216.73.216.233

T1074.002: T1074.002

View on MITRE ATT&CK The MITRE Corporation · Published 13/03/2020 22:14 · Modified 06/05/2026 12:40

Essential information

MITRE technique ID
T1074.002
Confidence
100/100
Revoked
No
Published
13/03/2020 22:14
Modified
06/05/2026 12:40
Author / Source
The MITRE Corporation

Aliases

Remote Data Staging

Platforms

windows macos linux IaaS ESXi

Description

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.

Kill chain phases

Kill chainPhase
mitre-attack collection

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.