DET0071: Detection of Remote Data Staging Prior to Exfiltration
Analyst context for executives and security teams
This detection strategy matters because remote data staging is often the point where scattered collected data becomes a business-scale exfiltration risk. Even without detailed MITRE detection guidance for DET0071, the related ATT&CK technique indicates defenders should look for data being consolidated into a central location before exfiltration, including on ESXi, IaaS, Linux, and macOS environments.
Executive priority
Treat this as a resilience and incident-response decision point: if the organization cannot see unusual consolidation of files, archive creation, or large copy activity in critical server, cloud, or virtualization environments, it may discover data theft too late. Leaders should ask whether SOC monitoring, cloud logging, and IR playbooks can identify and contain staging activity before outbound exfiltration occurs.
Technical view
DET0071 detects T1074.002 Remote Data Staging, a collection-phase behavior where adversaries may move data from multiple systems into a central location or directory before exfiltration. SOC and detection teams should validate visibility across the related platforms listed by ATT&CK: ESXi, IaaS, Linux, and macOS. Practical validation should focus on unusual file aggregation, shell-driven copy activity, creation of large or numerous files in centralized paths, and archive creation where data is combined before transfer.
Likely telemetry
- File creation, modification, rename, and deletion events on servers and shared locations
- Process and command execution telemetry for interactive shells and copy/archive utilities
- Authentication and session activity tied to systems used as staging locations
- IaaS audit logs for storage, compute, and administrative activity
- ESXi management and datastore activity logs where available
Detection direction
- Baseline normal bulk copy, backup, administrative, and data-processing activity to reduce false positives.
- Look for many-to-one data movement patterns where multiple systems write to or transfer data into a central host, directory, datastore, or cloud location.
- Correlate archive creation with preceding file collection or copy activity, especially when performed from interactive shells.
- Tune separately for ESXi, IaaS, Linux, and macOS because telemetry sources and normal administrative patterns differ.
- Treat detection as a precursor signal: remote staging alone may not prove exfiltration, but it should raise priority when followed by unusual outbound transfer or access changes.
Mitigation priorities
- Prioritize logging and retention for file, process, shell, cloud control-plane, and virtualization management activity on systems that could become staging points.
- Limit unnecessary write access to central directories, datastores, and cloud storage locations using least privilege.
- Review administrative workflows that legitimately consolidate large data volumes so detection rules can distinguish expected operations from suspicious staging.
- Ensure incident response playbooks include containment steps for suspected staging hosts, preservation of file/process evidence, and review for subsequent exfiltration activity.
- Use vulnerability and asset prioritization to identify high-value systems where loss of visibility into staging would create material business or compliance risk.
Analyst notes and limits
The ATT&CK object itself has no official description, tactics, platforms, or detection text. The useful context comes from its relationship to T1074.002 Remote Data Staging, which is a collection technique associated with ESXi, IaaS, Linux, and macOS. Detection engineering should therefore be validated against local data movement patterns and available telemetry rather than treated as a ready-made analytic.
This take is based only on the supplied STIX fields, external reference, and the stated relationship to T1074.002. It does not establish active exploitation, attribution, impact, or guaranteed detectability. Local architecture, logging coverage, retention, and administrative workflows are required to determine real detection coverage.
Detection of Remote Data Staging Prior to Exfiltration
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1074.002 | Remote Data Staging Sub-technique | This object detects Remote Data Staging. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f79c2078a7fe… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0071
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.