Which SIEM platforms have a T1074 detection rule?

df00tech provides T1074 (Data Staged) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Data Staged (T1074)?

Detecting Data Staged requires the following data sources: File: File Creation, File: File Modification, Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1074 detection?

The T1074 detection is rated high severity with medium confidence.

What are common false positives for T1074?

Common false positives for T1074 include: Software installation processes that extract files to temp directories during setup (installers, MSI packages); Backup agents (Veeam, Backup Exec, Windows Backup) that stage files before writing to backup media; Software deployment tools (SCCM, Intune) copying update packages to staging directories.

T1074 Elastic Security · Elastic

Detect Data Staged in Elastic Security

Adversaries may stage collected data in a central location or directory prior to exfiltration. Data may be kept in separate files or combined into one file through archiving techniques. Adversaries choose staging to minimize the number of connections made to their C2 server and better evade detection. Staging locations are commonly temp directories, user profile folders, or hidden directories. In cloud environments, adversaries may stage data within a particular instance before exfiltration.

MITRE ATT&CK

Tactic: Collection
Technique: T1074 Data Staged
Canonical reference: https://attack.mitre.org/techniques/T1074/

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by host.name, user.name with maxspan=10m
  [file where event.action in ("creation", "overwrite") and
   file.path : ("*\\Temp\\*", "*\\tmp\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*") and
   not process.name in ("MsMpEng.exe", "SenseIR.exe", "WindowsDefender.exe", "svchost.exe")
  ] with runs=10

OR

any where
  (event.category == "file" and event.action in ("creation", "overwrite") and
   file.path : ("*\\Temp\\*", "*\\tmp\\*", "*\\AppData\\Local\\Temp\\*", "*\\Users\\Public\\*", "*\\ProgramData\\*", "*\\Windows\\Temp\\*") and
   file.extension in ("zip", "7z", "rar", "tar", "gz", "cab", "iso"))
  OR
  (event.category == "process" and event.type == "start" and
   process.name in ("robocopy.exe", "xcopy.exe", "cmd.exe", "powershell.exe") and
   process.args : ("*robocopy*", "*xcopy*", "*copy /*", "*Copy-Item*") and
   process.command_line : ("*\\Temp\\*", "*\\tmp\\*", "*\\Public\\*", "*\\ProgramData\\*"))

medium severity medium confidence

Detects data staging behavior consistent with T1074 by identifying bulk file creation in common staging directories, archive file creation in staging paths, and bulk copy commands targeting staging locations. Uses ECS fields from Elastic endpoint and Sysmon integrations.

Data Sources

Elastic Endpoint SecurityElastic Agent with Sysmon integrationWindows Event Logs via Filebeat

Required Tables

logs-endpoint.events.file-*logs-endpoint.events.process-*logs-system.security-*

False Positives & Tuning

Software installation or update processes that stage files in Temp directories (e.g., Windows Update, MSI installers, package managers like Chocolatey)
Backup software (e.g., Veeam, Acronis, Windows Backup) creating archive files in ProgramData or Temp directories as part of legitimate backup jobs
Developer tooling such as build systems (MSBuild, CMake), CI/CD agents (Jenkins, GitLab Runner), or Docker image layers staging files during compilation or container builds

Download portable Sigma rule (.yml)

Other platforms for T1074

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Stage Sensitive Files to Temp Directory Using Robocopy
Expected signal: Sysmon Event ID 1: Process Create with Image=robocopy.exe, CommandLine containing source and destination temp paths with /E /COPYALL flags. Sysmon Event ID 11: Multiple FileCreate events in %TEMP%\df00tech-stage\ for each copied file. Security Event ID 4688 (if command line auditing enabled) for robocopy.exe execution. DeviceProcessEvents and DeviceFileEvents will capture this in MDE environments.
Test 2Stage and Compress Data Using 7-Zip from Command Line
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with copy command, then 7z.exe with -p flag (password) targeting staging directory. Sysmon Event ID 11: FileCreate events for each copied file in df00tech-collection\, then FileCreate for df00tech-exfil.zip. The -p flag in 7z.exe command line indicates password protection — a high-fidelity indicator of malicious intent.
Test 3Stage Data Using PowerShell Copy-Item to ProgramData
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Copy-Item in CommandLine targeting C:\ProgramData\MicrosoftUpdates. Sysmon Event ID 11: Multiple FileCreate events in C:\ProgramData\MicrosoftUpdates\. Sysmon Event ID 12/13: Registry or attribute change if attrib command is monitored. The directory name 'MicrosoftUpdates' is a common masquerading technique — look for this in DeviceFileEvents FolderPath.
Test 4Linux Data Staging Using cp and tar
Expected signal: Linux auditd syscall events (if configured): open/creat syscalls for files in /tmp/.df00tech_stage/, execve for cp, find, tar commands. Syslog entries if auditd rules cover /tmp/ writes. If Sysmon for Linux is deployed: Sysmon Event ID 11 for file creations, Event ID 1 for process creation with tar czf command. The hidden directory name (.df00tech_stage with leading dot) indicates deliberate concealment.
Test 5Remote Data Staging via Network Share Copy
Expected signal: Sysmon Event ID 1: Process Create for net.exe (net use) with UNC path and xcopy.exe with /E /H /Y flags. Sysmon Event ID 3: Network Connection to target host on port 445 (SMB). Sysmon Event ID 11: FileCreate events in staging directory. Security Event ID 4648 (explicit credential logon) if credentials were provided to net use. Security Event ID 5140/5145 (network share access) on the target host if SMB auditing is enabled.

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1074 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Data Staged in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1074

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Related Techniques

Same Tactic: Collection

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1074

Testing Methodology

Unlock Pro Content

Related Detections

Sub-techniques (2)

Related Techniques

Same Tactic: Collection

Popular Detections

Get new detections in your inbox