Identify Data Staging and Compression Activity
Analysis | P2 | 60 min | IR Analyst
Detect evidence of data staging -- where the attacker collected, compressed, or encrypted files prior to exfiltration. Staging typically involves archive creation in temp directories, renamed extensions, or staging on a network share before transfer.
Actions
1. Search for archive creation using common staging tools: `DeviceProcessEvents | where FileName in~ ("7z.exe","rar.exe","winrar.exe","zip.exe","tar.exe","makecab.exe") | project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName`.
2. Hunt for renamed archive tools or LOLBins used for compression: check for `compact.exe /c`, `certutil -encode`, or PowerShell `Compress-Archive` commands across EDR telemetry.
3. Identify large file creation events in staging directories: `DeviceFileEvents | where FolderPath matches regex @"(?i)(\\temp\\|\\staging\\|\\public\\|C:\\PerfLogs)" | where FileSize > 50000000 | project Timestamp, DeviceName, FileName, FolderPath, FileSize`.
4. Run Velociraptor artifact `Windows.Search.FileFinder` to locate recently created archives (.7z, .zip, .rar, .tar.gz) across all in-scope hosts: filter by create timestamp within the investigation window.
5. Correlate staging activity with subsequent network transfers: pivot from the staging host and timestamp to outbound connections within the next 1-4 hours in firewall/proxy logs.
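As an added example of the step 5 pivot (not part of the original playbook), the Python below applies the suspicious-flag and staging-directory checks from the actions above to constructed EDR process events, then joins each hit to large outbound proxy flows from the same host within the following four hours. The event dictionary layout, the proxy line format, and the byte threshold are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): EDR process events and proxy
# log lines in the assumed form "<ts> <host> <dst> <method> bytes_out=<n>".
PROCESS_EVENTS = [
    {"ts": "2024-03-04T01:12:00", "host": "WS-114", "file": "7z.exe", "user": "jdoe",
     "cmd": "7z.exe a -pS3cret -v100m C:\\Users\\Public\\bk.7z C:\\Finance\\"},
    {"ts": "2024-03-04T09:00:00", "host": "WS-007", "file": "zip.exe", "user": "svc",
     "cmd": "zip.exe -r C:\\Logs\\rotate.zip C:\\Logs\\2024\\"},
]
PROXY_LOG = [
    "2024-03-04T02:40:00 WS-114 203.0.113.25:443 PUT bytes_out=157286400",
    "2024-03-04T03:00:00 WS-114 203.0.113.25:443 PUT bytes_out=20971520",
    "2024-03-04T13:30:00 WS-007 198.51.100.9:443 GET bytes_out=512",
]

ARCHIVE_TOOLS = {"7z.exe", "rar.exe", "winrar.exe", "zip.exe", "tar.exe", "makecab.exe"}
# Same staging-directory pattern used by the DeviceFileEvents hunt in action 3.
STAGING_DIR = re.compile(r"(?i)(\\temp\\|\\staging\\|\\public\\|C:\\PerfLogs)")
# -p (password), -mx (compression level), -v<n> (split volumes), or the plain words.
SUSPECT_FLAG = re.compile(r"(?i)(?:^|\s)-(?:p|mx|v\d)|password|split")

def staging_events(events):
    """Archive-tool invocations whose flags or output path suggest staging."""
    hits = []
    for e in events:
        if e["file"].lower() not in ARCHIVE_TOOLS:
            continue
        checks = ((SUSPECT_FLAG, "evasion/split flags"), (STAGING_DIR, "staging directory"))
        reasons = [name for rx, name in checks if rx.search(e["cmd"])]
        if reasons:
            hits.append({**e, "reasons": reasons})
    return hits

def correlate(events, proxy_lines, max_hours=4, min_bytes=10_000_000):
    """Pivot each staging hit to large outbound flows from the same host in the next max_hours."""
    flows = []
    for line in proxy_lines:
        ts, host, dst, _method, out = line.split()
        flows.append((datetime.fromisoformat(ts), host, dst, int(out.split("=")[1])))
    findings = []
    for s in staging_events(events):
        t0 = datetime.fromisoformat(s["ts"])
        xfers = [(dst, b) for t, host, dst, b in flows if host == s["host"]
                 and t0 <= t <= t0 + timedelta(hours=max_hours) and b >= min_bytes]
        findings.append({"host": s["host"], "user": s["user"], "staged_at": s["ts"],
                         "reasons": s["reasons"], "bytes_out": sum(b for _, b in xfers),
                         "destinations": sorted({d for d, _ in xfers})})
    return findings
```

The benign `zip.exe` invocation on WS-007 produces no finding, while the password-protected, split archive written to a public directory on WS-114 is tied to about 170 MB of outbound PUT traffic within two hours.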
Queries
Archive tools invoked with password, compression-level or volume-split options (MDE/Advanced Hunting):

```kusto
DeviceProcessEvents
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where ProcessCommandLine has_any ("7z","rar","zip","tar","Compress-Archive","makecab")
| where ProcessCommandLine has_any ("-p","-mx","-v","password","split")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| order by Timestamp asc
```

Hosts and folders accumulating more than 100 MB of new archives per hour:

```kusto
DeviceFileEvents
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where ActionType == "FileCreated"
| where FileName endswith_cs ".7z" or FileName endswith_cs ".zip" or FileName endswith_cs ".rar" or FileName endswith_cs ".tar.gz" or FileName endswith_cs ".cab"
| summarize TotalSizeMB=sum(FileSize)/1048576, FileCount=count() by DeviceName, FolderPath, bin(Timestamp, 1h)
| where TotalSizeMB > 100
| order by TotalSizeMB desc
```
Splunk equivalent over Sysmon file-create events (the `OR` terms are grouped so that `index` and `EventCode` apply to every extension):

```spl
index=sysmon EventCode=11 (TargetFilename="*.7z" OR TargetFilename="*.rar" OR TargetFilename="*.zip")
| stats count sum(FileSize) as total_bytes by Computer, TargetFilename, User
| eval total_MB=round(total_bytes/1048576,2)
| where total_MB > 50
```
Notes
- Attackers frequently password-protect archives to evade DLP inspection. Look for the `-p` flag in 7z/rar command lines -- the password itself may be visible in the process command line.
- Staging may occur over days or weeks. Widen the search window if initial results show only partial staging activity.