Data Staging and Exfiltration Hunting

Hunt for data staging, compression, and exfiltration activity before and during data theft.

Last updated: February 2026

Purpose and Scope

Before exfiltrating data, attackers typically stage, compress, and sometimes encrypt files. Detecting this pre-exfiltration activity provides an opportunity to stop data theft before it completes. This playbook covers hunting for data staging and exfiltration behaviors.

Prerequisites

  • Endpoint telemetry: Process execution, file system activity, command line logging
  • Network logs: Proxy, firewall, and flow data with volume metrics
  • DLP alerts: Data loss prevention signals if available
  • Cloud storage logs: Access patterns for SharePoint, OneDrive, cloud apps
  • Baseline data: Normal data transfer volumes per user and system

Detection Goals

Identify indicators of data theft including:

  • Large scale file access or collection
  • Archive creation (zip, rar, 7z) in unusual locations
  • Compression of sensitive directories
  • Staging data in temporary locations
  • Encryption before exfiltration
  • Large outbound transfers to unusual destinations
  • Cloud storage abuse for exfiltration

Data Staging Indicators

Archive Creation

Attackers commonly use built-in and third-party tools to compress data:

  • Windows: Compress-Archive PowerShell cmdlet, tar, compact.exe
  • Third-party: 7z.exe, rar.exe, WinRAR
  • Custom tools: Malware with built-in compression

Watch for archive creation in:

  • Temp directories (C:\Temp, C:\Windows\Temp, %TEMP%)
  • Recycle bin
  • User profile hidden folders
  • Unusual system directories

Sensitive Directory Access

Bulk access to sensitive locations:

  • Network shares containing confidential data
  • Email archives (PST, OST files)
  • Database exports
  • Source code repositories
  • Financial or HR directories

Staging Location Patterns

Common staging locations to monitor:

  • C:\ProgramData subdirectories
  • C:\Users\Public
  • Root of drives other than C:
  • Recycle bin contents
  • AppData\Local\Temp

Hunting Queries

Archive Creation in Suspicious Locations

Splunk (Sysmon):

index=windows sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11
| where match(TargetFilename, "\.(zip|rar|7z|tar|gz)$")
| where match(TargetFilename, "(?i)(temp|tmp|recycle|public|programdata)")
| stats count by Computer, User, TargetFilename, Image
| sort -count

Compression Tool Execution

index=windows sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1
| where match(Image, "(?i)(7z|rar|winrar|compress)")
  OR match(CommandLine, "(?i)(compress-archive|tar\s+-c|makecab)")
| table _time, Computer, User, Image, CommandLine, ParentImage

PowerShell Archive Commands

index=windows sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1
Image=*powershell*
| where match(CommandLine, "(?i)(compress-archive|zip|out-file.*\.(zip|7z))")
| table _time, Computer, User, CommandLine

Bulk File Access

Detect bulk handling of many document files. Sysmon EventCode 11 records file creation, so this query catches documents being copied or written into a location in bulk; reads of existing files are not logged by Sysmon and require object access auditing (Windows Security Event 4663 with a SACL on the sensitive share or directory):

index=windows sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11
| where match(TargetFilename, "(?i)\.(docx|xlsx|pdf|pptx|txt)$")
| bucket _time span=5m
| stats count as file_count, dc(TargetFilename) as unique_files by _time, Computer, User
| where unique_files > 50

Large File Creation

Sysmon does not record file size, so file_size_lookup below stands in for whatever source does supply it (EDR file telemetry or a periodic scan of the staging directories):
index=windows sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11
| where match(TargetFilename, "\.(zip|rar|7z|tar)$")
| lookup file_size_lookup filename as TargetFilename OUTPUT size_bytes
| where size_bytes > 100000000
| table _time, Computer, User, TargetFilename, size_bytes

Exfiltration Detection

Network Volume Anomalies

Splunk (run over a bounded window such as the last 24 hours and compare the result with the per-user baseline from the prerequisites):

index=proxy
| stats sum(bytes_out) as upload_bytes by user, dest_host
| where upload_bytes > 50000000
| sort -upload_bytes
| table user, dest_host, upload_bytes

Unusual Upload Destinations

index=proxy method=POST
| stats sum(bytes_out) as bytes, dc(user) as users by dest_host
| where bytes > 10000000 AND users < 3
| lookup domain_category dest_host OUTPUT category
| where category IN ("uncategorized", "file-sharing", "cloud-storage")
| table dest_host, bytes, users, category

Cloud Storage Exfiltration

Watch for unusual uploads to sanctioned cloud services:

index=cloud_audit service IN ("sharepoint", "onedrive", "google_drive")
action IN ("FileUploaded", "FileSyncUploadedFull")
| stats sum(file_size) as total_bytes, count by user
| where total_bytes > 100000000
| sort -total_bytes

DNS Exfiltration

Data encoded in DNS queries shows up as unusually long leftmost labels; the query measures that label and aggregates by source and domain:

index=dns
| eval subdomain_length = len(mvindex(split(query, "."), 0))
| where subdomain_length > 30
| stats count, avg(subdomain_length) as avg_len by src_ip, domain
| where count > 100 AND avg_len > 40
| table src_ip, domain, count, avg_len
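The same heuristic as the Splunk query above, as an added Python example that is not part of the original playbook, run over constructed DNS records. It goes one step beyond the query by also requiring that the long labels be mostly unique, which suppresses a common false positive: a long but static hostname (CDN or telemetry endpoint) that a host resolves repeatedly. The record shape, the hypothetical domains and registered_domain (last two labels, no public-suffix handling) are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample DNS records (src_ip, query); not taken from the page.
# 10.0.0.5 issues 120 unique, 54-character labels (tunnel-like);
# 10.0.0.7 repeats one long but static label 150 times (CDN-like).
SAMPLE_DNS = (
    [("10.0.0.5", f"{'a1b2c3d4e5' * 5}{i:04d}.tunnel.example") for i in range(120)]
    + [("10.0.0.7", "www.example.com")] * 50
    + [("10.0.0.7", "very-long-but-static-cdn-hostname-label-0001.cdn.example")] * 150
)

def registered_domain(query):
    """Last two labels; assumption: no public-suffix list handling."""
    labels = query.rstrip(".").split(".")
    return ".".join(labels[-2:])

def first_label(query):
    """Leftmost label, the same thing the Splunk query measures."""
    return query.split(".", 1)[0]

def dns_exfil_candidates(records, min_label=30, min_count=100,
                         min_avg_len=40, min_unique_ratio=0.5):
    """Group long-label queries by (src_ip, domain) and keep groups that are
    frequent, long on average and mostly unique. The unique-label ratio is the
    check added beyond the page's query; static long labels fail it."""
    groups = defaultdict(list)
    for src_ip, query in records:
        label = first_label(query)
        if len(label) > min_label:
            groups[(src_ip, registered_domain(query))].append(label)
    hits = []
    for (src_ip, domain), labels in groups.items():
        count = len(labels)
        avg_len = mean(len(lbl) for lbl in labels)
        unique_ratio = len(set(labels)) / count
        if count > min_count and avg_len > min_avg_len and unique_ratio >= min_unique_ratio:
            hits.append({"src_ip": src_ip, "domain": domain, "count": count,
                         "avg_len": round(avg_len, 1), "unique_ratio": round(unique_ratio, 2)})
    return hits

if __name__ == "__main__":
    for hit in dns_exfil_candidates(SAMPLE_DNS):
        print(hit)
```

With the page's thresholds alone (min_unique_ratio=0.0) both groups fire; with the uniqueness check only the tunnel-like source remains.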

Exfiltration Channels

Common Methods

  • HTTP/HTTPS: POST requests to attacker or cloud infrastructure
  • Cloud storage: Dropbox, Google Drive, OneDrive, Mega
  • Email: Attachments sent to external addresses
  • FTP/SFTP: File transfer protocols
  • DNS: Data encoded in query subdomains
  • ICMP: Data hidden in ping packets
  • Physical media: USB drives (requires endpoint monitoring)

Evasion Techniques

  • Splitting data across multiple small transfers
  • Using legitimate cloud services
  • Encrypting data before exfiltration
  • Exfiltrating during business hours to blend in
  • Using protocols that bypass inspection (DNS, ICMP)

Correlation Opportunities

Combine staging and exfiltration signals:

  • Archive creation followed by large outbound transfer
  • Sensitive file access followed by cloud upload
  • Compression tool execution followed by network spike
  • Encryption commands followed by data transfer
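The first correlation above (archive creation in a staging path followed by a large outbound transfer from the same host) as an added Python example, not code from the original playbook. It reuses the archive and staging-location patterns from the hunting queries, and assumes a constructed, already-normalised event schema with Sysmon-style file creates and proxy-style uploads; hostnames, users and destinations are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Same patterns as the "Archive Creation in Suspicious Locations" query.
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z|tar|gz)$", re.IGNORECASE)
STAGING_RE = re.compile(r"(temp|tmp|recycle|public|programdata)", re.IGNORECASE)

# Constructed sample telemetry (not from the page), normalised to one schema.
SAMPLE_EVENTS = [
    {"kind": "file_create", "time": "2026-02-10T09:02:00", "host": "WS-042", "user": "jdoe",
     "path": r"C:\Users\Public\q1-finance.7z"},
    {"kind": "upload", "time": "2026-02-10T09:25:00", "host": "WS-042", "user": "jdoe",
     "dest": "files.cloud-share.example", "bytes": 180_000_000},
    {"kind": "file_create", "time": "2026-02-10T11:00:00", "host": "WS-017", "user": "build",
     "path": r"D:\builds\release-1.4.zip"},             # archive, but not a staging path
    {"kind": "upload", "time": "2026-02-10T11:05:00", "host": "WS-017", "user": "build",
     "dest": "artifacts.corp.example", "bytes": 400_000_000},
    {"kind": "file_create", "time": "2026-02-10T13:00:00", "host": "WS-099", "user": "asmith",
     "path": r"C:\Windows\Temp\hr.zip"},
    {"kind": "upload", "time": "2026-02-10T16:30:00", "host": "WS-099", "user": "asmith",
     "dest": "files.cloud-share.example", "bytes": 90_000_000},  # outside the window
]

def parse(ts):
    return datetime.fromisoformat(ts)

def correlate_staging_and_upload(events, window=timedelta(hours=1), min_bytes=50_000_000):
    """Pair each archive created in a staging path with every upload of at least
    min_bytes from the same host inside `window` after the creation time."""
    stagings = [e for e in events if e["kind"] == "file_create"
                and ARCHIVE_RE.search(e["path"]) and STAGING_RE.search(e["path"])]
    uploads = [e for e in events if e["kind"] == "upload" and e["bytes"] >= min_bytes]
    hits = []
    for s in stagings:
        t0 = parse(s["time"])
        for u in uploads:
            delta = parse(u["time"]) - t0
            if u["host"] == s["host"] and timedelta(0) <= delta <= window:
                hits.append({"host": s["host"], "user": u["user"], "archive": s["path"],
                             "dest": u["dest"], "bytes": u["bytes"],
                             "minutes_after_staging": int(delta.total_seconds() // 60)})
    return hits

if __name__ == "__main__":
    for hit in correlate_staging_and_upload(SAMPLE_EVENTS):
        print(hit)
```

Only WS-042 is reported: WS-017 created its archive outside a staging path, and WS-099's upload came too long after the archive for the one-hour window (widen the window and it appears, which is the tuning decision this correlation always comes down to).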

Validation and False Positives

  • Legitimate backups: IT performing scheduled backups
  • Software distribution: Deploying packages to endpoints
  • Developer activity: Building and deploying applications
  • Business file sharing: Legitimate large file transfers
  • Email archiving: Compliance or migration projects

Correlate with change management and business context. Validate unusual activity with asset owners.

Escalation Guidance

Escalate when:

  • Staging behavior correlates with unauthorized network access
  • Compression of clearly sensitive data by unauthorized user
  • Large transfers to unrecognized cloud or external destinations
  • Activity associated with known compromised account
  • DLP alerts correlated with staging or transfer activity

References

  • MITRE ATT&CK: Collection (TA0009)
  • MITRE ATT&CK: Exfiltration (TA0010)
  • MITRE ATT&CK: Archive Collected Data (T1560)
  • MITRE ATT&CK: Data Staged (T1074)
  • CISA: Data Exfiltration Detection
  • SANS: Detecting Data Exfiltration
