Home/ATT&CK Technique/Remote Data Staging
ATT&CK Technique

Remote Data Staging

T1074.002 · collection

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance. By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.

ESXiIaaSLinuxmacOSWindows

Actors Using This

8
russiaAPT28
russiaAPT29
russia_speaking_organized_cybercrimeDarkSide / BlackMatter
russia_speaking_organized_cybercrimeFIN8
predominantly_english_speaking_youth_organized_crimeLAPSUS$
predominantly_westernScattered Spider
chinaSilk Typhoon
russia_speaking_organized_cybercrimeTA505

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
persistence earlier
T1136.003 · Cloud Account ×29.75T1556.006 · Multi-Factor Authentication ×22.31
privilege-escalation earlier
T1134.001 · Token Impersonation/Theft ×14.88
credential-access earlier
T1621 · Multi-Factor Authentication Request Generation ×22.31T1003.004 · LSA Secrets ×21.25T1606.002 · SAML Tokens ×17.85T1528 · Steal Application Access Token ×17.00T1606 · Forge Web Credentials ×14.88
discovery earlier
T1087.004 · Cloud Account ×23.80
lateral-movement earlier
T1021.007 · Cloud Services ×29.75T1550.001 · Application Access Token ×20.82
collection same
T1213.002 · Sharepoint ×19.83
exfiltration later
T1030 · Data Transfer Size Limits ×17.00T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol ×16.53
other same
T1562.008 · Disable or Modify Cloud Logs ×29.75

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

D3FEND2 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin