Log aggregation or diagnostic tools that consolidate logs into temp folders for upload to centralized logging systems
  • Developer workflows where build systems (MSBuild, CMake, npm) create temporary archives or data files in project directories

Testing Methodology

Validate this detection against the four Atomic Red Team-style test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Stage Files to Temp Directory Using CMD Copy

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'copy' and '%TEMP%\staging_test'. Sysmon Event ID 11: multiple FileCreate events in the staging directory. Security Event ID 4688 (if command-line auditing is enabled) showing the copy commands.

  2. Test 2: Stage Collected Output Using Append Redirect Operator

    Expected signal: Sysmon Event ID 1: multiple Process Create events for cmd.exe with CommandLine containing '>>' and the staging file path in %TEMP%. Sysmon Event ID 11: a single FileCreate for collected_data.tmp on the first write; Sysmon has no file-modify event, so the later appends are visible only as the file growing with each command (Defender for Endpoint records them in DeviceFileEvents as FileModified).

  3. Test 3: Stage Files with Hostname-Username Naming Convention

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing %COMPUTERNAME%_%USERNAME%.txt. Sysmon Event ID 11: FileCreate event in %TEMP% with a filename matching the Hostname_Username.txt pattern. PowerShell ScriptBlock Log Event ID 4104 with the full script content.

  4. Test 4: Stage Data in Windows Registry (DarkWatchman Pattern)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe. Sysmon Event ID 13 (RegistryValueSet): registry value CachedData set under HKCU\SOFTWARE\Microsoft\Notepad with large Base64-encoded data. DeviceRegistryEvents: RegistryValueSet event visible in MDE. Note that the KQL query on this page reads only DeviceProcessEvents and DeviceFileEvents, so this test exercises the telemetry but will not produce a hit from that query; hunt for it in DeviceRegistryEvents.
