title: Data Staged (T1074)
id: df00tech-t1074
status: experimental
description: "Adversaries may stage collected data in a central location or directory prior to exfiltration. Data may be kept in separate files or combined into one file through archiving techniques. Adversaries choose staging to minimize the number of connections made to their C2 server and better evade detection. Staging locations are commonly temp directories, user profile folders, or hidden directories. In cloud environments, adversaries may stage data within a particular instance before exfiltration."
references:
  - https://attack.mitre.org/techniques/T1074/
  - https://df00tech.com/detections/T1074
author: df00tech
date: 2026/04/18
tags:
  - attack.t1074
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
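  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: the '*' wildcard matches any event that carries an
  # EventID field, so it does not identify staging activity until it is replaced with real logic.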
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software installation processes that extract files to temp directories during setup (installers, MSI packages)"
  - "Backup agents (Veeam, Backup Exec, Windows Backup) that stage files before writing to backup media"
  - "Software deployment tools (SCCM, Intune) copying update packages to staging directories"
  - Log aggregation tools that collect and consolidate logs into a single directory for shipping
  - Developers using robocopy/xcopy in legitimate build scripts or deployment pipelines
level: high
