Skip to content

DET0071 Detection of Remote Data Staging Prior to Exfiltration

Item Value
ID DET0071
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1074.002 (Remote Data Staging)

Analytics

Windows

AN0194

Detects file transfers or mounting operations from remote hosts followed by write actions into a local staging directory, often using SMB or remote shell activity.

Log Sources
Data Component Name Channel
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Network Share Access (DC0102) WinEventLog:Microsoft-Windows-SMBClient/Security EventCode=31001
Command Execution (DC0064) WinEventLog:PowerShell CommandLine=copy-item or robocopy from UNC path
Mutable Elements
Field Description
StagingDirectory Common directories such as C:\Temp, Downloads, or hidden folders used for remote staging
RemotePathPatterns UNC paths like \10.* or \domain\share indicating lateral data staging
CopyToolPatterns Usage of robocopy, xcopy, copy-item, or scheduled tasks performing cross-host copies

Linux

AN0195

Detects inbound SCP, rsync, or NFS mounts from remote systems followed by aggregation of files into known staging paths like /mnt/staging or /var/tmp.

Log Sources
Data Component Name Channel
File Access (DC0055) auditd:SYSCALL open
Process Creation (DC0032) auditd:SYSCALL execve
Network Traffic Content (DC0085) NSM:Flow SSH logins or scp activity
Mutable Elements
Field Description
RemoteHosts Expected inbound transfer hosts to filter normal activity from staging behavior
MountTargets Directory destinations used as centralized locations
TransferVolumeThreshold Threshold of transferred files or data volume over time

macOS

AN0196

Detects rsync or scp inbound from other hosts that then aggregate content into /Users/Shared or /private/tmp, often involving compressed files or scripts.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog exec logs
File Creation (DC0039) macos:unifiedlog file events
Network Traffic Content (DC0085) NSM:Flow remote login and transfer
Mutable Elements
Field Description
StagingPaths Monitored remote-to-local write destinations such as /Users/Shared
CompressionIndicators Presence of .zip, .7z, or tar.gz indicating consolidation
TimeWindow Temporal correlation of transfer and staging write operations

ESXi

AN0197

Detects remote writes or snapshots mounted from other systems into a central ESXi VMFS path or NFS store used for remote staging of files before exfiltration.

Log Sources
Data Component Name Channel
File Creation (DC0039) esxi:vmkernel VMFS file creation
Network Traffic Content (DC0085) esxi:vob NFS/remote access logs
Command Execution (DC0064) esxi:shell invoked remote scripts (esxcli)
Mutable Elements
Field Description
SnapshotFrequency How often snapshots are mounted or restored from peer nodes
RemoteWriteVolume Threshold for staging behavior vs. backup/operational activity
StorageMountPaths Common local destinations for incoming data

IaaS

AN0198

Detects remote write activity across cloud VMs or object storage buckets within the same region/account that correlate with data aggregation across hosts.

Log Sources
Data Component Name Channel
Cloud Storage Access (DC0025) AWS:CloudTrail GetObject, CopyObject
Network Traffic Content (DC0085) AWS:VPCFlowLogs Traffic between instances
Process Creation (DC0032) esxi:hostd process execution across cloud VM
Mutable Elements
Field Description
BucketNamePatterns Destination naming convention used for staging (e.g., temp-store)
IAMContext IAM role or user performing multi-host write ops
TransferWindow Burst of high-volume inter-VM transfers indicating staging