Detect Data Staged in CrowdStrike LogScale
Adversaries may stage collected data in a central location or directory prior to exfiltration. Data may be kept in separate files or combined into one file through archiving techniques. Adversaries choose staging to minimize the number of connections made to their C2 server and better evade detection. Staging locations are commonly temp directories, user profile folders, or hidden directories. In cloud environments, adversaries may stage data within a particular instance before exfiltration.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1074 Data Staged
- Canonical reference: https://attack.mitre.org/techniques/T1074/
LogScale Detection Query
// LogScale has no OR or union between whole pipelines, so the three branches are
// expressed as one case{} statement: each event takes the label of the first
// branch it satisfies (an archive write in a staging path is therefore counted once,
// under ArchiveCreated), events matching no branch are dropped, and a single
// groupBy keyed on StagingType produces the per-branch rows.
(#event_simpleName=MotionCaptureFile OR #event_simpleName=NewExecutableWritten OR #event_simpleName=ProcessRollup2)
| rename(field=UserName, as=Actor)
| rename(field=ComputerName, as=Hostname)
| case {
    // Branch 1: archive file written into a staging path
    (#event_simpleName=MotionCaptureFile OR #event_simpleName=NewExecutableWritten)
    | TargetFileName = /(?i)\\(Temp|tmp|AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\/
    | TargetFileName = /(?i)\.(zip|7z|rar|tar\.gz|tar|gz|cab|iso)$/
    | StagingType := "ArchiveCreated";

    // Branch 2: bulk copy utility invoked against a staging directory
    #event_simpleName=ProcessRollup2
    | in(field=FileName, values=["robocopy.exe", "xcopy.exe", "cmd.exe", "powershell.exe"], ignoreCase=true)
    | CommandLine = /(?i)(robocopy|xcopy|copy\s+\/|Copy-Item|cp\s+-r)/
    | CommandLine = /(?i)\\(Temp|tmp|Public|ProgramData)\\/
    | StagingType := "BulkCopyCommand";

    // Branch 3: any other file write into a staging path; the volume threshold is applied after aggregation
    #event_simpleName=MotionCaptureFile
    | TargetFileName = /(?i)\\(Temp|tmp|AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\/
    | StagingType := "BulkFileStaging";
  }
// Process events carry no TargetFileName and file events may lack a command line;
// default the missing group keys so groupBy does not silently drop those events
| default(field=ParentBaseFileName, value="-")
| default(field=FileName, value="-")
| default(field=CommandLine, value="-")
| groupBy([StagingType, Hostname, Actor, ParentBaseFileName, FileName, CommandLine], function=[
    count(as=EventCount),
    collect([TargetFileName], limit=50),
    min(timestamp, as=FirstSeen),
    max(timestamp, as=LastSeen)
  ])
| rename(field=TargetFileName, as=StagingPaths)
// Branch 3 only fires on volume (more than 10 writes from one actor, parent and command line);
// the other two labels pass through unconditionally
| StagingType != "BulkFileStaging" OR EventCount > 10
| DurationSecs := (LastSeen - FirstSeen) / 1000
| IsRapidStaging := if(DurationSecs < 300 AND EventCount >= 10, then=true(), else=false())
| sort(EventCount, order=desc)

CrowdStrike LogScale (Falcon) query detecting T1074 data staging across three branches: archive file creation in staging paths using MotionCaptureFile and NewExecutableWritten events, bulk copy process execution via ProcessRollup2 events, and high-volume file writes to staging directories within short time windows. It uses native Falcon event types and LogScale aggregation functions.
False Positives & Tuning
- CrowdStrike Real Time Response (RTR) sessions where incident responders or IT admins use built-in copy commands to collect forensic artifacts or deploy remediation scripts to staging paths
- Software update mechanisms (e.g., Adobe Acrobat, Google Chrome, Microsoft 365) that stage update packages as archives in %TEMP% or %ProgramData% directories before applying updates
- Data loss prevention (DLP) and CASB agents that scan or archive files in staging directories as part of content inspection workflows, generating high volumes of file events in short periods
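The branch logic of the query above, together with an allowlist of the kind the tuning notes call for, re-implemented offline over constructed Falcon-style events. This is an added example, not code from the page, from CrowdStrike or from LogScale: it exists so the regexes, the volume threshold and the rapid-staging window can be unit-tested without a LogScale instance. Field names follow the query; the event records, the hostnames and the allowlist entries are made up for illustration.

```python
"""Offline mirror of the three T1074 staging branches in the LogScale query,
run over constructed Falcon-style event records (added example, not page code)."""
import re

# Patterns copied from the query; Python's re accepts the same (?i) prefix.
STAGING_PATH = re.compile(
    r"(?i)\\(Temp|tmp|AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\")
ARCHIVE_EXT = re.compile(r"(?i)\.(zip|7z|rar|tar\.gz|tar|gz|cab|iso)$")
COPY_TOOL = re.compile(r"(?i)(robocopy|xcopy|copy\s+/|Copy-Item|cp\s+-r)")
COPY_TARGET = re.compile(r"(?i)\\(Temp|tmp|Public|ProgramData)\\")
COPY_BINARIES = {"robocopy.exe", "xcopy.exe", "cmd.exe", "powershell.exe"}

# Hypothetical tuning allowlist of lower-cased parent images (illustrative updater
# services); a real deployment populates this from its own updater/DLP/RTR baseline.
ALLOWLISTED_PARENTS = frozenset({"googleupdate.exe", "armsvc.exe"})


def classify(ev):
    """Label one event with the first branch it satisfies (case{} semantics), else None."""
    name = ev.get("event_simpleName")
    target = ev.get("TargetFileName", "")
    cmd = ev.get("CommandLine", "")
    # Branch 1: archive written into a staging path
    if name in ("MotionCaptureFile", "NewExecutableWritten") \
            and STAGING_PATH.search(target) and ARCHIVE_EXT.search(target):
        return "ArchiveCreated"
    # Branch 2: copy utility invoked against a staging directory
    if name == "ProcessRollup2" and ev.get("FileName", "").lower() in COPY_BINARIES \
            and COPY_TOOL.search(cmd) and COPY_TARGET.search(cmd):
        return "BulkCopyCommand"
    # Branch 3: any other file write into a staging path (volume-gated in aggregate)
    if name == "MotionCaptureFile" and STAGING_PATH.search(target):
        return "BulkFileStaging"
    return None


def aggregate(events, min_bulk_events=10, rapid_window_secs=300, allowlist=frozenset()):
    """Mirror the query's groupBy: one row per (StagingType, Hostname, Actor, parent,
    FileName, CommandLine) with EventCount, FirstSeen/LastSeen (epoch ms), collected
    StagingPaths, DurationSecs and IsRapidStaging, sorted by EventCount descending.
    Events whose parent image is allowlisted are dropped first (the tuning step)."""
    rows = {}
    for ev in events:
        stype = classify(ev)
        if stype is None or ev.get("ParentBaseFileName", "").lower() in allowlist:
            continue
        key = (stype, ev.get("ComputerName", "-"), ev.get("UserName", "-"),
               ev.get("ParentBaseFileName", "-"), ev.get("FileName", "-"), ev.get("CommandLine", "-"))
        row = rows.setdefault(key, {"StagingType": stype, "Hostname": key[1], "Actor": key[2],
                                    "ParentBaseFileName": key[3], "EventCount": 0, "StagingPaths": [],
                                    "FirstSeen": ev["timestamp"], "LastSeen": ev["timestamp"]})
        row["EventCount"] += 1
        if "TargetFileName" in ev and len(row["StagingPaths"]) < 50:  # collect(..., limit=50)
            row["StagingPaths"].append(ev["TargetFileName"])
        row["FirstSeen"] = min(row["FirstSeen"], ev["timestamp"])
        row["LastSeen"] = max(row["LastSeen"], ev["timestamp"])
    results = []
    for row in rows.values():
        # Branch 3 only fires on volume; the other labels pass through unconditionally
        if row["StagingType"] == "BulkFileStaging" and row["EventCount"] <= min_bulk_events:
            continue
        row["DurationSecs"] = (row["LastSeen"] - row["FirstSeen"]) / 1000
        row["IsRapidStaging"] = row["DurationSecs"] < rapid_window_secs and row["EventCount"] >= min_bulk_events
        results.append(row)
    results.sort(key=lambda r: r["EventCount"], reverse=True)
    return results


# ---- constructed telemetry (made up for this example) -----------------------
BASE_TS = 1_700_000_000_000  # epoch milliseconds, arbitrary


def _file_event(host, user, parent, cmd, target, ts):
    return {"event_simpleName": "MotionCaptureFile", "ComputerName": host, "UserName": user,
            "ParentBaseFileName": parent, "CommandLine": cmd, "TargetFileName": target, "timestamp": ts}


PS_CMD = r"powershell.exe -c Copy-Item C:\Users\alice\Documents\* C:\Users\alice\AppData\Local\Temp\stage"
SAMPLE_EVENTS = (
    # twelve document writes into %TEMP%\stage, five seconds apart: rapid bulk staging
    [_file_event("WS01", "alice", "powershell.exe", PS_CMD,
                 rf"C:\Users\alice\AppData\Local\Temp\stage\doc{i}.docx", BASE_TS + i * 5_000) for i in range(12)]
    # the archive then built from that folder
    + [_file_event("WS01", "alice", "7z.exe", "7z.exe a out.7z stage",
                   r"C:\Users\alice\AppData\Local\Temp\out.7z", BASE_TS + 70_000)]
    # a copy utility run against Windows\Temp (process event, no TargetFileName)
    + [{"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "UserName": "alice",
        "ParentBaseFileName": "cmd.exe", "FileName": "robocopy.exe",
        "CommandLine": r"robocopy.exe C:\Users\alice\Documents C:\Windows\Temp\s /E /COPYALL",
        "timestamp": BASE_TS + 80_000}]
    # benign: an updater dropping a .cab into ProgramData (allowlisted parent)
    + [_file_event("WS02", "SYSTEM", "GoogleUpdate.exe", "-",
                   r"C:\ProgramData\Google\Update\Download\pkg.cab", BASE_TS)]
    # benign: unrelated process start, matches no branch
    + [{"event_simpleName": "ProcessRollup2", "ComputerName": "WS02", "UserName": "bob",
        "ParentBaseFileName": "explorer.exe", "FileName": "notepad.exe",
        "CommandLine": "notepad.exe notes.txt", "timestamp": BASE_TS}]
    # below the volume threshold: three writes into Windows\Temp
    + [_file_event("WS03", "carol", "explorer.exe", "-", rf"C:\Windows\Temp\log{i}.txt", BASE_TS + i * 1_000)
       for i in range(3)]
)

if __name__ == "__main__":
    for r in aggregate(SAMPLE_EVENTS, allowlist=ALLOWLISTED_PARENTS):
        print(r["StagingType"], r["Hostname"], r["Actor"], r["EventCount"], r["IsRapidStaging"])
```

Run stand-alone it prints three rows: the twelve-file burst flagged as rapid bulk staging, the archive creation and the robocopy command. Calling aggregate() without the allowlist yields a fourth row for the updater's .cab write, which is the false positive the tuning list describes; the three sub-threshold writes on WS03 never surface, mirroring the EventCount > 10 gate in the query.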
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Stage Sensitive Files to Temp Directory Using Robocopy
Expected signal: Sysmon Event ID 1: Process Create with Image=robocopy.exe, CommandLine containing source and destination temp paths with /E /COPYALL flags. Sysmon Event ID 11: Multiple FileCreate events in %TEMP%\df00tech-stage\ for each copied file. Security Event ID 4688 (if command line auditing enabled) for robocopy.exe execution. DeviceProcessEvents and DeviceFileEvents will capture this in MDE environments.
- Test 2: Stage and Compress Data Using 7-Zip from Command Line
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with copy command, then 7z.exe with -p flag (password) targeting staging directory. Sysmon Event ID 11: FileCreate events for each copied file in df00tech-collection\, then FileCreate for df00tech-exfil.zip. The -p flag in 7z.exe command line indicates password protection — a high-fidelity indicator of malicious intent.
- Test 3: Stage Data Using PowerShell Copy-Item to ProgramData
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Copy-Item in CommandLine targeting C:\ProgramData\MicrosoftUpdates. Sysmon Event ID 11: Multiple FileCreate events in C:\ProgramData\MicrosoftUpdates\. Sysmon Event ID 12/13: Registry or attribute change if attrib command is monitored. The directory name 'MicrosoftUpdates' is a common masquerading technique — look for this in DeviceFileEvents FolderPath.
- Test 4: Linux Data Staging Using cp and tar
Expected signal: Linux auditd syscall events (if configured): open/creat syscalls for files in /tmp/.df00tech_stage/, execve for cp, find, tar commands. Syslog entries if auditd rules cover /tmp/ writes. If Sysmon for Linux is deployed: Sysmon Event ID 11 for file creations, Event ID 1 for process creation with tar czf command. The hidden directory name (.df00tech_stage with leading dot) indicates deliberate concealment.
- Test 5: Remote Data Staging via Network Share Copy
Expected signal: Sysmon Event ID 1: Process Create for net.exe (net use) with UNC path and xcopy.exe with /E /H /Y flags. Sysmon Event ID 3: Network Connection to target host on port 445 (SMB). Sysmon Event ID 11: FileCreate events in staging directory. Security Event ID 4648 (explicit credential logon) if credentials were provided to net use. Security Event ID 5140/5145 (network share access) on the target host if SMB auditing is enabled.
References
- https://attack.mitre.org/techniques/T1074/
- https://attack.mitre.org/techniques/T1074/001/
- https://attack.mitre.org/techniques/T1074/002/
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
- https://www.huntress.com/blog/inc-ransom-group
- https://www.welivesecurity.com/2021/01/26/operation-spalax-targeted-malware-attacks-colombia/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file
- https://web.archive.org/web/20220224041316/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf