T1074.002

Remote Data Staging

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.

Microsoft Sentinel / Defender

kusto

let StagingPaths = dynamic([
  "\\Temp\\", "\\tmp\\", "\\Public\\", "\\ProgramData\\",
  "\\Windows\\Temp\\", "\\AppData\\Local\\Temp\\",
  "\\inetpub\\wwwroot\\", "\\wwwroot\\",
  "\\Users\\Public\\", "\\Recycle", "\\$Recycle"
]);
let StagingTools = dynamic([
  "xcopy", "robocopy", "copy", "move", "compress-archive",
  "zip", "7z", "rar", "tar", "compact"
]);
let LargeFileExtensions = dynamic([
  ".zip", ".rar", ".7z", ".tar", ".gz", ".bz2",
  ".cab", ".iso", ".lzh", ".arj"
]);
// Detection 1: Large archive files created in staging-like directories
let ArchiveInStagingDir = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath has_any (StagingPaths)
| where FileName has_any (LargeFileExtensions)
| project Timestamp, DeviceName, AccountName, FolderPath, FileName,
          FileSize, InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, DetectionType = "ArchiveInStagingDir";
// Detection 2: xcopy/robocopy copying to remote UNC paths
let RemoteCopyTool = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("xcopy.exe", "robocopy.exe", "copy") or
        ProcessCommandLine has_any ("xcopy", "robocopy")
| where ProcessCommandLine has "\\\\"
| where ProcessCommandLine matches regex @"\\\\\\.+\\"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionType = "RemoteCopyToUNCPath";
// Detection 3: PowerShell/cmd copying to remote shares
let PSRemoteCopy = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
| where ProcessCommandLine has_any ("copy", "xcopy", "robocopy", "Move-Item", "Copy-Item")
| where ProcessCommandLine has "\\\\"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionType = "PSCmdRemoteCopy";
// Union all detections
ArchiveInStagingDir
| union RemoteCopyTool
| union PSRemoteCopy
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Creation Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

IT backup solutions (Veeam, Backup Exec, Windows Server Backup) legitimately copy large volumes of files to remote UNC shares on a scheduled basis
Software deployment tools (SCCM, Intune, PDQ Deploy) using robocopy or xcopy to distribute installers to staging directories across the environment
Developers or build systems copying compiled artifacts to shared network paths (CI/CD pipelines using MSBuild, Jenkins agents)
System administrators running manual robocopy/xcopy migration jobs during server decommissions or data migrations
Antivirus or DLP solutions quarantining files to a centralized staging directory

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=11))
| eval EventType=case(
    EventCode=1, "ProcessCreate",
    EventCode=11, "FileCreate",
    true(), "Unknown"
  )
| eval IsStagingPath=if(
    match(coalesce(TargetFilename, Image), "(?i)(\\\\temp\\\\|\\\\tmp\\\\|\\\\public\\\\|\\\\programdata\\\\|\\\\inetpub\\\\wwwroot\\\\|\\\\wwwroot\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\users\\\\public\\\\)"),
    1, 0)
| eval IsArchiveFile=if(
    match(lower(coalesce(TargetFilename, "")), "(\.zip|\.rar|\.7z|\.tar|\.gz|\.cab|\.iso|\.bz2)$"),
    1, 0)
| eval IsRemoteCopyTool=if(
    EventCode=1 AND match(lower(Image), "(xcopy\.exe|robocopy\.exe)"),
    1, 0)
| eval IsUNCTarget=if(
    EventCode=1 AND match(CommandLine, "\\\\\\\\[a-zA-Z0-9]"),
    1, 0)
| eval IsPSCopy=if(
    EventCode=1 AND match(lower(Image), "(powershell\.exe|pwsh\.exe|cmd\.exe)") AND
    match(lower(CommandLine), "(copy-item|move-item|xcopy|robocopy|copy\s|move\s)") AND
    match(CommandLine, "\\\\\\\\[a-zA-Z0-9]"),
    1, 0)
| eval StagingScore = IsStagingPath + IsArchiveFile + IsRemoteCopyTool + IsUNCTarget + IsPSCopy
| where StagingScore >= 1
| eval DetectionType=case(
    IsArchiveFile=1 AND IsStagingPath=1, "ArchiveInStagingDir",
    IsRemoteCopyTool=1 AND IsUNCTarget=1, "RemoteCopyToolToUNC",
    IsPSCopy=1, "PSCmdRemoteCopy",
    IsArchiveFile=1, "ArchiveFileCreated",
    IsStagingPath=1, "FileInStagingDir",
    true(), "OtherStagingIndicator"
  )
| table _time, host, User, Image, CommandLine, TargetFilename, ParentImage, ParentCommandLine,
        IsStagingPath, IsArchiveFile, IsRemoteCopyTool, IsUNCTarget, IsPSCopy,
        StagingScore, DetectionType, EventType
| sort - StagingScore, - _time

