Analysis · P2 · ~60 min

Identify Data Staging and Compression Activity

Detect evidence of data staging -- where the attacker collected, compressed, or encrypted files prior to exfiltration. Staging typically involves archive creation in temp directories, renamed extensions, or staging on a network share before transfer.

Actions

  1. Search for archive creation using common staging tools: `DeviceProcessEvents | where FileName in~ ("7z.exe","7za.exe","rar.exe","winrar.exe","zip.exe","tar.exe","makecab.exe") | project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName`.

  2. Hunt for renamed archive tools and LOLBins used for compression or encoding. A renamed 7z.exe or rar.exe still carries its PE original name, so compare `ProcessVersionInfoOriginalFileName` against the list above rather than trusting `FileName` alone. Also check for `compact.exe /c` (in-place NTFS compression; it produces no archive, so it will not show up in file-extension hunts), `certutil -encode` (base64 encoding of an already staged file), and PowerShell `Compress-Archive` across EDR telemetry.

  3. Identify large file creation events in staging directories: `DeviceFileEvents | where FolderPath matches regex @"(?i)(\\temp\\|\\staging\\|\\public\\|C:\\PerfLogs)" | where FileSize > 50000000 | project Timestamp, DeviceName, FileName, FolderPath, FileSize`. Note that `FolderPath` in `DeviceFileEvents` holds the full path including the file name, which is why the regex can match on directory separators.

  4. Run Velociraptor artifact `Windows.Search.FileFinder` to locate recently created archives (.7z, .zip, .rar, .tar.gz) across all in-scope hosts, filtering by create timestamp within the investigation window. Include split-volume names in the glob (7-Zip writes `.7z.001`, `.7z.002`; WinRAR writes `.part1.rar`), since attackers split large archives to stay under upload limits.

  5. Correlate staging activity with subsequent network transfers: pivot from the staging host and archive timestamp to outbound connections within the next 1-4 hours in firewall/proxy logs, and compare bytes sent against the total archive size.

  6. Check ShellBags for evidence of folder browsing on file shares and data repositories. Parse `Software\Microsoft\Windows\Shell\BagMRU` and `Software\Microsoft\Windows\Shell\Bags` from NTUSER.DAT and, on Windows 7 and later, the larger set under `Local Settings\Software\Microsoft\Windows\Shell\BagMRU` in UsrClass.dat; `SBECmd.exe -d <directory containing the hives> --csv .` handles both. ShellBags persist even after folders are deleted and reveal the exact directory structure the attacker browsed, including UNC paths to shares.

  7. Analyze Jump Lists for recently accessed files and directories: `JLECmd.exe -d C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations --csv .`. Jump Lists record files opened via Explorer or Office and persist across reboots, revealing which documents the attacker opened before staging them.
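Steps 1 through 5 above, run as one script over constructed EDR-style telemetry. This is an added example, not code from this playbook: the field names (`DeviceName`, `FileName`, `ProcessCommandLine`, `ProcessVersionInfoOriginalFileName`, `FolderPath`, `FileSize`, `ActionType`, `RemoteIP`) follow the Defender for Endpoint advanced-hunting schema, and the hostnames, accounts, paths, IPs and timestamps are invented. It goes a little beyond the queries by also catching split volumes (`.7z.001`) and renamed binaries, and by pulling the inline password out of the command line.

```python
"""Data-staging hunt over constructed EDR-style telemetry (added example, not the
playbook's code). Field names mirror Defender for Endpoint tables; rows are invented."""
import re
from datetime import datetime, timedelta

ARCHIVE_TOOLS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "zip.exe", "tar.exe", "makecab.exe"}
# Staging paths from step 3. FolderPath in DeviceFileEvents carries the full file path.
STAGING_DIR_RE = re.compile(r"(?i)\\(temp|staging|public)\\|^[a-z]:\\perflogs\\")
# Extensions from step 4, plus the numeric suffix 7z adds to split volumes (q1.7z.001).
ARCHIVE_EXT_RE = re.compile(r"(?i)\.(7z|zip|rar|cab|tar\.gz)(\.\d{3})?$")
# 7z/rar take the password inline as -p<pwd>; rar -hp<pwd> also encrypts headers.
# Deliberately case-sensitive: PowerShell's -Path must not match.
PASSWORD_RE = re.compile(r"(?:^|\s)-h?p(\S+)")
LOLBIN_PATTERNS = {  # built-in routes from step 2
    "PowerShell Compress-Archive": re.compile(r"(?i)compress-archive"),
    "certutil -encode": re.compile(r"(?i)\bcertutil(?:\.exe)?\b.*-encode"),
    "compact /c": re.compile(r"(?i)\bcompact(?:\.exe)?\b.*\s/c\b"),
}


def classify_process(ev):
    """Steps 1-2: return a finding for an archive/compression process, else None."""
    name, cmd, reasons = ev["FileName"].lower(), ev["ProcessCommandLine"], []
    if name in ARCHIVE_TOOLS:
        reasons.append(f"archive tool {name}")
    # A renamed binary keeps its PE original name, which MDE exposes in
    # ProcessVersionInfoOriginalFileName; a mismatch is the renamed-tool case.
    orig = (ev.get("ProcessVersionInfoOriginalFileName") or "").lower()
    if orig in ARCHIVE_TOOLS and orig != name:
        reasons.append(f"renamed {orig} running as {name}")
    reasons += [label for label, pat in LOLBIN_PATTERNS.items() if pat.search(cmd)]
    if not reasons:
        return None
    pw = PASSWORD_RE.search(cmd)
    return {"DeviceName": ev["DeviceName"], "Timestamp": ev["Timestamp"], "Account": ev["AccountName"],
            "Reasons": reasons, "Password": pw.group(1) if pw else None,
            "Split": bool(re.search(r"(?:^|\s)-v\d", cmd))}  # volume split, e.g. -v100m


def find_staging_processes(process_events):
    return [f for f in map(classify_process, process_events) if f]


def find_staged_archives(file_events, min_bytes=50_000_000):
    """Step 3: archives of at least min_bytes written into staging directories."""
    return [ev for ev in file_events
            if ev["ActionType"] == "FileCreated" and ev["FileSize"] >= min_bytes
            and ARCHIVE_EXT_RE.search(ev["FileName"]) and STAGING_DIR_RE.search(ev["FolderPath"])]


def correlate_staging_to_egress(file_events, network_events, window_hours=4):
    """Step 5: outbound connections from the staging host within window_hours after the
    archive appeared. Proxy/firewall logs stay authoritative for bytes transferred."""
    hits = []
    for arc in find_staged_archives(file_events):
        t0 = datetime.fromisoformat(arc["Timestamp"])
        for net in network_events:
            if net["DeviceName"] != arc["DeviceName"] or net["ActionType"] != "ConnectionSuccess":
                continue
            lag = datetime.fromisoformat(net["Timestamp"]) - t0
            if timedelta(0) <= lag <= timedelta(hours=window_hours):
                hits.append({"DeviceName": arc["DeviceName"], "Archive": arc["FolderPath"],
                             "SizeMB": round(arc["FileSize"] / 1048576, 1), "RemoteIP": net["RemoteIP"],
                             "RemotePort": net["RemotePort"], "LagMinutes": int(lag.total_seconds() // 60)})
    return hits


# Constructed sample telemetry; hostnames, accounts, paths and IPs are invented.
PROCESS_EVENTS = [
    {"Timestamp": "2024-03-01T10:00:00", "DeviceName": "ws-fin-07", "AccountName": "jdoe", "FileName": "7z.exe",
     "ProcessVersionInfoOriginalFileName": "7z.exe",
     "ProcessCommandLine": r"7z.exe a -pS3cret! -mx=9 -v100m C:\Users\Public\q1.7z D:\Finance"},
    {"Timestamp": "2024-03-01T11:30:00", "DeviceName": "srv-file-02", "AccountName": "svc_backup",
     "FileName": "updater.exe", "ProcessVersionInfoOriginalFileName": "7z.exe",  # renamed 7-Zip
     "ProcessCommandLine": r"updater.exe a -hpHunter2 C:\Windows\Temp\b.7z \\srv-file-02\HR$"},
    {"Timestamp": "2024-03-01T12:00:00", "DeviceName": "ws-eng-11", "AccountName": "asmith", "FileName": "powershell.exe",
     "ProcessVersionInfoOriginalFileName": "PowerShell.EXE",
     "ProcessCommandLine": r"powershell -c Compress-Archive -Path C:\Repos -DestinationPath C:\Users\Public\src.zip"},
]
FILE_EVENTS = [
    {"Timestamp": "2024-03-01T10:06:00", "DeviceName": "ws-fin-07", "ActionType": "FileCreated",
     "FileName": "q1.7z.001", "FolderPath": r"C:\Users\Public\q1.7z.001", "FileSize": 104_857_600},
    {"Timestamp": "2024-03-01T11:35:00", "DeviceName": "srv-file-02", "ActionType": "FileCreated",
     "FileName": "b.7z", "FolderPath": r"C:\Windows\Temp\b.7z", "FileSize": 314_572_800},
    {"Timestamp": "2024-03-01T12:05:00", "DeviceName": "ws-eng-11", "ActionType": "FileCreated",  # not a staging dir
     "FileName": "notes.zip", "FolderPath": r"C:\Users\asmith\Documents\notes.zip", "FileSize": 80_000_000},
]
NETWORK_EVENTS = [
    {"Timestamp": "2024-03-01T12:40:00", "DeviceName": "ws-fin-07", "ActionType": "ConnectionSuccess",
     "RemoteIP": "203.0.113.10", "RemotePort": 443},  # 2.5 h after the archive: flagged
    {"Timestamp": "2024-03-01T20:00:00", "DeviceName": "srv-file-02", "ActionType": "ConnectionSuccess",
     "RemoteIP": "203.0.113.10", "RemotePort": 22},   # outside the 4 h window: ignored
]

if __name__ == "__main__":
    print(*find_staging_processes(PROCESS_EVENTS), sep="\n")
    print(*correlate_staging_to_egress(FILE_EVENTS, NETWORK_EVENTS), sep="\n")
```

The renamed-binary check is the part worth copying into a real hunt: `FileName`-only queries like the one in step 1 miss `updater.exe`, but the PE original name survives the rename. The password regex is intentionally case-sensitive because 7z and rar flags are lowercase while PowerShell's `-Path` is not.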

Queries

DeviceProcessEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ProcessCommandLine has_any ("7z","rar","zip","tar","Compress-Archive","makecab") | where ProcessCommandLine has_any ("-p","-mx","-v","password","split") | project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName | order by Timestamp asc
DeviceFileEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ActionType == "FileCreated" | where FileName endswith ".7z" or FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".tar.gz" or FileName endswith ".cab" or FileName matches regex @"(?i)\.7z\.\d{3}$" | summarize TotalSizeMB=sum(FileSize)/1048576, FileCount=count() by DeviceName, FolderPath, bin(Timestamp, 1h) | where TotalSizeMB > 100 | order by TotalSizeMB desc
index=sysmon EventCode=11 (TargetFilename="*.7z" OR TargetFilename="*.7z.0*" OR TargetFilename="*.rar" OR TargetFilename="*.zip" OR TargetFilename="*.cab") earliest=T_START latest=T_END | stats count values(TargetFilename) as archives by Computer, Image, User | sort -count
index=sysmon EventCode=1 (Image="*\\7z.exe" OR Image="*\\rar.exe" OR Image="*\\winrar.exe" OR Image="*\\tar.exe" OR Image="*\\makecab.exe") earliest=T_START latest=T_END | stats count by Computer, Image, CommandLine, User, ParentImage | sort -count

Notes

Attackers frequently password-protect archives to evade DLP inspection. Look for the `-p` flag in 7z/rar command lines (rar also accepts `-hp`, which encrypts file names as well as contents; 7z does the same with `-mhe=on`). Both tools take the password inline, so it is often recoverable verbatim from the process command line; a bare `-p` with no value means the tool prompted for it interactively and the password will not be in telemetry.

Staging may occur over days or weeks. Widen the search window if initial results show only partial staging activity.

Use the $MFT to identify bulk file copies into staging directories: `MFTECmd.exe -f "$MFT" --csv .`. Filter for clusters of $STANDARD_INFORMATION creation timestamps in temp/staging paths. Records for deleted files remain in the $MFT until their entries are reused, so even if the attacker cleaned up the staging directory, the evidence usually persists. The $MFT is also the fallback for file sizes: Sysmon FileCreate (EID 11) records no size, so size thresholds need EDR `DeviceFileEvents` or the $MFT.
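The burst-of-creations filter described above, as an added example that is not part of this playbook. It runs over a constructed CSV in the shape of MFTECmd's `--csv` output; the column names used (`InUse`, `ParentPath`, `FileName`, `FileSize`, `Created0x10`) and the volume-relative `.\Users\...` form of `ParentPath` are my assumptions about that output, so map them to your own export if they differ. Deleted records (`InUse` false) are kept in the analysis on purpose, since those are exactly the files a cleaned-up staging folder leaves behind.

```python
"""Bursts of file creation in staging directories, from MFTECmd CSV output.

Added example, not from the playbook. The CSV below is constructed; its column
names (InUse, ParentPath, FileName, FileSize, Created0x10) follow MFTECmd's
--csv output as assumed here, so map them to your own export if they differ.
"""
import csv
import io
import re
from datetime import datetime, timedelta

# ParentPath is assumed to be volume-relative (".\Users\Public"), with no trailing slash.
STAGING_RE = re.compile(r"(?i)\\(temp|staging|public)(\\|$)|^\.\\perflogs")


def _parse_ts(s):
    """Created0x10 looks like '2024-03-01 10:06:00.0000000'; %f takes at most 6 digits."""
    if "." in s:
        base, frac = s.split(".", 1)
        return datetime.strptime(f"{base}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def load_mftecmd_csv(text):
    """Parse the columns this example needs. InUse == False means the record is no
    longer allocated: the file was deleted but its $MFT entry has not been reused."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "path": f'{r["ParentPath"]}\\{r["FileName"]}',
            "parent": r["ParentPath"],
            "size": int(r["FileSize"] or 0),
            "deleted": r["InUse"].strip().lower() == "false",
            "created": _parse_ts(r["Created0x10"]),
        })
    return rows


def find_creation_bursts(rows, window=timedelta(minutes=10), min_files=4):
    """Greedy sliding window over creation times of files under staging paths:
    any run of at least min_files created within `window` is reported as a burst."""
    recs = sorted((r for r in rows if STAGING_RE.search(r["parent"])),
                  key=lambda r: r["created"])
    bursts, i = [], 0
    while i < len(recs):
        j = i
        while j + 1 < len(recs) and recs[j + 1]["created"] - recs[i]["created"] <= window:
            j += 1
        if j - i + 1 >= min_files:
            chunk = recs[i:j + 1]
            bursts.append({
                "start": chunk[0]["created"], "end": chunk[-1]["created"],
                "count": len(chunk),
                "deleted": sum(r["deleted"] for r in chunk),
                "total_bytes": sum(r["size"] for r in chunk),
                "paths": sorted({r["parent"] for r in chunk}),
            })
            i = j + 1
        else:
            i += 1
    return bursts


# Constructed MFTECmd-style rows: source documents copied into a staging folder and
# later deleted (InUse False), followed by the split archive that packaged them.
SAMPLE_CSV = r"""EntryNumber,SequenceNumber,InUse,ParentPath,FileName,Extension,FileSize,Created0x10
1003,2,False,.\Users\Public\stage,finance_2023.xlsx,.xlsx,4100000,2024-03-01 09:58:10.5000000
1004,2,False,.\Users\Public\stage,finance_2024.xlsx,.xlsx,5200000,2024-03-01 09:58:12.2500000
1005,1,False,.\Users\Public\stage,board_minutes.docx,.docx,310000,2024-03-01 09:58:15.0000000
1006,1,False,.\Users\Public\stage,contracts.pdf,.pdf,21000000,2024-03-01 09:58:20.0000000
1001,3,True,.\Users\Public,q1.7z.001,.001,104857600,2024-03-01 10:06:00.0000000
1002,1,True,.\Users\Public,q1.7z.002,.002,104857600,2024-03-01 10:08:00.0000000
1007,4,True,.\Users\jdoe\Documents,report.docx,.docx,50000,2024-03-01 09:30:00.0000000
1008,1,True,.\Windows\Temp,tmp123.tmp,.tmp,1024,2024-03-02 14:00:00.0000000
"""

if __name__ == "__main__":
    for b in find_creation_bursts(load_mftecmd_csv(SAMPLE_CSV)):
        print(f'{b["start"]} .. {b["end"]}: {b["count"]} files ({b["deleted"]} deleted), '
              f'{b["total_bytes"] / 1048576:.1f} MB in {b["paths"]}')
```

The window and file-count thresholds are the knobs to tune: a 10-minute window with four files catches a hands-on-keyboard copy followed by archiving, while staging that trickles in over days (see the note above about widening the search window) needs a longer window or a per-day roll-up instead.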
