DET0261 Detection of Local Data Staging Prior to Exfiltration
| Item | Value |
| --- | --- |
| ID | DET0261 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1074.001 (Local Data Staging)
Analytics
Windows
AN0724
Detects file reads across locations followed by writes to temp or staging directories, often compressed or encrypted, indicating local staging behavior.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| StagingDirList | Paths such as C:\Temp, C:\Windows\Tasks, etc. |
| ArchivingToolPatterns | Matches to 7z.exe, rar.exe, zip.exe, or custom scripts. |
| TimeWindow | How long to correlate file reads followed by compression. |
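An added example of the correlation AN0724 describes, written here and not part of the ATT&CK page: file reads from several source directories by one user on one host, followed within TimeWindow by an archiving tool writing into a directory from StagingDirList. The Sysmon-style events, host name and user names are constructed.

```python
"""Correlate multi-directory file reads with a later archive write into a
staging directory (analytic AN0724). Sample events below are constructed."""
from datetime import datetime, timedelta
from ntpath import dirname, basename

STAGING_DIR_LIST = [r"C:\Temp", r"C:\Windows\Tasks"]        # mutable element
ARCHIVING_TOOL_PATTERNS = ["7z.exe", "rar.exe", "zip.exe"]  # mutable element
TIME_WINDOW = timedelta(minutes=10)                          # mutable element
MIN_SOURCE_DIRS = 2  # distinct read locations required before a staging write

def in_staging_dir(path):
    return any(path.lower().startswith(d.lower() + "\\") for d in STAGING_DIR_LIST)

def is_archiver(image):
    return basename(image).lower() in ARCHIVING_TOOL_PATTERNS

def detect_staging(events):
    """One alert per archiver write into a staging dir that the same user on the
    same host preceded, within TIME_WINDOW, with reads from at least
    MIN_SOURCE_DIRS distinct non-staging directories."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, w in enumerate(events):
        if w["event"] != "FileWrite" or not is_archiver(w["image"]) or not in_staging_dir(w["path"]):
            continue
        src_dirs = set()
        for r in events[:i]:  # only events that happened before the write
            if (r["event"] == "FileRead" and r["host"] == w["host"] and r["user"] == w["user"]
                    and w["ts"] - r["ts"] <= TIME_WINDOW and not in_staging_dir(r["path"])):
                src_dirs.add(dirname(r["path"]).lower())
        if len(src_dirs) >= MIN_SOURCE_DIRS:
            alerts.append({"host": w["host"], "user": w["user"], "archive": w["path"],
                           "tool": basename(w["image"]).lower(), "source_dirs": sorted(src_dirs)})
    return alerts

def ev(hms, user, event, image, path, host="WS01"):  # constructed event record
    return {"ts": datetime.strptime("2025-10-21 " + hms, "%Y-%m-%d %H:%M:%S"),
            "host": host, "user": user, "event": event, "image": image, "path": path}

SAMPLE_EVENTS = [
    ev("10:00:00", "alice", "FileRead", r"C:\Windows\explorer.exe", r"C:\Users\alice\Documents\q3-forecast.xlsx"),
    ev("10:00:30", "alice", "FileRead", r"C:\Windows\explorer.exe", r"C:\Finance\payroll.csv"),
    ev("10:01:00", "alice", "FileRead", r"C:\Windows\explorer.exe", r"C:\Users\alice\Desktop\notes.txt"),
    ev("10:02:00", "alice", "FileWrite", r"C:\Program Files\7-Zip\7z.exe", r"C:\Temp\out.7z"),
    # bob: archive write inside the window, but reads came from a single directory
    ev("11:00:00", "bob", "FileRead", r"C:\Windows\explorer.exe", r"C:\Users\bob\Documents\a.docx"),
    ev("11:01:00", "bob", "FileWrite", r"C:\Tools\zip.exe", r"C:\Temp\b.zip"),
    # carol: reads across directories, but the archive write lands outside TimeWindow
    ev("12:00:00", "carol", "FileRead", r"C:\Windows\explorer.exe", r"C:\HR\reviews.docx"),
    ev("12:00:10", "carol", "FileRead", r"C:\Windows\explorer.exe", r"C:\Legal\contract.pdf"),
    ev("12:30:00", "carol", "FileWrite", r"C:\Tools\rar.exe", r"C:\Windows\Tasks\c.rar"),
]
```

Only alice's sequence satisfies all three conditions; tune TIME_WINDOW and MIN_SOURCE_DIRS against your own baseline of legitimate backup and packaging activity.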
Linux
AN0725
Detects aggregation of files from different directories into /tmp, /mnt, or user-specified directories with archiving tools like tar or gzip.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| StagingDirs | e.g., /tmp, /var/tmp, custom user dirs |
| ArchiveUtilities | tar, gzip, zip, 7z |
| UserThreshold | Number of files or size written in a short time |
macOS
AN0726
Detects staged data aggregated in /Users/Shared, /private/tmp with compression tools like ditto or zip, initiated via Terminal or AppleScript.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| StagingTargets | Shared dirs commonly abused for local collection |
| CompressionBinaries | zip, tar, ditto |
| TimeWindow | Seconds/minutes between source file read and output staging write |
ESXi
AN0727
Detects local staging behavior via snapshot creation or files written into VMFS partitions by scripts or unauthorized shell access.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| SnapshotThreshold | Rapid creation or deletion of snapshots |
| CLIInvoker | Unexpected CLI/script invocation outside maintenance windows |
| VMFSWriteRate | Volume of data written locally in a short time |