MITRE ATT&CK Technique
Collection T1074.002
Description

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.

Supported Platforms
Windows IaaS Linux macOS ESXi
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2020-03-13T21:14:58.206Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may stage data collected from multiple systems in '
                'a central location or directory on one system prior to '
                'Exfiltration. Data may be kept in separate files or combined '
                'into one file through techniques such as [Archive Collected '
                'Data](https://attack.mitre.org/techniques/T1560). Interactive '
                'command shells may be used, and common functionality within '
                '[cmd](https://attack.mitre.org/software/S0106) and bash may '
                'be used to copy data into a staging location.\n'
                '\n'
                'In cloud environments, adversaries may stage data within a '
                'particular instance or virtual machine before exfiltration. '
                'An adversary may [Create Cloud '
                'Instance](https://attack.mitre.org/techniques/T1578/002) and '
                'stage data in that instance.(Citation: Mandiant M-Trends '
                '2020)\n'
                '\n'
                'By staging data on one system prior to Exfiltration, '
                'adversaries can minimize the number of connections made to '
                'their C2 server and better evade detection.',
 'external_references': [{'external_id': 'T1074.002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1074/002'},
                         {'description': 'Mandiant. (2020, February). M-Trends '
                                         '2020. Retrieved November 17, 2024.',
                          'source_name': 'Mandiant M-Trends 2020',
                          'url': 'https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf'}],
 'id': 'attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'collection'}],
 'modified': '2025-10-24T17:48:38.453Z',
 'name': 'Remote Data Staging',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Praetorian'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows', 'IaaS', 'Linux', 'macOS', 'ESXi'],
 'x_mitre_version': '1.2'}
Quick Actions
Edit TTP Update from Web
Related Threat Actors (9)
Leviathan
High
Chimera
High
menuPass
High
FIN8
High
Threat Group-3390
High
View All 9 Actors
Back to TTPs
Dashboard About