title: Remote Data Staging (T1074.002)
id: df00tech-t1074-002
status: experimental
description: "Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection."
references:
  - https://attack.mitre.org/techniques/T1074/002/
  - https://df00tech.com/detections/T1074.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1074.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT backup solutions (Veeam, Backup Exec, Windows Server Backup) legitimately copy large volumes of files to remote UNC shares on a scheduled basis"
  - "Software deployment tools (SCCM, Intune, PDQ Deploy) using robocopy or xcopy to distribute installers to staging directories across the environment"
  - "Developers or build systems copying compiled artifacts to shared network paths (CI/CD pipelines using MSBuild, Jenkins agents)"
  - "System administrators running manual robocopy/xcopy migration jobs during server decommissions or data migrations"
  - "Antivirus or DLP solutions quarantining files to a centralized staging directory"
level: high
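The rule above leaves its `selection` as a placeholder, so the following is an added example (not the df00tech rule's logic and not the KQL/SPL query hosted on df00tech.com) of what a process_creation detection for this behaviour looks like in code: it takes Sysmon-style process events (`Image`, `CommandLine`, `ParentImage`, `User`), flags the built-in copy utilities named in the false-positive list (robocopy, xcopy, and `copy`/`move` run through cmd.exe) when their command line carries a UNC destination, and suppresses events whose parent is a known backup or deployment agent. The sample events and the parent-process allowlist are constructed for the example; a real deployment would populate the allowlist from its own inventory.

```python
"""Added example: detect built-in copy utilities writing to a remote UNC
share (T1074.002 remote data staging) over constructed process_creation
events, with the backup/deployment exclusions from the rule's
falsepositives list. Not part of the df00tech rule."""
import re
from dataclasses import dataclass
from typing import Iterable

# A UNC target such as \\fileserver\staging\dump: two backslashes, host,
# backslash, then share and optional path (no whitespace or quotes in host).
UNC_RE = re.compile(r'\\\\[^\\\s"]+\\\S+')

# Stand-alone copy utilities the false-positive list mentions.
COPY_IMAGES = {"robocopy.exe", "xcopy.exe"}
# cmd.exe is only interesting when it runs a copy/move built-in or utility.
CMD_COPY_RE = re.compile(r"\b(copy|move|xcopy|robocopy)\b", re.IGNORECASE)

# Constructed allowlist of parent images for scheduled backup / deployment
# jobs (Veeam, SCCM, Jenkins style agents). These names are assumptions for
# the example; populate from your own environment.
ALLOWED_PARENTS = {"veeamagent.exe", "ccmexec.exe", "jenkins-agent.exe"}


@dataclass
class ProcessEvent:
    image: str          # Sysmon Image / 4688 NewProcessName
    command_line: str   # Sysmon CommandLine
    parent_image: str   # Sysmon ParentImage
    user: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_copy_to_unc(ev: ProcessEvent) -> bool:
    """True when the process is a copy utility and its arguments contain a UNC path."""
    name = basename(ev.image)
    if name in COPY_IMAGES:
        uses_copy = True
    elif name == "cmd.exe":
        uses_copy = CMD_COPY_RE.search(ev.command_line) is not None
    else:
        uses_copy = False
    return uses_copy and UNC_RE.search(ev.command_line) is not None


def detect_remote_staging(events: Iterable[ProcessEvent]) -> list[dict]:
    """Return one finding per copy-to-UNC event not explained by an allowlisted parent."""
    hits = []
    for ev in events:
        if not is_copy_to_unc(ev):
            continue
        if basename(ev.parent_image) in ALLOWED_PARENTS:
            continue  # scheduled backup/deployment job: documented false positive
        target = UNC_RE.search(ev.command_line).group(0)
        hits.append({"user": ev.user, "image": basename(ev.image), "target": target})
    return hits


# Constructed sample events: two should fire, three should not.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\robocopy.exe",
                 r"robocopy C:\Users\alice\Documents \\fileserver\staging\dump /E /R:1",
                 r"C:\Windows\System32\cmd.exe", "CORP\alice"),
    ProcessEvent(r"C:\Windows\System32\xcopy.exe",
                 r"xcopy C:\Data \\fs01\backup\nightly /S /Y",
                 r"C:\Program Files\Veeam\VeeamAgent.exe", "NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c copy C:\Finance\*.xlsx \\10.0.0.5\share\out",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CORP\bob"),
    ProcessEvent(r"C:\Windows\System32\robocopy.exe",
                 r"robocopy C:\src D:\dst /MIR",
                 r"C:\Windows\System32\cmd.exe", "CORP\carol"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe \\fs\share\notes.txt",
                 r"C:\Windows\explorer.exe", "CORP\dave"),
]


def run_sample() -> list[dict]:
    return detect_remote_staging(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['user']} ran {hit['image']} to {hit['target']}")
```

The parent-image allowlist is where the rule's false positives are handled; keeping it explicit (rather than lowering the rule level) preserves the high-severity alert for interactive shells and scripting hosts driving bulk copies to shares.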
