Detect Remote Data Staging in Sumo Logic CSE
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1074 Data Staged
- Sub-technique: T1074.002 Remote Data Staging
- Canonical reference: https://attack.mitre.org/techniques/T1074/002/
Sumo Detection Query
_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where (%"EventCode" = "1" OR %"EventCode" = "11") OR (EventID = 1 OR EventID = 11)
| parse field=TargetFilename "*" as target_filename nodrop
| parse field=Image "*" as process_image nodrop
| parse field=CommandLine "*" as command_line nodrop
| parse field=ParentImage "*" as parent_image nodrop
// Detect archive files created in staging paths
| eval is_staging_path = if(matches(toLowerCase(if(isNull(target_filename), "", target_filename)),
".*[\\\\](temp|tmp|public|programdata|appdata[\\\\]local[\\\\]temp|users[\\\\]public|inetpub[\\\\]wwwroot|wwwroot)[\\\\].*"), 1, 0)
| eval is_archive_file = if(matches(toLowerCase(if(isNull(target_filename), "", target_filename)),
".*\.(zip|rar|7z|tar|gz|bz2|cab|iso|lzh|arj)$"), 1, 0)
// Detect remote copy tool usage to UNC paths
| eval is_remote_copy_tool = if(matches(toLowerCase(if(isNull(process_image), "", process_image)),
".*(xcopy\.exe|robocopy\.exe)$") AND matches(if(isNull(command_line), "", command_line), ".*\\\\\\\\[a-zA-Z0-9].*"), 1, 0)
// Detect UNC target
| eval is_unc_target = if(matches(if(isNull(command_line), "", command_line),
".*\\\\\\\\[a-zA-Z0-9].*"), 1, 0)
// Detect PS/cmd remote copy
| eval is_ps_copy = if(matches(toLowerCase(if(isNull(process_image), "", process_image)),
".*(powershell\.exe|pwsh\.exe|cmd\.exe)$") AND
matches(toLowerCase(if(isNull(command_line), "", command_line)),
".*(copy-item|move-item|xcopy|robocopy|copy |move ).*") AND
matches(if(isNull(command_line), "", command_line), ".*\\\\\\\\[a-zA-Z0-9].*"), 1, 0)
| eval staging_score = is_staging_path + is_archive_file + is_remote_copy_tool + is_unc_target + is_ps_copy
| where staging_score >= 1
| eval detection_type = if(is_archive_file = 1 AND is_staging_path = 1, "ArchiveInStagingDir",
if(is_remote_copy_tool = 1 AND is_unc_target = 1, "RemoteCopyToolToUNC",
if(is_ps_copy = 1, "PSCmdRemoteCopy",
if(is_archive_file = 1, "ArchiveFileCreated",
if(is_staging_path = 1, "FileInStagingDir", "OtherStagingIndicator")))))
| fields _messageTime, Computer, User, process_image, command_line, target_filename, parent_image,
is_staging_path, is_archive_file, is_remote_copy_tool, is_unc_target, is_ps_copy,
staging_score, detection_type
| sort by staging_score desc, _messageTime desc

Sumo Logic query detecting Remote Data Staging with a composite scoring approach across Sysmon Process Create (EventCode 1) and File Create (EventCode 11) events. Each event is scored for staging path usage, archive file creation, remote copy tool execution, UNC path targeting, and PowerShell/cmd remote copy behaviour, and the highest-scoring events are listed first.
Data Sources
- Sysmon Event ID 1 (Process Create) and Event ID 11 (File Create) from Windows endpoints, ingested into a source category matching *windows* or *sysmon*. The query accepts either EventCode or EventID as the event-number field so that it works with both common Windows event collectors.
Required Tables
- None. The query runs directly against the Sysmon source category and parses TargetFilename, Image, CommandLine and ParentImage from the events themselves; no lookup tables are referenced.
False Positives & Tuning
- Enterprise file synchronization tools (Dropbox, OneDrive sync client, SharePoint mapped drives) that copy files, including archives, to shared network locations
- CI/CD build agents (Jenkins, TeamCity) that archive build outputs to staging directories as part of release pipeline processes
- DBA scripts that export and compress database backups to network shares via PowerShell scheduled tasks
- The threshold of staging_score >= 1 means every file written under Temp, ProgramData or AppData\Local\Temp is surfaced as FileInStagingDir, which is far too noisy for alerting on a general endpoint population. Raise the threshold to 2, or alert only on the ArchiveInStagingDir, RemoteCopyToolToUNC and PSCmdRemoteCopy detection types, and keep the score-1 results for hunting
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Stage Files to Remote SMB Share via xcopy
  Expected signal:
  - Sysmon Event ID 1: Process Create for xcopy.exe with CommandLine containing the UNC path '\\127.0.0.1\StagingTest$'.
  - Sysmon Event ID 11: File Create events on the destination share.
  - Security Event ID 5140 (if share auditing is enabled): network share 'StagingTest$' accessed.
  - Security Event ID 4688 (if command line auditing is enabled): xcopy.exe process creation with the full command line.
- Test 2: Archive and Stage Collected Files in Public Directory
  Expected signal:
  - Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Compress-Archive' and 'C:\Users\Public'.
  - Sysmon Event ID 11: File Create event for the .zip file in C:\Users\Public\staging_test\.
  - PowerShell ScriptBlock Logging Event ID 4104: records the Compress-Archive command.
- Test 3: Stage Data in Web-Accessible Directory
  Expected signal:
  - Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Compress-Archive' and 'C:\inetpub\wwwroot'.
  - Sysmon Event ID 11: File Create event for the .zip file in C:\inetpub\wwwroot\uploads\.
  - PowerShell ScriptBlock Logging Event ID 4104 with the full command.
- Test 4: Remote Staging via PowerShell Copy-Item to UNC Path
  Expected signal:
  - Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Copy-Item' and '\\127.0.0.1\RemoteStage$'.
  - Sysmon Event ID 11: File Create events on the destination share path.
  - Sysmon Event ID 3: Network connection from powershell.exe to 127.0.0.1 on port 445 (SMB).
  - Security Event ID 5140 (if share auditing is enabled): network share access event.
References (15)
- https://attack.mitre.org/techniques/T1074/002/
- https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf
- https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- https://www.secureworks.com/research/bronze-union
- https://www.fireeye.com/content/dam/fireeye-www/summit/ciso-summit-2016/cs16-know-your-enemy-fin8.pdf
- https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-fin6.pdf
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200a
- https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
- https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/
- https://securelist.com/toddycat-check-logs/110696/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.002/T1074.002.md