Which SIEM platforms have a T1074.001 detection rule?

df00tech provides T1074.001 (Local Data Staging) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Local Data Staging (T1074.001)?

Detecting Local Data Staging requires the following data sources: Process: Process Creation, File: File Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1074.001 detection?

The T1074.001 detection is rated medium severity with medium confidence.

What are common false positives for T1074.001?

Common false positives for T1074.001 include: Backup software or IT tools (Acronis, Veeam, Windows Backup) writing archives to temp directories during scheduled backup jobs; Software installers and update mechanisms that extract files to %TEMP% or %ProgramData% as part of legitimate installation workflows; Log aggregation or diagnostic tools that consolidate logs into temp folders for upload to centralized logging systems.

T1074.001 Sumo Logic CSE · Sumo

Detect Local Data Staging in Sumo Logic CSE

Adversaries may stage collected data in a central location or directory on the local system prior to exfiltration. Data may be kept in separate files or combined into one file through archiving techniques. Adversaries commonly use temp directories, hidden folders, or application data paths to aggregate stolen files, credentials, screenshots, keylogger output, and memory dumps before transferring them out. Interactive command shells (cmd.exe, bash) and scripting languages are frequently used to copy and consolidate data into staging locations.

MITRE ATT&CK

Tactic: Collection
Technique: T1074 Data Staged
Sub-technique: T1074.001 Local Data Staging
Canonical reference: https://attack.mitre.org/techniques/T1074/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventCode in ("1", "11", "4688")
| eval staging_path = if(
    matches(toLowerCase(coalesce(TargetFilename, CommandLine, "")),
      "(\\\\temp\\\\|\\\\tmp\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\windows\\\\temp\\\\|\\\\appdata\\\\roaming\\\\)"
    ), 1, 0)
| eval bulk_copy = if(
    EventCode = "1" and
    matches(toLowerCase(CommandLine), "(xcopy|robocopy|\\bcopy\\b|\\bmove\\b|cp\\s|mv\\s)") and
    staging_path = 1, 1, 0)
| eval archive_creation = if(
    EventCode = "11" and
    matches(toLowerCase(TargetFilename), "(\.zip|\.rar|\.7z|\.tar|\.gz|\.tmp|\.dat|\.db|\.bak)$") and
    staging_path = 1, 1, 0)
| eval output_redirect = if(
    EventCode = "1" and
    matches(CommandLine, "(>>|>\\s+)") and
    staging_path = 1, 1, 0)
| eval staging_tools = if(
    EventCode = "1" and
    matches(toLowerCase(CommandLine), "(xcopy|robocopy|7z\.exe|winrar|compact\\s|tar\\s)"), 1, 0)
| eval SuspicionScore = bulk_copy + archive_creation + output_redirect + staging_tools
| where SuspicionScore > 0
| where !matches(toLowerCase(coalesce(Image, ParentImage, TargetFilename, "")),
    "(msmpeng|svchost|tiworker|wuauclt|msiexec|onedrive|teams|slack|acronis|veeam)")
| eval EventDescription = if(EventCode = "1", "Process Create",
    if(EventCode = "11", "File Create",
    if(EventCode = "4688", "Process Create (Security)", "Unknown")))
| eval ProcessOrFile = coalesce(Image, TargetFilename)
| eval CmdOrPath = coalesce(CommandLine, TargetFilename)
| fields _messageTime, Computer, User, EventCode, EventDescription, ProcessOrFile,
    CmdOrPath, ParentImage, ParentCommandLine,
    bulk_copy, archive_creation, output_redirect, staging_tools, SuspicionScore
| sort by _messageTime desc

high severity medium confidence

Detects T1074.001 Local Data Staging via Sumo Logic CSE using Sysmon Event IDs 1 and 11 alongside Security Event 4688. Applies a weighted scoring model across bulk copy operations, archive file creation in staging paths, output redirection into staging directories, and known staging tool usage.

Data Sources

Sumo Logic Cloud SIEM EnterpriseWindows Sysmon via Sumo Logic installed collectorWindows Security Event Log via Sumo Logic collector

Required Tables

_sourceCategory=windows/sysmon_sourceCategory=windows/security

False Positives & Tuning

IT asset management and endpoint management platforms (Tanium, BigFix, Kaseya) use robocopy and xcopy extensively to distribute software packages and configuration files to staging directories
Security scanning tools and vulnerability assessment software create temporary database files (.db, .dat) in AppData and ProgramData during host enumeration and asset scanning
Legitimate archiving by users compressing project files or personal documents into zip or 7z archives in their Downloads or AppData directories before emailing or cloud-uploading

Download portable Sigma rule (.yml)

Other platforms for T1074.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Stage Files to Temp Directory Using CMD Copy
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'copy' and '%TEMP%\staging_test'. Sysmon Event ID 11: Multiple FileCreate events in the staging directory. Security Event ID 4688 (if command-line auditing enabled) showing the copy commands.
Test 2Stage Collected Output Using Append Redirect Operator
Expected signal: Sysmon Event ID 1: Multiple Process Create events for cmd.exe with CommandLine containing '>>' and the staging file path in %TEMP%. Sysmon Event ID 11: FileCreate/FileModify events for collected_data.tmp. The file grows with each command execution.
Test 3Stage Files with Hostname-Username Naming Convention
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing %COMPUTERNAME%_%USERNAME%.txt. Sysmon Event ID 11: FileCreate event in %TEMP% with filename matching Hostname_Username.txt pattern. PowerShell ScriptBlock Log Event ID 4104 with full script content.
Test 4Stage Data in Windows Registry (DarkWatchman Pattern)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe. Sysmon Event ID 13 (RegistryValueSet): Registry value CachedData set under HKCU\SOFTWARE\Microsoft\Notepad with large Base64-encoded data. DeviceRegistryEvents: RegistryValueSet event visible in MDE.

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1074.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Local Data Staging in Sumo Logic CSE

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1074.001

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Collection

Popular Detections

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1074.001

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Collection

Popular Detections

Get new detections in your inbox