Detection of Local Data Staging Prior to Exfiltration

Technique Detected: Local Data Staging | T1074.001

ID: DET0261
Domains: Enterprise
Analytics: AN0724, AN0725, AN0726, AN0727
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0724

Detects file reads across locations followed by writes to temp or staging directories, often compressed or encrypted, indicating local staging behavior.

Log Sources
Data Component            | Name                 | Channel
File Creation (DC0039)    | WinEventLog:Sysmon   | EventCode=11
Process Creation (DC0032) | WinEventLog:Sysmon   | EventCode=1
File Access (DC0055)      | WinEventLog:Security | EventCode=4663

Mutable Elements
Field                 | Description
StagingDirList        | Paths such as C:\Temp, C:\Windows\Tasks, etc.
ArchivingToolPatterns | Matches to 7z.exe, rar.exe, zip.exe, or custom scripts.
TimeWindow            | Maximum time between the file reads and the subsequent compression for the two to be correlated.
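A worked correlation of AN0724 over constructed Sysmon and Security events, as an added example that is not part of this detection strategy: the mutable elements become tunable constants, and an alert fires when a write into StagingDirList by an archiving tool follows reads from several distinct directories within TimeWindow by the same user. The normalised event shape, the field names and the sample values are assumptions.

```python
import ntpath
from datetime import datetime, timedelta
# Mutable elements from AN0724; these values are constructed, tune them per environment.
STAGING_DIR_LIST = ("C:\\Temp\\", "C:\\Windows\\Tasks\\")
ARCHIVING_TOOL_PATTERNS = ("7z.exe", "rar.exe", "zip.exe")
TIME_WINDOW = timedelta(minutes=10)
MIN_SOURCE_DIRS = 2  # reads from fewer distinct directories look like normal use

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
def in_staging_dir(path):
    return any(path.lower().startswith(d.lower()) for d in STAGING_DIR_LIST)
def is_archiver(image):
    return ntpath.basename(image).lower() in ARCHIVING_TOOL_PATTERNS

def detect_local_staging(events):
    """One alert per staging write (Sysmon EventCode=11 into StagingDirList) preceded within
    TimeWindow, for the same user, by 4663 reads from MIN_SOURCE_DIRS dirs and an archiver."""
    alerts = []
    events = sorted(events, key=lambda e: _ts(e["time"]))
    for ev in events:
        if not (ev["source"] == "Sysmon" and ev["code"] == 11 and in_staging_dir(ev["path"])):
            continue
        t_end, src_dirs, archiver = _ts(ev["time"]), set(), None
        for prior in events:
            t = _ts(prior["time"])
            if prior["user"] != ev["user"] or not (t_end - TIME_WINDOW <= t <= t_end):
                continue
            if prior["source"] == "Security" and prior["code"] == 4663 and not in_staging_dir(prior["path"]):
                src_dirs.add(ntpath.dirname(prior["path"]).lower())  # where the data was collected from
            if prior["source"] == "Sysmon" and prior["code"] == 1 and is_archiver(prior["image"]):
                archiver = prior["image"]
        if len(src_dirs) >= MIN_SOURCE_DIRS and (archiver or is_archiver(ev["image"])):
            alerts.append({"user": ev["user"], "staged_file": ev["path"],
                           "archiver": archiver or ev["image"], "source_dirs": sorted(src_dirs)})
    return alerts

# Constructed sample events (Sysmon EventCode 1/11 and Security 4663) in a common shape.
SAMPLE_EVENTS = [
    {"time": "2025-10-21 09:00:05", "source": "Security", "code": 4663, "user": "CORP\\jdoe",
     "image": r"C:\Windows\explorer.exe", "path": r"C:\Users\jdoe\Documents\q3-forecast.xlsx"},
    {"time": "2025-10-21 09:00:40", "source": "Security", "code": 4663, "user": "CORP\\jdoe",
     "image": r"C:\Windows\explorer.exe", "path": r"\\fs01\finance\payroll.csv"},
    {"time": "2025-10-21 09:01:10", "source": "Sysmon", "code": 1, "user": "CORP\\jdoe",
     "image": r"C:\Program Files\7-Zip\7z.exe", "path": ""},
    {"time": "2025-10-21 09:01:12", "source": "Sysmon", "code": 11, "user": "CORP\\jdoe",
     "image": r"C:\Program Files\7-Zip\7z.exe", "path": r"C:\Temp\out.7z"},
    {"time": "2025-10-21 13:00:00", "source": "Sysmon", "code": 11, "user": "CORP\\svc_build",
     "image": r"C:\Windows\System32\msiexec.exe", "path": r"C:\Temp\installer.log"},  # benign
]
```

The last event shows the benign case: a temp-directory write with no preceding multi-directory reads or archiver launch produces no alert.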

AN0725

Detects aggregation of files from different directories into /tmp, /mnt, or user-specified directories with archiving tools like tar or gzip.

Log Sources
Data Component            | Name           | Channel
File Access (DC0055)      | auditd:SYSCALL | open
Process Creation (DC0032) | auditd:SYSCALL | execve

Mutable Elements
Field            | Description
StagingDirs      | e.g., /tmp, /var/tmp, custom user dirs
ArchiveUtilities | tar, gzip, zip, 7z
UserThreshold    | Number of files, or volume of data, written by one user within a short time

AN0726

Detects staged data aggregated in /Users/Shared or /private/tmp with compression tools like ditto or zip, initiated via Terminal or AppleScript.

Log Sources
Data Component            | Name              | Channel
File Access (DC0055)      | macos:unifiedlog  | file events
Process Creation (DC0032) | macos:unifiedlog  | exec logs

Mutable Elements
Field               | Description
StagingTargets      | Shared dirs commonly abused for local collection
CompressionBinaries | zip, tar, ditto
TimeWindow          | Seconds/minutes between source file read and output staging write

AN0727

Detects local staging behavior via snapshot creation or files written into VMFS partitions by scripts or unauthorized shell access.

Log Sources
Data Component            | Name          | Channel
Snapshot Creation (DC0057) | esxi:vmkernel | snapshot create/write events
Command Execution (DC0064) | esxi:shell    | CLI usage logs

Mutable Elements
Field             | Description
SnapshotThreshold | Rapid creation or deletion of snapshots
CLIInvoker        | Unexpected CLI/script invocation outside maintenance windows
VMFSWriteRate     | Volume of data written locally in short time