Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0261: Detection of Local Data Staging Prior to Exfiltration

This detection strategy matters because local data staging is often the point where scattered sensitive files become a concentrated business risk before ex...

EnterpriseDET0261Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because local data staging is often the point where scattered sensitive files become a concentrated business risk before exfiltration. Even though the ATT&CK detection object itself has no official description or detection logic, its relationship to Local Data Staging (T1074.001) gives defenders a clear decision point: can the organization see unusual accumulation, copying, or archiving of data on endpoints and servers before it leaves the environment?

Executive priority

Prioritize this as a control-validation topic for incident readiness and data-loss resilience. Leaders should ask whether SOC and IR teams can identify suspicious local aggregation of sensitive data on Windows, Linux, macOS, and ESXi systems, and whether evidence is sufficient to support escalation, containment, and compliance reporting. The business value is not a single alert; it is proving that data collection before exfiltration is observable early enough to reduce impact.

Technical view

DET0261 detects T1074.001 Local Data Staging, a collection technique where adversaries may place collected data in a central local directory, separate files, or combined archives prior to exfiltration. Because the detection strategy object provides no official detection text and no platforms of its own, validation should be driven by the related technique context: monitor for abnormal file copy, movement, aggregation, and archive creation behavior on ESXi, Linux, macOS, and Windows where those platforms are in scope. SOC teams should correlate file-system activity, shell activity, and archive utility use with user, host, path, and data-sensitivity context.

Likely telemetry

  • Endpoint file creation, modification, rename, and copy activity
  • Process execution telemetry for command shells and archive utilities
  • Command-line telemetry where available
  • Directory/path monitoring for unusual staging locations or high-volume file accumulation
  • File size, count, and extension changes that indicate aggregation or archiving

Detection direction

  • Validate whether monitoring can distinguish routine administrative, backup, software deployment, and compression activity from unusual local data aggregation.
  • Tune detections around abnormal volume, timing, user context, destination directories, and archive creation rather than relying on a single filename or tool pattern.
  • Correlate staging indicators with preceding collection behavior and subsequent exfiltration-related alerts where available.
  • Check blind spots on servers, shared systems, virtualization infrastructure, and non-Windows endpoints, since the related technique includes ESXi, Linux, macOS, and Windows.
  • Confirm that command shell activity such as cmd or bash usage is logged with enough detail to support investigation, while avoiding broad rules that alert on normal scripting alone.

Mitigation priorities

  • First, ensure endpoint and server logging covers file activity, process execution, command-line details, and archive creation on in-scope platforms.
  • Next, baseline normal bulk-copy, backup, compression, and administrative workflows so detection engineering can reduce false positives.
  • Apply least-privilege access to sensitive repositories and local directories so unnecessary data aggregation is harder to perform.
  • Use data classification and access monitoring where available to prioritize alerts involving regulated, confidential, or operationally critical data.
  • Prepare IR playbooks for suspected staging events, including preservation of local files, process history, user context, and containment decision criteria.
Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description, no official detection text, and no tactics or platforms directly assigned. The actionable context comes from its relationship to T1074.001 Local Data Staging, which is in the collection tactic and lists ESXi, Linux, macOS, and Windows platforms. Treat this as a validation and coverage-planning item rather than a ready-made analytic.

This take is limited to the supplied STIX fields, the MITRE external reference, and the relationship to T1074.001. It does not assert active exploitation, actor attribution, guaranteed detection, or environment-specific exposure. Local telemetry availability, data sensitivity, normal administrative workflows, and platform coverage must be confirmed by the organization.

Official MITRE ATT&CK definition

Detection of Local Data Staging Prior to Exfiltration

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1074.001 Local Data Staging Sub-technique This object detects Local Data Staging.
Relationship explorer

All related ATT&CK context

detects · Technique T1074.001: Local Data Staging Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
9be22d15000eb1af...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 9be22d15000e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0261
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use