DET0014 Detection of Data Staging Prior to Exfiltration

ID: DET0014
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1074 (Data Staged)

Analytics

Windows

AN0040

Detects the staging of sensitive files into temporary or public directories (for example C:\Users\Public or a user's %TEMP%), followed by compression with 7-Zip or WinRAR, or a batch copy of many files in a short window, prior to exfiltration. Two collection caveats apply: Security events 4656/4663 are only generated when Object Access auditing is enabled and the directory carries a matching SACL, so the paths in StagingDirectoryList need an explicit audit entry; and Sysmon Event 11 only reports file creations that match the FileCreate rules in the Sysmon configuration. Either signal on its own is noisy (users write to temp directories constantly, backup agents run 7-Zip), so correlate the staging writes with the subsequent compression-tool launch (Sysmon Event 1) by the same user inside TimeWindow.

Log Sources

Data Component             Name                    Channel
File Access (DC0055)       WinEventLog:Security    EventCode=4663, 4670, 4656
File Creation (DC0039)     WinEventLog:Sysmon      EventCode=11
Process Creation (DC0032)  WinEventLog:Sysmon      EventCode=1

Mutable Elements

Field                 Description
StagingDirectoryList  Temp folders or user profile staging directories
CompressionToolList   7z.exe, rar.exe, zip.exe paths
TimeWindow            Temporal bounds for detecting batch staging activities
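The following Python script is an added example, not code from the ATT&CK page: it implements the AN0040 correlation over constructed Sysmon records, treating StagingDirectoryList, CompressionToolList and TimeWindow as parameters. Field names follow Sysmon (UtcTime, User, Image, TargetFilename, CommandLine); the sample events, the example directory and tool lists, and the MIN_STAGED_FILES noise floor are assumptions made for the demonstration.

```python
"""AN0040-style correlation over constructed Sysmon events: file creations
(EventCode 11) under a staging directory followed, within TimeWindow, by a
compression-tool launch (EventCode 1) by the same user. Added example; mutable
element values are illustrative, not the ATT&CK page's."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Mutable elements (example values; tune per environment)
STAGING_DIRECTORY_LIST = ["c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\"]
COMPRESSION_TOOL_LIST = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "zip.exe"}
TIME_WINDOW = timedelta(minutes=10)
MIN_STAGED_FILES = 3   # assumption: a single staged file is treated as noise

# Constructed Sysmon records (not real telemetry); field names follow Sysmon
SAMPLE_EVENTS = [
    {"EventCode": 11, "UtcTime": "2025-10-21 09:00:01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\xcopy.exe",
     "TargetFilename": "C:\\Users\\Public\\stage\\q3_payroll.xlsx"},
    {"EventCode": 11, "UtcTime": "2025-10-21 09:00:02", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\xcopy.exe",
     "TargetFilename": "C:\\Users\\Public\\stage\\customers.csv"},
    {"EventCode": 11, "UtcTime": "2025-10-21 09:00:03", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\xcopy.exe",
     "TargetFilename": "C:\\Users\\Public\\stage\\contracts.pdf"},
    # Same user, staging write an hour earlier: outside TimeWindow, must not count
    {"EventCode": 11, "UtcTime": "2025-10-21 08:10:00", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\notes.txt"},
    {"EventCode": 1, "UtcTime": "2025-10-21 09:05:40", "User": "CORP\\jdoe",
     "Image": "C:\\Tools\\7z.exe",
     "CommandLine": "\"C:\\Tools\\7z.exe\" a -phunter2 C:\\Users\\Public\\stage\\out.7z C:\\Users\\Public\\stage\\*"},
    # Benign: backup agent compressing from a non-staging directory, no staging writes
    {"EventCode": 1, "UtcTime": "2025-10-21 09:06:00", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Tools\\7z.exe",
     "CommandLine": "\"C:\\Tools\\7z.exe\" a D:\\Backups\\db.7z D:\\Data\\db.bak"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def in_staging_dir(path):
    """Case-insensitive substring match so %LOCALAPPDATA%\\Temp matches for any user."""
    p = path.lower()
    return any(d in p for d in STAGING_DIRECTORY_LIST)


def is_compression_tool(image):
    return PureWindowsPath(image).name.lower() in COMPRESSION_TOOL_LIST


def find_staging_alerts(events, window=TIME_WINDOW, min_files=MIN_STAGED_FILES):
    """One alert per compression launch preceded, within `window`, by at least
    `min_files` staging-directory file creations from the same user."""
    staged = defaultdict(list)          # user -> [(time, path)]
    for e in events:
        if e["EventCode"] == 11 and in_staging_dir(e["TargetFilename"]):
            staged[e["User"]].append((parse_time(e["UtcTime"]), e["TargetFilename"]))

    alerts = []
    for e in events:
        if e["EventCode"] != 1 or not is_compression_tool(e["Image"]):
            continue
        t = parse_time(e["UtcTime"])
        recent = sorted(p for ft, p in staged[e["User"]] if t - window <= ft <= t)
        if len(recent) >= min_files:
            alerts.append({"user": e["User"], "time": e["UtcTime"], "tool": e["Image"],
                           "command_line": e["CommandLine"], "staged_files": recent})
    return alerts


if __name__ == "__main__":
    for a in find_staging_alerts(SAMPLE_EVENTS):
        print(f"[{a['time']}] {a['user']} ran {a['tool']} after staging {len(a['staged_files'])} files")
```

The SYSTEM-account 7z.exe launch produces no alert because no staging writes precede it, and jdoe's earlier write to %TEMP% falls outside the window; only the three Public\stage writes followed by the password-protected archive fire. In a SIEM the same logic is a join of Event 1 to Event 11 on User with a time constraint, and the 4663/4656 Security events can be substituted for Sysmon 11 where the SACL is in place.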

Linux

AN0041

Detects a script or interactive user copying files into a central temporary or mount directory (/tmp, /var/tmp, /mnt), followed by an archive or compression utility such as tar, zip, gzip or 7z. Two auditd details matter here. Modern coreutils and archivers create files through open/openat with O_CREAT rather than the creat syscall, so a rule keyed only on syscall=creat misses most staging writes; watch the staging directories with path rules (auditctl -w /tmp -p wa -k staging) or audit open/openat as well. Second, execve arguments are delivered in the companion EXECVE record that shares the SYSCALL record's serial, and auditd hex-encodes any argument containing spaces or quotes, so match on the decoded argv rather than on the raw line.

Log Sources

Data Component             Name            Channel
File Creation (DC0039)     auditd:SYSCALL  creat
Process Creation (DC0032)  auditd:SYSCALL  execve

Mutable Elements

Field                     Description
StagingDirectoryList      e.g., /tmp/, /var/tmp/, /mnt/
ArchivingCommandPatterns  grep for 'tar', 'zip', 'gzip', '7z'
UserContext               Interactive or elevated shells running archiving commands
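The following Python script is an added example, not code from the ATT&CK page. It parses raw auditd lines for AN0041: records sharing an audit serial are grouped into one event, file creations under a staging directory are taken from the PATH record (nametype=CREATE), archiver executions come from the decoded EXECVE argv, and the caller's UserContext (interactive tty, elevated euid, no login session) is read from the SYSCALL fields. It links an archiver run to staging by the paths in its arguments rather than by time. The log lines, key names and syscall-number table (x86_64) are constructed for the demonstration.

```python
"""AN0041-style parsing of raw auditd records (added example; not code from the
ATT&CK page). Records sharing an audit serial are grouped into one event, file
creations under a staging directory and archiver executions are extracted, and
archiver runs whose arguments point at a staging directory are flagged together
with the user context (interactive tty, elevated euid) of the caller."""
import os
import re
from collections import defaultdict

# Mutable elements (example values)
STAGING_DIRECTORY_LIST = ["/tmp/", "/var/tmp/", "/mnt/"]
ARCHIVING_COMMAND_PATTERNS = {"tar", "zip", "gzip", "7z", "7za"}
# x86_64 syscall numbers. Modern cp/tar create files via openat(O_CREAT), not
# creat(), so matching only syscall=creat misses most staging writes.
CREATE_SYSCALLS = {85: "creat", 2: "open", 257: "openat"}
EXECVE_SYSCALL = 59
AUID_UNSET = "4294967295"   # no login session (daemons, cron, logrotate)

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
ARG_KEY_RE = re.compile(r"a\d+$")

# Constructed auditd lines (not captured from a real host). The tar argument
# a4 is hex-encoded, as auditd does for strings containing spaces or quotes.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1761037201.101:5001): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd1a2b3c40 a2=80241 a3=1a4 items=2 ppid=2101 pid=2188 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="cp" exe="/usr/bin/cp" key="staging"
type=PATH msg=audit(1761037201.101:5001): item=1 name="/tmp/.cache/customers.csv" inode=1311 dev=fd:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1761037202.220:5002): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd1a2b3c40 a2=80241 a3=1a4 items=2 ppid=2101 pid=2190 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="cp" exe="/usr/bin/cp" key="staging"
type=PATH msg=audit(1761037202.220:5002): item=1 name="/tmp/.cache/payroll.xlsx" inode=1312 dev=fd:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1761037260.500:5003): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0 a1=55d1e0 a2=55d300 a3=8 items=2 ppid=2101 pid=2201 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="tar" exe="/usr/bin/tar" key="archive"
type=EXECVE msg=audit(1761037260.500:5003): argc=5 a0="tar" a1="czf" a2="/tmp/.cache/bundle.tgz" a3="/tmp/.cache" a4=2F746D702F2E63616368652F5133207265706F72742E786C7378
type=SYSCALL msg=audit(1761037300.000:5004): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0 a1=55d1e0 a2=55d300 a3=8 items=2 ppid=1 pid=2300 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="gzip" exe="/usr/bin/gzip" key="archive"
type=EXECVE msg=audit(1761037300.000:5004): argc=2 a0="gzip" a1="/var/log/syslog.1"
"""


def parse_record(line):
    """Split one auditd line into a dict; strip quotes and hex-decode encoded strings."""
    rec = dict(FIELD_RE.findall(line))
    rtype = rec["type"]
    for key in list(rec):
        raw = rec[key]
        if raw.startswith('"'):
            rec[key] = raw[1:-1]
        elif (rtype == "EXECVE" and ARG_KEY_RE.match(key)) or (rtype == "PATH" and key == "name"):
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
    ts, serial = MSG_RE.search(line).groups()
    rec["_ts"], rec["_serial"] = float(ts), int(serial)
    return rec


def group_events(log_text):
    """Group the SYSCALL, EXECVE and PATH records that share an audit serial."""
    events = defaultdict(lambda: {"SYSCALL": None, "EXECVE": None, "PATH": []})
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            ev = events[rec["_serial"]]
            if rec["type"] == "PATH":
                ev["PATH"].append(rec)
            else:
                ev[rec["type"]] = rec
    return [events[s] for s in sorted(events)]


def user_context(sc):
    """Classify the caller from SYSCALL fields (the UserContext mutable element)."""
    ctx = []
    if sc.get("tty", "(none)") != "(none)":
        ctx.append("interactive")
    if sc["auid"] == AUID_UNSET:
        ctx.append("no-login-session")
    elif sc["euid"] == "0" and sc["auid"] != "0":
        ctx.append("elevated")          # login user acting as root (sudo/su)
    return ctx


def in_staging_dir(path):
    return any(path.startswith(d) for d in STAGING_DIRECTORY_LIST)


def find_archiver_alerts(log_text):
    """Archiver executions that reference a staging directory, with the files
    the same login user (auid) created there beforehand."""
    staged_by_auid, alerts = defaultdict(list), []
    for ev in group_events(log_text):
        sc = ev["SYSCALL"]
        if sc is None or sc.get("success") != "yes":
            continue
        nr = int(sc["syscall"])
        if nr in CREATE_SYSCALLS:
            for p in ev["PATH"]:
                if p.get("nametype") == "CREATE" and in_staging_dir(p["name"]):
                    staged_by_auid[sc["auid"]].append(p["name"])
        elif nr == EXECVE_SYSCALL and ev["EXECVE"]:
            ex = ev["EXECVE"]
            argv = [ex[f"a{i}"] for i in range(int(ex["argc"]))]
            if os.path.basename(argv[0]) not in ARCHIVING_COMMAND_PATTERNS:
                continue
            if any(in_staging_dir(a) for a in argv[1:]):
                alerts.append({"time": sc["_ts"], "auid": sc["auid"], "exe": sc["exe"],
                               "argv": argv, "context": user_context(sc),
                               "staged_files": list(staged_by_auid[sc["auid"]])})
    return alerts
```

The logrotate-style gzip run (no login session, no tty, argument outside the staging list) is ignored, while the tar run fires: it was launched from an interactive pts by auid 1001 acting as root, its output and input live under /tmp, and the hex-encoded fifth argument decodes to a filename containing a space that a raw grep for '/tmp/' would still have found but a grep on the filename would not.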

macOS

AN0042

Detects files collected into a user temporary or shared directory (/Users/Shared, /private/tmp) followed by compression with ditto, zip, tar or a custom script. ditto deserves particular attention because it ships with every macOS install and `ditto -c -k` produces a zip archive, so the attacker need not bring a tool. On macOS, process execution and file creation are reported through the Endpoint Security framework (ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_CREATE) to an installed security agent; the unified log does not record arbitrary file creates by default, so confirm the sensor feeding this analytic actually covers the staging directories.

Log Sources

Data Component             Name               Channel
File Access (DC0055)       macos:unifiedlog   file events
Process Creation (DC0032)  macos:unifiedlog   exec logs

Mutable Elements

Field                     Description
CompressionUtilityList    e.g., 'ditto', 'zip', 'tar'
SharedDirectoryIndicators e.g., /Users/Shared/ or /private/tmp/
ScriptInvocationContext   osascript or Terminal automation by non-GUI processes

IaaS

AN0043

Detects virtual disk expansion or bulk copying of objects into cloud storage buckets or mounted volumes from instances that should not be handling that data. Object-level S3 calls (GetObject, PutObject, CopyObject) are CloudTrail data events and are only recorded when data-event logging is enabled for the bucket or trail; a management-events-only trail will not show them. CloudTrail identifies an instance-profile caller by the assumed-role session name (the instance ID) in userIdentity.arn, not by tag, so the InstanceTag filter has to be enriched from an inventory. A burst of GetObject from an unusual principal indicates collection; CopyObject or PutObject into a bucket in CloudBucketList is the staging step, and ObjectWriteThreshold should bound both object count and byte volume within the window.

Log Sources

Data Component                 Name            Channel
Cloud Storage Access (DC0025)  AWS:CloudTrail  GetObject, CopyObject
File Access (DC0055)           gcp:audit       Write operations to storage

Mutable Elements

Field                 Description
CloudBucketList       Staging bucket or mount point for data
InstanceTag           Behavior restricted to specific ephemeral instances
ObjectWriteThreshold  Volume or size of files pushed in burst
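The following Python script is an added example, not code from the ATT&CK page or from AWS. It applies AN0043 to constructed CloudTrail S3 data events: each write (PutObject, CopyObject and multipart uploads) is attributed to the EC2 instance behind the assumed instance-profile role, grouped by instance and target bucket, and flagged when either the object count or the byte volume inside a sliding TimeWindow exceeds ObjectWriteThreshold. Because CloudTrail carries no instance tags, the InstanceTag scope is applied through a constructed inventory lookup; the bucket names, instance IDs, account number, tag values and thresholds are all assumptions for the demonstration.

```python
"""AN0043-style burst detection over constructed CloudTrail S3 data events
(added example; not from the ATT&CK page). Writes are attributed to the EC2
instance behind an assumed instance-profile role, bucketed by (instance,
bucket), and flagged when the count or byte volume inside TimeWindow exceeds
the thresholds. Instance tags are not present in CloudTrail, so they come from
a constructed inventory (an assumed enrichment step)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MB = 1024 * 1024
# Mutable elements (example values)
CLOUD_BUCKET_LIST = {"corp-staging-scratch", "corp-data-export"}
INSTANCE_TAG = ("Lifecycle", "ephemeral")      # only instances carrying this tag are in scope
OBJECT_WRITE_THRESHOLD = 5                     # objects per window
BYTES_WRITE_THRESHOLD = 500 * MB               # bytes per window
TIME_WINDOW = timedelta(minutes=5)
WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart", "CompleteMultipartUpload"}

# Constructed inventory (hypothetical): instance id -> tags
INSTANCE_TAGS = {
    "i-0a1b2c3d4e5f67890": {"Lifecycle": "ephemeral", "Name": "batch-worker-7"},
    "i-0ffffffffffffffff": {"Lifecycle": "persistent", "Name": "web-1"},
}


def _ct(ts, name, instance, bucket, key, nbytes=0):
    """Build one CloudTrail-shaped S3 data event (constructed sample, not real)."""
    return {"eventTime": ts, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "arn": f"arn:aws:sts::123456789012:assumed-role/batch-role/{instance}"},
            "requestParameters": {"bucketName": bucket, "key": key},
            "additionalEventData": {"bytesTransferredIn": nbytes}}


EPH, WEB = "i-0a1b2c3d4e5f67890", "i-0ffffffffffffffff"
SAMPLE_TRAIL = json.dumps({"Records": [
    _ct("2025-10-21T09:00:01Z", "GetObject", EPH, "corp-data-export", "in/seed.csv"),
    # ephemeral worker pushes six 50 MB objects into the scratch bucket, one a minute
    *[_ct(f"2025-10-21T09:0{i}:10Z", "PutObject", EPH, "corp-staging-scratch",
          f"stage/part{i}.bin", 50 * MB) for i in range(1, 7)],
    # persistent web host writes small logs to the same bucket: out of InstanceTag scope
    *[_ct(f"2025-10-21T09:0{i}:30Z", "PutObject", WEB, "corp-staging-scratch",
          f"logs/{i}.gz", 1 * MB) for i in range(1, 9)],
    _ct("2025-10-21T09:20:00Z", "CopyObject", EPH, "corp-logs", "archive/x.gz"),
]})


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def instance_id(rec):
    """Instance-profile sessions are named after the instance ID in the STS ARN."""
    ident = rec.get("userIdentity", {})
    session = ident.get("arn", "").rsplit("/", 1)[-1]
    return session if ident.get("type") == "AssumedRole" and session.startswith("i-") else None


def in_scope(instance):
    key, value = INSTANCE_TAG
    return INSTANCE_TAGS.get(instance, {}).get(key) == value


def find_write_bursts(trail_json, window=TIME_WINDOW, max_objects=OBJECT_WRITE_THRESHOLD,
                      max_bytes=BYTES_WRITE_THRESHOLD):
    """One alert per (instance, bucket) whose sliding window first exceeds a threshold."""
    writes = defaultdict(list)          # (instance, bucket) -> [(time, bytes, key)]
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in WRITE_EVENTS:
            continue
        bucket = rec["requestParameters"].get("bucketName")
        inst = instance_id(rec)
        if bucket not in CLOUD_BUCKET_LIST or not inst or not in_scope(inst):
            continue
        nbytes = rec.get("additionalEventData", {}).get("bytesTransferredIn", 0)
        writes[(inst, bucket)].append((parse_time(rec["eventTime"]), nbytes,
                                       rec["requestParameters"].get("key")))
    alerts = []
    for (inst, bucket), items in writes.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1              # slide the window forward
            count = end - start + 1
            total = sum(b for _, b, _ in items[start:end + 1])
            if count >= max_objects or total >= max_bytes:
                alerts.append({"instance": inst, "bucket": bucket, "objects": count,
                               "bytes": total, "window_end": items[end][0].isoformat(),
                               "tags": INSTANCE_TAGS[inst]})
                break
    return alerts
```

With these values the ephemeral worker trips the object-count threshold at its fifth write (250 MB, below the byte threshold), while the web host's eight writes are ignored because its Lifecycle tag is not in scope and the CopyObject to corp-logs is ignored because that bucket is not in CloudBucketList. The same grouping applies to GCP storage audit logs by substituting the service account or instance identity for the STS session name.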

ESXi

AN0044

Detects snapshots being created, or data being written to VMFS datastores, from the root ESXi shell or from remote agents. Interactive shell commands such as vim-cmd vmsvc/snapshot.create or esxcli are recorded in /var/log/shell.log, while snapshot tasks initiated through the vSphere API are logged by hostd in /var/log/hostd.log, so both are needed to distinguish a manual snapshot from an API-driven one (the CLIContext element). A snapshot is a convenient way to take a consistent copy of a running guest's disk without touching the guest, so a burst of snapshots across many VMs from a single account, or datastore writes by a non-admin or automation account outside its normal schedule, is the signal that data is being staged on the hypervisor.

Log Sources

Data Component             Name            Channel
File Access (DC0055)       esxi:vmkernel   VMFS access logs
Command Execution (DC0064) esxi:shell      snapshot create/copy, esxcli

Mutable Elements

Field              Description
SnapshotFrequency  Number of snapshots in short time period
AccessUserList     Non-admins or automation accounts writing to datastores
CLIContext         Manual or unexpected API calls triggering snapshots