MITRE ATT&CK® Detection Strategy

DET0014: Detection of Data Staging Prior to Exfiltration


Domain: Enterprise · ID: DET0014 · Type: Detection Strategy · Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0014 is about recognizing when an adversary has gathered data into a staging location before exfiltration. For leaders, this matters because staging is often the point where a data-theft incident becomes measurable and containable: defenders may still have time to identify what was collected, stop outbound movement, preserve evidence, and support legal, regulatory, and business-impact decisions.

Executive priority

Prioritize this as a resilience and incident-readiness control for environments where sensitive data exists on systems aligned to the related ATT&CK technique T1074, including ESXi, IaaS, Linux, and macOS. Executives should ask whether SOC and IR teams can prove visibility into unusual file aggregation, archive creation, and movement into centralized directories before exfiltration occurs. This evidence is also useful for breach scoping, compliance reporting, and determining whether containment must focus on hosts, cloud storage, identities, or network egress.

Technical view

The supplied ATT&CK object has no official detection text and no platforms of its own, but it detects T1074 Data Staged under the collection tactic. Detection engineering should validate telemetry for signs that collected data is being copied, consolidated, or archived into staging locations. Focus on relationship-driven behaviors: command-shell activity, bash or cmd-style copy operations where applicable, archive creation related to collected data, and abnormal concentration of files in central directories or cloud/IaaS storage paths. Tune around legitimate backup, packaging, migration, and administrative workflows.

Likely telemetry

  • File creation, modification, rename, and copy events showing bulk movement or consolidation
  • Process execution telemetry for shells and file/archive utilities
  • Command-line arguments where available
  • Archive file creation and growth events
  • Directory and storage object access logs for central staging locations

Detection direction

  • Validate whether monitoring can distinguish ordinary administrative collection from unusual staging based on volume, destination path, file type, timing, and initiating account.
  • Correlate file aggregation with archive creation techniques, because the related ATT&CK description notes that staged data may be combined into one file.
  • Look for interactive shell-driven copy or consolidation behavior, especially where it is uncommon for the host, workload, or user.
  • Baseline legitimate backup, log collection, deployment packaging, and data-processing jobs to reduce false positives.
  • Correlate staging indicators with identity context, cloud audit events, and subsequent exfiltration-related telemetry to support incident triage.
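The detection direction above describes a correlation rather than a single indicator: many files landing in one directory within a short window, drawn from several unrelated source locations, by an account that is not baselined to stage data there, optionally followed by an archive being created in the same directory. The following is an added example of that logic, written for this page and not taken from MITRE or Glexia. The log format, host names, paths, the approved-staging baseline and the business-hours range are all constructed assumptions; a real deployment would map its own file-event telemetry onto the `FileEvent` fields and populate `APPROVED_STAGING` from the baselining step recommended above.

```python
"""Flag bulk file consolidation into one directory, then check for archive creation."""
import posixpath
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample telemetry in an invented key=value format (not any product's real schema).
# web01: an interactive shell copies files from four unrelated directories into a hidden temp
# directory, then tar packages them. db01: an approved backup job. ws22: ordinary user activity.
SAMPLE_LOG = """\
2024-05-01T02:10:05Z host=web01 user=jdoe proc=bash action=copy path=/tmp/.cache/q1.xlsx src=/home/alice/finance/q1.xlsx
2024-05-01T02:10:09Z host=web01 user=jdoe proc=bash action=copy path=/tmp/.cache/q2.xlsx src=/home/alice/finance/q2.xlsx
2024-05-01T02:10:31Z host=web01 user=jdoe proc=bash action=copy path=/tmp/.cache/clients.csv src=/srv/crm/export/clients.csv
2024-05-01T02:11:02Z host=web01 user=jdoe proc=bash action=copy path=/tmp/.cache/contracts.pdf src=/srv/legal/contracts.pdf
2024-05-01T02:11:40Z host=web01 user=jdoe proc=bash action=copy path=/tmp/.cache/payroll.csv src=/srv/hr/payroll.csv
2024-05-01T02:13:12Z host=web01 user=jdoe proc=tar action=create path=/tmp/.cache/out.tar.gz
2024-05-01T03:00:00Z host=db01 user=backup-svc proc=pg_dump action=create path=/var/backups/db-20240501.dump
2024-05-01T03:00:02Z host=db01 user=backup-svc proc=tar action=create path=/var/backups/db-20240501.tar.gz
2024-05-01T09:15:00Z host=ws22 user=carol proc=explorer action=copy path=/home/carol/Documents/notes.txt src=/home/carol/Downloads/notes.txt
"""

# Baseline of business-approved (account, staging-directory prefix) pairs. Assumed values; each
# environment supplies its own list after baselining legitimate backup and packaging jobs.
APPROVED_STAGING = {("backup-svc", "/var/backups/")}
ARCHIVE_EXT = (".zip", ".tar", ".tar.gz", ".tgz", ".7z", ".rar")
BUSINESS_HOURS_UTC = range(7, 19)  # assumed; only annotates alerts with a timing signal


@dataclass
class FileEvent:
    ts: datetime
    host: str
    user: str
    process: str
    action: str          # "copy" or "create" in the constructed format
    path: str            # destination path
    src: Optional[str]   # source path for copies, None otherwise


LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<kv>.+)$")


def parse_line(line: str) -> Optional[FileEvent]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return FileEvent(ts, kv["host"], kv["user"], kv.get("proc", ""), kv["action"], kv["path"], kv.get("src"))


def is_approved(user: str, dest_dir: str) -> bool:
    """True when this account is baselined to stage data under this directory."""
    return any(user == u and (dest_dir + "/").startswith(p) for u, p in APPROVED_STAGING)


def detect_staging(events, window=timedelta(minutes=10), min_files=4, min_source_dirs=2):
    """Return one alert per (host, user, destination directory) that looks like staging.

    Heuristic: within `window`, at least `min_files` files are copied into the same directory
    from at least `min_source_dirs` distinct source directories, by an account not approved to
    stage there. An archive created in that directory inside the window raises severity to high.
    """
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_key[(ev.host, ev.user, posixpath.dirname(ev.path))].append(ev)

    alerts = []
    for (host, user, dest_dir), evs in by_key.items():
        if is_approved(user, dest_dir):
            continue
        for i, start in enumerate(evs):  # slide the window over the time-ordered events
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            copies = [e for e in in_window if e.action == "copy" and e.src]
            src_dirs = {posixpath.dirname(e.src) for e in copies}
            if len(copies) >= min_files and len(src_dirs) >= min_source_dirs:
                archives = [e for e in in_window if e.path.endswith(ARCHIVE_EXT)]
                alerts.append({
                    "host": host, "user": user, "dest_dir": dest_dir,
                    "first_seen": start.ts.isoformat(),
                    "file_count": len(copies), "source_dirs": len(src_dirs),
                    "archive_created": bool(archives),
                    "off_hours": start.ts.hour not in BUSINESS_HOURS_UTC,
                    "severity": "high" if archives else "medium",
                })
                break  # one alert per key; later events belong to the same episode
    return alerts


def run(log_text: str = SAMPLE_LOG) -> list:
    """Parse the log text and return staging alerts."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    return detect_staging(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed sample this produces a single high-severity alert for `jdoe` on `web01` (five files from four source directories into `/tmp/.cache`, followed by `out.tar.gz`, off hours), while the `backup-svc` job is suppressed by the baseline and the single copy on `ws22` never reaches the threshold. The `min_files`, `min_source_dirs` and `window` parameters are the tuning knobs the list above calls for; raising `min_files` to 6 on the same input yields no alert, which is the trade-off to settle against the environment's own baseline before assigning severity.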

Mitigation priorities

  • Confirm sensitive data locations and expected administrative staging workflows before writing high-severity detections.
  • Ensure logging is enabled for file activity, process execution, command lines, cloud/IaaS storage operations, and relevant identity activity.
  • Restrict unnecessary write access to shared or central staging locations using least privilege.
  • Apply data-handling controls such as approved transfer paths, retention rules, and monitoring for bulk aggregation.
  • Prepare IR playbooks that preserve staged files, identify source data, determine responsible accounts/processes, and evaluate whether exfiltration followed.

Analyst notes and limits

This take is based on the detection strategy DET0014 and its stated relationship to ATT&CK technique T1074 Data Staged. The official DET0014 object supplied here does not include its own description, detection logic, tactics, or platforms, so practical guidance is derived conservatively from the relationship context and the related technique summary.

The source object is sparse. It does not provide official analytics, data components, thresholds, severity, or platform coverage for the detection strategy itself. Local environment baselines, logging configuration, and business-approved data movement patterns are required before operationalizing detections or assessing exposure.

Official MITRE ATT&CK definition

Detection of Data Staging Prior to Exfiltration

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name         Relationship / procedure
Enterprise  T1074  Data Staged  This object detects Data Staged.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 00ea1aebd66d67c0...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  00ea1aebd66d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0014

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.