T1074.002: Remote Data Staging
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.[1]
By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.
Analyst context for executives and security teams
Remote Data Staging matters because it is often the last internal consolidation point before data leaves the environment. Instead of exfiltrating from every compromised system, an adversary may copy collected files to one host, directory, cloud instance, VM, or ESXi/IaaS-accessible location, sometimes archiving the data first. For leaders, this is a control-validation issue: can the organization see unusual internal data aggregation before it becomes an external data-loss event?
Executive priority
Prioritize this technique where sensitive data, regulated records, cloud workloads, or operationally critical systems are spread across many hosts. The business decision is not only whether perimeter exfiltration is monitored, but whether internal staging behavior is visible across Windows, Linux, macOS, ESXi, and IaaS environments. Relationship context shows this behavior is associated in ATT&CK with espionage, cybercrime, supply-chain, and sector-targeting campaigns/groups, so it is useful for incident scoping, audit evidence, and tabletop decisions around data exposure.
Technical view
SOC and IR teams should validate whether they can identify abnormal copying, aggregation, compression, and storage growth on a central system prior to exfiltration. ATT&CK provides no official detection text for this object, but the description supports looking for command-shell-driven copy activity via cmd or bash, creation/use of staging directories, archive creation linked to collected data, and cloud instance or VM use as an aggregation point. DET0071 is related as a detection strategy for Remote Data Staging Prior to Exfiltration and should be reviewed where available in the ATT&CK knowledge base.
Likely telemetry
- Endpoint process execution for cmd, bash, copy, archive, and file movement activity
- File creation, modification, and size-growth telemetry in unusual directories or central staging locations
- Internal network file transfer or host-to-host copy evidence
- Cloud audit logs for instance or virtual machine creation and data movement into an instance
- ESXi/IaaS workload, storage, and administrative activity logs where available
Detection direction
- Baseline normal administrative backup, deployment, and data-processing workflows to reduce false positives from legitimate bulk copying.
- Correlate many-to-one internal file movement with subsequent archive creation or outbound network activity.
- Look for staging on systems that do not normally serve as file repositories, jump hosts, backup nodes, or data-processing servers.
- In cloud environments, validate visibility into newly created or unusual instances/VMs used to receive data from other workloads.
- Account for blind spots where endpoint logging, cloud audit logging, ESXi telemetry, or internal east-west network visibility is incomplete.
Mitigation priorities
- Reduce unnecessary write access and lateral file-copy permissions to sensitive repositories and shared locations.
- Enforce least privilege and monitoring for cloud instance/VM creation and workload-to-workload data transfer.
- Maintain logging for process execution, file operations, cloud control-plane activity, and internal network movement across supported platforms.
- Segment sensitive systems and monitor permitted aggregation paths such as backup, file transfer, and administrative hosts.
- Validate incident response playbooks for identifying what data was staged, where it came from, whether it was archived, and whether exfiltration followed.
Analyst notes and limits
This is a collection-stage sub-technique of Data Staged (T1074) focused on staging data remotely or centrally before exfiltration. It is especially useful for detection engineering because it sits between collection and outbound theft, where internal telemetry may still provide containment and scoping opportunities.
ATT&CK does not provide official detection guidance for this object, and the supplied fields do not include mitigations. Recommendations are therefore conservative and derived from the official behavior description, platforms, tactics, and relationships. Environment-specific baselines are required to distinguish malicious staging from legitimate administration, backup, migration, or analytics workflows.
Remote Data Staging
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.[1]
By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1074 | Data Staged | This object subtechnique of Data Staged. |
Groups, software, and campaigns
G0114: Chimera
G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
G1041: Sea Turtle
Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof log in portals and other applications for credential collection.[1][2][3][4]
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
G0061: FIN8
FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[1][2][3][4]
G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
G1019: MoustachedBouncer
MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.[1]
G1022: ToddyCat
G0037: FIN6
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
S1043: ccf32
ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[1]
C0024: SolarWinds Compromise
The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]
C0002: Night Dragon
Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.2 | Current bundle | bdd5bbcf885d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Mandiant M-Trends 2020
Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.
Open source URL -
[2]
mitre-attack T1074.002Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.