Detects file transfers or mounting operations from remote hosts followed by write actions into a local staging directory, often using SMB or remote shell activity.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Network Share Access (DC0102) | WinEventLog:Microsoft-Windows-SMBClient/Security | EventID=31001 |
| Command Execution (DC0064) | WinEventLog:PowerShell | CommandLine=copy-item or robocopy from UNC path |

| Field | Description |
|---|---|
| StagingDirectory | Common directories such as C:\Temp, Downloads, or hidden folders used for remote staging |
| RemotePathPatterns | UNC paths like \\10.* or \\domain\share indicating lateral data staging |
| CopyToolPatterns | Usage of robocopy, xcopy, copy-item, or scheduled tasks performing cross-host copies |
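
The Windows correlation described above, written out as an added example (it is not part of the original page): a Sysmon EventCode 11 file creation under a staging directory is paired with any SMBClient 31001 share access or PowerShell copy-tool command referencing a UNC path on the same host inside a look-back window. The staging directories, UNC pattern, five-minute window and the sample events are all assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Tunable elements from the table above. The concrete values are assumptions
# for this example, not settings taken from the page.
STAGING_DIR_PATTERNS = [
    re.compile(r"^c:\\temp\\", re.I),          # C:\Temp and anything below it
    re.compile(r"\\downloads\\", re.I),        # any user's Downloads folder
]
# UNC path: \\10.x.x.x\share or \\hostname\share
REMOTE_PATH_PATTERN = re.compile(
    r"\\\\(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|[\w.-]+)\\[\w$.-]+", re.I)
COPY_TOOL_PATTERN = re.compile(r"\b(robocopy|xcopy|copy-item)\b", re.I)
WINDOW = timedelta(minutes=5)   # how far back to look for a remote-access precursor


def is_staging_path(path):
    return any(p.search(path) for p in STAGING_DIR_PATTERNS)


def is_remote_precursor(ev):
    """True when the event shows this host reaching for data on another host."""
    if ev["source"] == "SMBClient" and ev.get("event_id") == 31001:
        return True
    if ev["source"] == "PowerShell":
        cmd = ev["CommandLine"]
        return bool(COPY_TOOL_PATTERN.search(cmd) and REMOTE_PATH_PATTERN.search(cmd))
    return False


def find_remote_staging(events, window=WINDOW):
    """Pair each Sysmon file creation in a staging directory with the remote-access
    precursors seen on the same host inside the look-back window."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["source"] != "Sysmon" or ev.get("event_id") != 11:
            continue
        if not is_staging_path(ev["TargetFilename"]):
            continue
        precursors = [
            p for p in events[:i]
            if p["host"] == ev["host"]
            and ev["ts"] - p["ts"] <= window
            and is_remote_precursor(p)
        ]
        if precursors:
            alerts.append({"host": ev["host"], "file": ev["TargetFilename"],
                           "precursors": precursors})
    return alerts


def _t(hhmmss):
    return datetime.fromisoformat("2024-03-01T" + hhmmss)


# Constructed sample events (not real telemetry), already parsed into dicts.
SAMPLE_EVENTS = [
    {"ts": _t("10:00:00"), "source": "SMBClient", "event_id": 31001, "host": "WS01",
     "ServerName": r"\\10.0.0.5"},
    {"ts": _t("10:00:30"), "source": "PowerShell", "host": "WS01",
     "CommandLine": r"Copy-Item \\10.0.0.5\finance\q3.xlsx C:\Temp\stage"},
    {"ts": _t("10:00:45"), "source": "Sysmon", "event_id": 11, "host": "WS01",
     "TargetFilename": r"C:\Temp\stage\q3.xlsx"},
    # Same directory twenty minutes later, no remote precursor inside the window
    {"ts": _t("10:20:00"), "source": "Sysmon", "event_id": 11, "host": "WS01",
     "TargetFilename": r"C:\Temp\stage\notes.txt"},
    # Ordinary application logging outside any staging directory
    {"ts": _t("10:21:00"), "source": "Sysmon", "event_id": 11, "host": "WS02",
     "TargetFilename": r"C:\Program Files\App\app.log"},
    # Local-to-local robocopy: a copy tool, but no UNC source, so not a precursor
    {"ts": _t("10:22:00"), "source": "PowerShell", "host": "WS02",
     "CommandLine": r"robocopy D:\data E:\backup /E"},
    {"ts": _t("10:22:30"), "source": "Sysmon", "event_id": 11, "host": "WS02",
     "TargetFilename": r"C:\Temp\build.dat"},
]

if __name__ == "__main__":
    for a in find_remote_staging(SAMPLE_EVENTS):
        print(a["host"], a["file"], len(a["precursors"]), "precursor(s)")
```

Only the q3.xlsx write fires, with both the share access and the Copy-Item command attached as precursors; the later write to the same directory and the local robocopy on WS02 stay quiet. Tuning the window and the staging patterns against the host's normal copy activity is what keeps the rule from paging on routine file-server use.
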
Detects inbound SCP, rsync, or NFS mounts from remote systems followed by aggregation of files into known staging paths like /mnt/staging or /var/tmp.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Traffic Content (DC0085) | NSM:Flow | SSH logins or scp activity |

| Field | Description |
|---|---|
| RemoteHosts | Expected inbound transfer hosts to filter normal activity from staging behavior |
| MountTargets | Directory destinations used as centralized locations |
| TransferVolumeThreshold | Threshold of transferred files or data volume over time |
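
The RemoteHosts, MountTargets and TransferVolumeThreshold elements above, applied as a sliding-window volume check in an added example (not code from the original page). Each record is assumed to be a constructed join of the auditd execve/open records with the NSM flow, so it already carries the remote peer, the transfer tool and the bytes written; the allow-listed host, mount targets, thresholds and sample records are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunable elements from the table above; the concrete values are assumptions.
EXPECTED_REMOTE_HOSTS = {"10.0.0.9"}            # e.g. the backup server: its rsync traffic is normal
MOUNT_TARGETS = ("/mnt/staging", "/var/tmp")    # centralised write destinations to watch
TRANSFER_TOOLS = {"/usr/bin/scp", "/usr/bin/rsync", "/usr/lib/openssh/sftp-server"}
FILE_THRESHOLD = 5                              # files per window from one remote host
BYTE_THRESHOLD = 50 * 1024 * 1024               # bytes per window from one remote host
WINDOW = timedelta(minutes=10)


def in_mount_target(path):
    return any(path == t or path.startswith(t + "/") for t in MOUNT_TARGETS)


def detect_bulk_staging(records):
    """Per remote host, count files and bytes written by a transfer tool into the
    mount targets inside a sliding window; alert once per host when a threshold trips."""
    per_host = defaultdict(deque)   # remote_host -> deque of (ts, bytes) inside the window
    alerted = set()
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["exe"] not in TRANSFER_TOOLS or not in_mount_target(r["path"]):
            continue
        if r["remote_host"] in EXPECTED_REMOTE_HOSTS:
            continue
        q = per_host[r["remote_host"]]
        q.append((r["ts"], r["bytes"]))
        while q and r["ts"] - q[0][0] > WINDOW:
            q.popleft()                          # evict writes older than the window
        total_bytes = sum(b for _, b in q)
        if r["remote_host"] in alerted:
            continue
        reason = None
        if len(q) >= FILE_THRESHOLD:
            reason = "file_count"
        elif total_bytes >= BYTE_THRESHOLD:
            reason = "byte_volume"
        if reason:
            alerted.add(r["remote_host"])
            alerts.append({"remote_host": r["remote_host"], "reason": reason,
                           "file_count": len(q), "bytes": total_bytes,
                           "last_path": r["path"]})
    return alerts


def _t(hhmmss):
    return datetime.fromisoformat("2024-03-01T" + hhmmss)


def _rec(hhmmss, remote_host, exe, path, nbytes):
    return {"ts": _t(hhmmss), "remote_host": remote_host, "exe": exe,
            "path": path, "bytes": nbytes}


# Constructed sample records (not real audit data).
SAMPLE_RECORDS = [
    # Allow-listed backup host: many files, but expected
    *[_rec("01:%02d:00" % m, "10.0.0.9", "/usr/bin/rsync",
           "/mnt/staging/backup/f%d" % m, 1_000_000) for m in range(8)],
    # Unexpected peer dropping six small files into /var/tmp within six minutes
    *[_rec("09:0%d:00" % m, "10.0.0.42", "/usr/bin/scp",
           "/var/tmp/.cache/part%d.tgz" % m, 200_000) for m in range(6)],
    # Another peer: one 60 MB archive, which trips the byte threshold alone
    _rec("09:30:00", "10.0.0.55", "/usr/bin/scp", "/mnt/staging/dump.tar.gz", 60 * 1024 * 1024),
    # Writes outside the mount targets are ignored
    _rec("09:31:00", "10.0.0.77", "/usr/bin/scp", "/home/dev/notes.txt", 500),
    _rec("09:32:00", "10.0.0.77", "/usr/bin/scp", "/home/dev/notes2.txt", 500),
    # A process in the session that is not a transfer tool is ignored
    _rec("09:33:00", "10.0.0.77", "/usr/bin/tar", "/var/tmp/a.tar", 100),
]

if __name__ == "__main__":
    for a in detect_bulk_staging(SAMPLE_RECORDS):
        print(a["remote_host"], a["reason"], a["file_count"], "files", a["bytes"], "bytes")
```

The file-count and byte-volume thresholds are deliberately separate: a handful of large archives and a spray of many small files are both staging patterns, and a single combined score hides one of them. The expected-host allow list is what separates a nightly rsync from the same tool used by an unfamiliar peer.
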
Detects rsync or scp inbound from other hosts that then aggregate content into /Users/Shared or /private/tmp, often involving compressed files or scripts.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | exec logs |
| File Creation (DC0039) | macos:unifiedlog | file events |
| Network Traffic Content (DC0085) | NSM:Flow | remote login and transfer |

| Field | Description |
|---|---|
| StagingPaths | Monitored remote-to-local write destinations such as /Users/Shared |
| CompressionIndicators | Presence of .zip, .7z, or tar.gz indicating consolidation |
| TimeWindow | Temporal correlation of transfer and staging write operations |
Detects remote writes or snapshots mounted from other systems into a central ESXi VMFS path or NFS store used for remote staging of files before exfiltration.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | esxi:vmkernel | VMFS file creation |
| Network Traffic Content (DC0085) | esxi:vob | NFS/remote access logs |
| Command Execution (DC0064) | esxi:shell | invoked remote scripts (esxcli) |

| Field | Description |
|---|---|
| SnapshotFrequency | How often snapshots are mounted or restored from peer nodes |
| RemoteWriteVolume | Threshold for staging behavior vs. backup/operational activity |
| StorageMountPaths | Common local destinations for incoming data |
Detects remote write activity across cloud VMs or object storage buckets within the same region/account that correlates with data aggregation across hosts.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Storage Access (DC0025) | AWS:CloudTrail | PutObject, CopyObject |
| Network Traffic Content (DC0085) | AWS:VPCFlowLogs | Traffic between instances |
| Process Creation (DC0032) | esxi:hostd | process execution across cloud VM |

| Field | Description |
|---|---|
| BucketNamePatterns | Destination naming convention used for staging (e.g., temp-store) |
| IAMContext | IAM role or user performing multi-host write ops |
| TransferWindow | Burst of high-volume inter-VM transfers indicating staging |
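
The BucketNamePatterns, IAMContext and TransferWindow elements above, combined in an added example (not code from the original page): CloudTrail PutObject/CopyObject records into a bucket matching the staging pattern are grouped by IAM identity, and an alert fires when one identity writes from several distinct source addresses inside the window. The records are constructed in the shape of the CloudTrail fields the logic reads (eventTime, eventName, userIdentity.arn, sourceIPAddress, requestParameters.bucketName); the account ID 123456789012 is a placeholder, and the bucket pattern, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable elements from the table above; the concrete values are assumptions.
BUCKET_NAME_PATTERN = re.compile(r"^temp-store", re.I)   # staging buckets such as temp-store-<suffix>
WRITE_EVENTS = {"PutObject", "CopyObject"}
MIN_DISTINCT_SOURCES = 3        # writes from this many source addresses count as multi-host
TRANSFER_WINDOW = timedelta(minutes=15)


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_multi_host_staging(records):
    """Flag an (IAM identity, bucket) pair that receives object writes from several
    distinct source addresses inside the transfer window."""
    writes = []
    for r in records:
        if r["eventName"] not in WRITE_EVENTS:
            continue
        bucket = r["requestParameters"]["bucketName"]
        if not BUCKET_NAME_PATTERN.search(bucket):
            continue
        writes.append((_parse_time(r["eventTime"]), r["userIdentity"]["arn"],
                       r["sourceIPAddress"], bucket))
    writes.sort()
    recent = defaultdict(list)   # (arn, bucket) -> [(ts, ip)] still inside the window
    alerts = {}
    for ts, arn, ip, bucket in writes:
        key = (arn, bucket)
        window = recent[key] + [(ts, ip)]
        recent[key] = window = [w for w in window if ts - w[0] <= TRANSFER_WINDOW]
        sources = {w[1] for w in window}
        if len(sources) >= MIN_DISTINCT_SOURCES and key not in alerts:
            alerts[key] = {"identity": arn, "bucket": bucket,
                           "distinct_sources": len(sources), "writes_in_window": len(window),
                           "first_seen": window[0][0], "last_seen": ts}
    return list(alerts.values())


def _ev(time, name, arn, ip, bucket, key):
    # Constructed record; only the fields read by the detector are populated.
    return {"eventTime": time, "eventName": name, "userIdentity": {"arn": arn},
            "sourceIPAddress": ip, "requestParameters": {"bucketName": bucket, "key": key}}


APP = "arn:aws:sts::123456789012:assumed-role/app-writer/session"   # placeholder account
BACKUP = "arn:aws:iam::123456789012:role/backup-agent"
ALICE = "arn:aws:iam::123456789012:user/alice"

SAMPLE_CLOUDTRAIL = [
    # app-writer pushes data into temp-store from three instances within ten minutes
    _ev("2024-03-01T10:00:00Z", "PutObject", APP, "10.0.1.10", "temp-store-7f3a", "h1/db.tar.gz"),
    _ev("2024-03-01T10:04:00Z", "CopyObject", APP, "10.0.1.11", "temp-store-7f3a", "h2/home.tgz"),
    _ev("2024-03-01T10:09:00Z", "PutObject", APP, "10.0.1.12", "temp-store-7f3a", "h3/mail.zip"),
    # Routine backups from one host into a bucket that does not match the pattern
    _ev("2024-03-01T10:01:00Z", "PutObject", BACKUP, "10.0.2.5", "nightly-backups", "2024-03-01.bak"),
    _ev("2024-03-01T10:02:00Z", "PutObject", BACKUP, "10.0.2.5", "nightly-backups", "2024-03-01.log"),
    # Reads of the staging bucket are not writes
    _ev("2024-03-01T10:05:00Z", "GetObject", ALICE, "10.0.3.1", "temp-store-7f3a", "h1/db.tar.gz"),
    # Two sources stays below the multi-host threshold
    _ev("2024-03-01T10:06:00Z", "PutObject", ALICE, "10.0.3.1", "temp-store-7f3a", "notes.txt"),
    _ev("2024-03-01T10:07:00Z", "PutObject", ALICE, "10.0.3.2", "temp-store-7f3a", "notes2.txt"),
    # A lone write well outside the window does not re-trigger the app-writer alert
    _ev("2024-03-01T11:30:00Z", "PutObject", APP, "10.0.1.13", "temp-store-7f3a", "h4/x.bin"),
]

if __name__ == "__main__":
    for a in detect_multi_host_staging(SAMPLE_CLOUDTRAIL):
        print(a["identity"], "->", a["bucket"], a["distinct_sources"], "sources",
              a["first_seen"], "to", a["last_seen"])
```

Keying on the IAM identity rather than the instance is the point: a role that legitimately writes from one fleet member will rarely write from three different addresses into a temp bucket inside a quarter of an hour, while the same writes spread across separate identities would look like three unrelated jobs. VPC Flow Logs, the other source in the table, can confirm the inter-instance traffic behind the same burst.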