title: Local Data Staging (T1074.001)
id: df00tech-t1074-001
status: experimental
description: "Adversaries may stage collected data in a central location or directory on the local system prior to exfiltration. Data may be kept in separate files or combined into one file through archiving techniques. Adversaries commonly use temp directories, hidden folders, or application data paths to aggregate stolen files, credentials, screenshots, keylogger output, and memory dumps before transferring them out. Interactive command shells (cmd.exe, bash) and scripting languages are frequently used to copy and consolidate data into staging locations."
references:
  - https://attack.mitre.org/techniques/T1074/001/
  - https://df00tech.com/detections/T1074.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1074.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Backup software or IT tools (Acronis, Veeam, Windows Backup) writing archives to temp directories during scheduled backup jobs"
  - "Software installers and update mechanisms that extract files to %TEMP% or %ProgramData% as part of legitimate installation workflows"
  - "Log aggregation or diagnostic tools that consolidate logs into temp folders for upload to centralized logging systems"
  - "Developer workflows where build systems (MSBuild, CMake, npm) create temporary archives or data files in project directories"
level: medium