high severity medium confidence

Data Sources

File: File Creation Process: Process Creation Command: Command Execution Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT backup solutions (Veeam, Backup Exec, Windows Server Backup) legitimately copy large volumes of files to remote UNC shares on a scheduled basis
Software deployment tools (SCCM, Intune, PDQ Deploy) using robocopy or xcopy to distribute installers to staging directories across the environment
Developers or build systems copying compiled artifacts to shared network paths (CI/CD pipelines using MSBuild, Jenkins agents)
System administrators running manual robocopy/xcopy migration jobs during server decommissions or data migrations
Antivirus or DLP solutions quarantining files to a centralized staging directory

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "QIDNAME(qid)" AS event_name,
  "CATEGORYNAME(category)" AS category,
  LOGSOURCENAME(logsourceid) AS log_source,
  "CommandLine",
  "ParentImage",
  "Image",
  "TargetFilename",
  CASE
    WHEN LOWER("TargetFilename") MATCHES '.*\.(zip|rar|7z|tar\.gz|gz|bz2|cab|iso)$'
         AND LOWER("TargetFilename") MATCHES '.*(\\temp\\|\\tmp\\|\\public\\|\\programdata\\|\\appdata\\local\\temp\\|\\users\\public\\|\\inetpub\\wwwroot\\).*'
    THEN 'ArchiveInStagingDir'
    WHEN LOWER("Image") MATCHES '.*(xcopy\.exe|robocopy\.exe)$'
         AND "CommandLine" MATCHES '.*\\\\[a-zA-Z0-9].*'
    THEN 'RemoteCopyToolToUNC'
    WHEN LOWER("Image") MATCHES '.*(powershell\.exe|pwsh\.exe|cmd\.exe)$'
         AND LOWER("CommandLine") MATCHES '.*(copy-item|move-item|xcopy|robocopy|copy |move ).*'
         AND "CommandLine" MATCHES '.*\\\\[a-zA-Z0-9].*'
    THEN 'PSCmdRemoteCopy'
    ELSE 'OtherStagingIndicator'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID IN (12) -- Sysmon
  AND qid IN (
    SELECT qid FROM qidmap WHERE qidname IN ('Process Create', 'File created')
  )
  AND (
    (
      LOWER("TargetFilename") MATCHES '.*\.(zip|rar|7z|tar|gz|bz2|cab|iso|lzh|arj)$'
      AND LOWER("TargetFilename") MATCHES '.*(\\temp\\|\\tmp\\|\\public\\|\\programdata\\|\\appdata\\local\\temp\\|\\users\\public\\|\\inetpub\\|\\wwwroot\\).*'
    )
    OR (
      LOWER("Image") MATCHES '.*(xcopy\.exe|robocopy\.exe)$'
      AND "CommandLine" MATCHES '.*\\\\[a-zA-Z0-9].*'
    )
    OR (
      LOWER("Image") MATCHES '.*(powershell\.exe|pwsh\.exe|cmd\.exe)$'
      AND LOWER("CommandLine") MATCHES '.*(copy-item|move-item|xcopy|robocopy).*'
      AND "CommandLine" MATCHES '.*\\\\[a-zA-Z0-9].*'
    )
  )
  AND starttime > (NOW() - 86400000)
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon via Windows log source QRadar Windows Security DSM

Required Tables

events

False Positives

Automated nightly backup scripts using robocopy to replicate files to NAS devices or network shares as part of approved data protection policy
Application installers that extract archives to %TEMP% or %ProgramData% as part of normal installation workflows
Security scanning tools that create compressed snapshots of data in temp directories for hash verification purposes

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where (%"EventCode" = "1" OR %"EventCode" = "11") OR (EventID = 1 OR EventID = 11)
| parse field=TargetFilename "*" as target_filename nodrop
| parse field=Image "*" as process_image nodrop
| parse field=CommandLine "*" as command_line nodrop
| parse field=ParentImage "*" as parent_image nodrop
// Detect archive files created in staging paths
| eval is_staging_path = if(matches(toLowerCase(if(isNull(target_filename), "", target_filename)),
    ".*[\\\\](temp|tmp|public|programdata|appdata[\\\\]local[\\\\]temp|users[\\\\]public|inetpub[\\\\]wwwroot|wwwroot)[\\\\].*"), 1, 0)
| eval is_archive_file = if(matches(toLowerCase(if(isNull(target_filename), "", target_filename)),
    ".*\.(zip|rar|7z|tar|gz|bz2|cab|iso|lzh|arj)$"), 1, 0)
// Detect remote copy tool usage to UNC paths
| eval is_remote_copy_tool = if(matches(toLowerCase(if(isNull(process_image), "", process_image)),
    ".*(xcopy\.exe|robocopy\.exe)$") AND matches(if(isNull(command_line), "", command_line), ".*\\\\\\\\[a-zA-Z0-9].*"), 1, 0)
// Detect UNC target
| eval is_unc_target = if(matches(if(isNull(command_line), "", command_line),
    ".*\\\\\\\\[a-zA-Z0-9].*"), 1, 0)
// Detect PS/cmd remote copy
| eval is_ps_copy = if(matches(toLowerCase(if(isNull(process_image), "", process_image)),
    ".*(powershell\.exe|pwsh\.exe|cmd\.exe)$") AND
    matches(toLowerCase(if(isNull(command_line), "", command_line)),
    ".*(copy-item|move-item|xcopy|robocopy|copy |move ).*") AND
    matches(if(isNull(command_line), "", command_line), ".*\\\\\\\\[a-zA-Z0-9].*"), 1, 0)
| eval staging_score = is_staging_path + is_archive_file + is_remote_copy_tool + is_unc_target + is_ps_copy
| where staging_score >= 1
| eval detection_type = if(is_archive_file = 1 AND is_staging_path = 1, "ArchiveInStagingDir",
    if(is_remote_copy_tool = 1 AND is_unc_target = 1, "RemoteCopyToolToUNC",
    if(is_ps_copy = 1, "PSCmdRemoteCopy",
    if(is_archive_file = 1, "ArchiveFileCreated",
    if(is_staging_path = 1, "FileInStagingDir", "OtherStagingIndicator")))))
| fields _messageTime, Computer, User, process_image, command_line, target_filename, parent_image,
         is_staging_path, is_archive_file, is_remote_copy_tool, is_unc_target, is_ps_copy,
         staging_score, detection_type
| sort by staging_score desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Windows Source (Sysmon) Sumo Logic Installed Collector on Windows endpoints

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Enterprise file synchronization tools (Dropbox, OneDrive sync client, SharePoint mapped drives) that copy files including archives to shared network locations
CI/CD build agents (Jenkins, TeamCity) that archive build outputs to staging directories as part of release pipeline processes
DBA scripts that export and compress database backups to network shares via PowerShell scheduled tasks

Google Chronicle / SecOps

yaral

rule t1074_002_remote_data_staging {
  meta:
    author = "Detection Engineering"
    description = "Detects Remote Data Staging (T1074.002) - archive file creation in staging directories and remote copy tool usage to UNC paths"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1074.002"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1074/002/"
    created = "2026-04-13"
    version = "1.0"

  events:
    // Event variable for file creation in staging directory
    $file_event.metadata.event_type = "FILE_CREATION"
    $file_event.principal.hostname = $hostname
    (
      re.regex($file_event.target.file.full_path, `(?i)\\(temp|tmp|public|programdata|appdata\\local\\temp|users\\public|inetpub\\wwwroot|wwwroot)\\`)
    )
    re.regex($file_event.target.file.full_path, `(?i)\.(zip|rar|7z|tar|gz|bz2|cab|iso|lzh|arj)$`)

