MITRE ATT&CK Technique
Description
Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017) In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:58.938Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may stage collected data in a central location or '
'directory prior to Exfiltration. Data may be kept in separate '
'files or combined into one file through techniques such as '
'[Archive Collected '
'Data](https://attack.mitre.org/techniques/T1560). Interactive '
'command shells may be used, and common functionality within '
'[cmd](https://attack.mitre.org/software/S0106) and bash may '
'be used to copy data into a staging location.(Citation: PWC '
'Cloud Hopper April 2017)\n'
'\n'
'In cloud environments, adversaries may stage data within a '
'particular instance or virtual machine before exfiltration. '
'An adversary may [Create Cloud '
'Instance](https://attack.mitre.org/techniques/T1578/002) and '
'stage data in that instance.(Citation: Mandiant M-Trends '
'2020)\n'
'\n'
'Adversaries may choose to stage data from a victim network in '
'a centralized location prior to Exfiltration to minimize the '
'number of connections made to their C2 server and better '
'evade detection.',
'external_references': [{'external_id': 'T1074',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1074'},
{'description': 'Mandiant. (2020, February). M-Trends '
'2020. Retrieved November 17, 2024.',
'source_name': 'Mandiant M-Trends 2020',
'url': 'https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf'},
{'description': 'PwC and BAE Systems. (2017, April). '
'Operation Cloud Hopper. Retrieved '
'April 5, 2017.',
'source_name': 'PWC Cloud Hopper April 2017',
'url': 'https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf'}],
'id': 'attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'collection'}],
'modified': '2025-10-24T17:49:01.010Z',
'name': 'Data Staged',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Praetorian', 'Shane Tully, @securitygypsy'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows', 'IaaS', 'Linux', 'macOS', 'ESXi'],
'x_mitre_version': '1.5'}