Detects staging of sensitive files into temporary or public directories, compression with 7zip/WinRAR, or batch copy prior to exfiltration.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| StagingDirectoryList | Temp folders or user profile staging directories |
| CompressionToolList | 7z.exe, rar.exe, zip.exe paths |
| TimeWindow | Temporal bounds for detecting batch staging activities |


Detects script or user activity copying files to a central temp or /mnt directory followed by archive/compression utilities.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | auditd:SYSCALL | creat |
| Process Creation (DC0032) | auditd:SYSCALL | execve |

| Field | Description |
|---|---|
| StagingDirectoryList | e.g., /tmp/, /var/tmp/, /mnt/ |
| ArchivingCommandPatterns | grep for 'tar', 'zip', 'gzip', '7z' |
| UserContext | Interactive or elevated shells running archiving commands |


Detects files collected into user temp or shared directories followed by compression with ditto, zip, or custom scripts.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | macos:unifiedlog | file events |
| Process Creation (DC0032) | macos:unifiedlog | exec logs |

| Field | Description |
|---|---|
| CompressionUtilityList | e.g., 'ditto', 'zip', 'tar' |
| SharedDirectoryIndicators | e.g., /Users/Shared/ or /private/tmp/ |
| ScriptInvocationContext | osascript or Terminal automation by non-GUI processes |


Detects virtual disk expansion or file copy operations to cloud buckets or mounted volumes from isolated instances.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Storage Access (DC0025) | AWS:CloudTrail | PutObject, CopyObject |
| File Access (DC0055) | gcp:audit | Write operations to storage |

| Field | Description |
|---|---|
| CloudBucketList | Staging bucket or mount point for data |
| InstanceTag | Behavior restricted to specific ephemeral instances |
| ObjectWriteThreshold | Volume or size of files pushed in burst |


Detects snapshots or data stored in VMFS volumes from root CLI or remote agents.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | esxi:vmkernel | VMFS access logs |
| Command Execution (DC0064) | esxi:shell | snapshot create/copy, esxcli |

| Field | Description |
|---|---|
| SnapshotFrequency | Number of snapshots in short time period |
| AccessUserList | Non-admins or automation accounts writing to datastores |
| CLIContext | Manual or unexpected API calls triggering snapshots |