    // Event variable for process execution using copy/archive tools
    $proc_event.metadata.event_type = "PROCESS_LAUNCH"
    $proc_event.principal.hostname = $hostname
    (
      // Remote copy tools to UNC paths
      (
        re.regex($proc_event.target.process.file.full_path, `(?i)(xcopy\.exe|robocopy\.exe)$`) and
        re.regex($proc_event.target.process.command_line, `\\\\[a-zA-Z0-9]`)
      ) or
      // PowerShell/cmd remote copy
      (
        re.regex($proc_event.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe)$`) and
        re.regex($proc_event.target.process.command_line, `(?i)(copy-item|move-item|xcopy|robocopy)`) and
        re.regex($proc_event.target.process.command_line, `\\\\[a-zA-Z0-9]`)
      ) or
      // Compression tools creating archives
      re.regex($proc_event.target.process.file.full_path, `(?i)(7z\.exe|7za\.exe|rar\.exe|winrar\.exe|compact\.exe|tar\.exe)$`)
    )

  match:
    $hostname over 5m

  condition:
    $file_event and $proc_event
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) - File and Process events Chronicle Forwarder from Windows endpoints

Required Tables

FILE_CREATION UDM events PROCESS_LAUNCH UDM events

False Positives

Automated system imaging tools (Symantec Ghost, Clonezilla) that compress and stage disk images in temp directories before transferring to deployment servers
Log archival processes that regularly compress log files in ProgramData or temp directories and move them to centralized log storage via UNC shares
Software packaging tools (NSIS, InstallShield) that create compressed installer archives in staging directories during build processes

CrowdStrike LogScale (CQL)

cql

// Detection 1: Archive file creation in staging directories
#event_simpleName = "FileWritten"
| TargetFileName = /(?i)\.(zip|rar|7z|tar|gz|bz2|cab|iso|lzh|arj)$/
| TargetFileName = /(?i)\\(temp|tmp|public|programdata|appdata\\local\\temp|users\\public|inetpub\\wwwroot|wwwroot)\\/
| eval DetectionType = "ArchiveInStagingDir"
| table(_time, ComputerName, UserName, TargetFileName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType)

// Detection 2: xcopy/robocopy to remote UNC paths
| union [
  #event_simpleName = "ProcessRollup2"
  | ImageFileName = /(?i)(xcopy\.exe|robocopy\.exe)$/
  | CommandLine = /\\\\\\/
  | eval DetectionType = "RemoteCopyToolToUNC"
  | table(_time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType)
]

// Detection 3: PowerShell/cmd staging via remote copy
| union [
  #event_simpleName = "ProcessRollup2"
  | ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe)$/
  | CommandLine = /(?i)(copy-item|move-item|xcopy|robocopy)/
  | CommandLine = /\\\\\\/
  | eval DetectionType = "PSCmdRemoteCopy"
  | table(_time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType)
]

// Aggregate and sort
| groupBy([ComputerName, UserName, DetectionType, ImageFileName, CommandLine, ParentBaseFileName], function=([count(as=EventCount), min(_time, as=FirstSeen), max(_time, as=LastSeen)]))
| sort(LastSeen, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Detection Falcon Data Replicator (FDR) CrowdStrike LogScale (Humio)

Required Tables

#event_simpleName=FileWritten #event_simpleName=ProcessRollup2

False Positives

Endpoint management solutions (SCCM, Intune, Tanium) that deploy software packages by staging compressed installers to %ProgramData% or %TEMP% then executing them
Robocopy-based folder redirection or profile migration tasks executed by domain GPO scripts during user logon to corporate workstations
Developers using PowerShell Copy-Item in build scripts to publish artifacts to shared development network drives (e.g., \\buildserver\drops\)

Last updated: 2026-04-13 Research depth: deep

References (15)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1074.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Remote Data Staging

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections