Detect Local Data Staging in IBM QRadar
Adversaries may stage collected data in a central location or directory on the local system prior to exfiltration. Data may be kept in separate files or combined into one file through archiving techniques. Adversaries commonly use temp directories, hidden folders, or application data paths to aggregate stolen files, credentials, screenshots, keylogger output, and memory dumps before transferring them out. Interactive command shells (cmd.exe, bash) and scripting languages are frequently used to copy and consolidate data into staging locations.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1074 Data Staged
- Sub-technique: T1074.001 Local Data Staging
- Canonical reference: https://attack.mitre.org/techniques/T1074/001/
QRadar Detection Query
```sql
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    LOGSOURCENAME(logsourceid) AS log_source,
    username,
    sourceip,
    QIDNAME(qid) AS event_name,
    "Process Name" AS process_name,
    "Command" AS command_line,
    "File Path" AS file_path,
    CATEGORYNAME(category) AS category_name,
    -- copy/move verb combined with a known staging directory in the command line
    SUM(CASE WHEN
        LOWER("Command") MATCHES '.*(xcopy|robocopy|\\bcopy\\b|\\bmove\\b|cp\\s|mv\\s).*'
        AND LOWER("Command") MATCHES '.*(\\\\temp\\\\|\\\\tmp\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\windows\\\\temp\\\\).*'
        THEN 1 ELSE 0 END) AS bulk_copy_score,
    -- archive or dump-style file written into a staging directory
    SUM(CASE WHEN
        LOWER("File Path") MATCHES '.*(\\\\temp\\\\|\\\\tmp\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\).*'
        AND LOWER("File Path") MATCHES '.*(\\.zip|\\.rar|\\.7z|\\.tar|\\.gz|\\.tmp|\\.dat|\\.db|\\.bak)$'
        THEN 1 ELSE 0 END) AS archive_creation_score,
    -- shell output redirected into a staging directory
    SUM(CASE WHEN
        "Command" MATCHES '.*(>>|>\\s+).*'
        AND LOWER("Command") MATCHES '.*(\\\\temp\\\\|\\\\tmp\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\).*'
        THEN 1 ELSE 0 END) AS redirect_score,
    -- common bulk-copy and archiving tools
    SUM(CASE WHEN
        LOWER("Command") MATCHES '.*(xcopy|robocopy|7z\\.exe|winrar|compact\\s|tar\\s).*'
        THEN 1 ELSE 0 END) AS staging_tool_score
FROM events
WHERE
    LOGSOURCETYPEID(logsourceid) IN (12, 13, 352)
    AND devicetime > NOW() - 86400000
    AND (
        LOWER("Command") MATCHES '.*(xcopy|robocopy|\\bcopy\\b|zip|7z|rar|tar|compact).*'
        OR LOWER("File Path") MATCHES '.*(\\.zip|\\.rar|\\.7z|\\.tar|\\.gz|\\.tmp|\\.dat)$'
        OR "Command" MATCHES '.*(>>|>\\s+).*'
    )
    AND NOT LOWER(COALESCE("Process Name", '')) MATCHES '.*(msmpeng|svchost|tiworker|wuauclt|msiexec|onedrive|teams|slack).*'
GROUP BY event_time, log_source, username, sourceip, event_name, process_name, command_line, file_path, category_name
HAVING (bulk_copy_score + archive_creation_score + redirect_score + staging_tool_score) > 0
ORDER BY event_time DESC
```

Detects T1074.001 Local Data Staging using QRadar AQL against Windows Security and Sysmon log sources. Scores each event across four behavioral indicators (bulk copy, archive creation, output redirect, staging tool usage) and surfaces events with any non-zero score, filtered against known-good system processes. Two AQL details matter for the patterns: MATCHES compares the regular expression against the whole field value, so each pattern is wrapped in '.*' to match a substring, and a backslash inside an AQL string literal must be doubled, so a regex escape is written '\\.' or '\\b' and a literal path backslash '\\\\'. String literals such as the COALESCE default use single quotes; double quotes denote a field or custom property name.
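To unit-test the four indicator regexes before loading the rule into QRadar, the scoring and exclusion logic of the query above is mirrored here in Python over constructed Sysmon-style events. This is an added example, not code from the original page; the event dictionaries use the query's custom property names and are made up for illustration.

```python
import re

# Python equivalents of the AQL MATCHES patterns; re.search replaces the '.*' wrapping AQL needs.
COPY_CMD    = re.compile(r'(xcopy|robocopy|\bcopy\b|\bmove\b|cp\s|mv\s)')
STAGE_DIR   = re.compile(r'(\\temp\\|\\tmp\\|\\programdata\\|\\users\\public\\|\\appdata\\local\\temp\\|\\windows\\temp\\)')
STAGE_PATH  = re.compile(r'(\\temp\\|\\tmp\\|\\programdata\\|\\users\\public\\)')
ARCHIVE_EXT = re.compile(r'(\.zip|\.rar|\.7z|\.tar|\.gz|\.tmp|\.dat|\.db|\.bak)$')
REDIRECT    = re.compile(r'(>>|>\s+)')
STAGE_TOOL  = re.compile(r'(xcopy|robocopy|7z\.exe|winrar|compact\s|tar\s)')
BENIGN_PROC = re.compile(r'(msmpeng|svchost|tiworker|wuauclt|msiexec|onedrive|teams|slack)')

def score_event(event):
    """Four indicator scores for one event, or None if the process is on the exclusion list."""
    cmd = event.get("Command") or ""
    lcmd, lpath = cmd.lower(), (event.get("File Path") or "").lower()
    if BENIGN_PROC.search((event.get("Process Name") or "").lower()):
        return None
    hit = lambda rx, s: 1 if rx.search(s) else 0
    return {
        "bulk_copy_score": hit(COPY_CMD, lcmd) & hit(STAGE_DIR, lcmd),
        "archive_creation_score": hit(STAGE_PATH, lpath) & hit(ARCHIVE_EXT, lpath),
        "redirect_score": hit(REDIRECT, cmd) & hit(STAGE_PATH, lcmd),   # redirect test is case-sensitive in the query
        "staging_tool_score": hit(STAGE_TOOL, lcmd),
    }

def detect(events):
    """Mirror the HAVING clause: keep events whose summed score is greater than zero."""
    out = []
    for e in events:
        s = score_event(e)
        if s is not None and sum(s.values()) > 0:
            out.append((e["id"], s))
    return out

# Constructed Sysmon-style events (not real telemetry), keyed by the QRadar custom property names.
SAMPLE_EVENTS = [
    {"id": 1, "Process Name": "cmd.exe", "File Path": "",
     "Command": r"cmd.exe /c copy C:\Users\alice\Documents\*.docx C:\Users\Public\staging"},
    {"id": 2, "Process Name": "cmd.exe", "File Path": r"C:\Windows\Temp\collected_data.tmp",
     "Command": r"cmd.exe /c ipconfig /all >> C:\Windows\Temp\collected_data.tmp"},
    {"id": 3, "Process Name": "powershell.exe", "File Path": r"C:\ProgramData\out.zip",
     "Command": r"powershell.exe -c Compress-Archive -Path C:\Users\alice\Documents -DestinationPath C:\ProgramData\out.zip"},
    # Benign patch activity: dropped by the Process Name exclusion, not by scoring.
    {"id": 4, "Process Name": "msiexec.exe", "File Path": r"C:\Windows\Temp\pkg.tmp",
     "Command": r"msiexec.exe /i C:\Windows\Temp\pkg.msi /qn"},
    # An unexpanded %TEMP% never contains '\temp\', so the directory patterns do not fire on it.
    {"id": 5, "Process Name": "cmd.exe", "File Path": "",
     "Command": r"cmd.exe /c copy C:\Users\alice\Documents\*.docx %TEMP%\staging_test"},
]
```

Running detect(SAMPLE_EVENTS) flags events 1, 2 and 3 only; event 5 shows that a command line logged with the environment variable unexpanded needs a complementary FileCreate-based indicator to be caught.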
False Positives & Tuning
- Enterprise software deployment tools (SCCM, Intune, WSUS) copy MSI packages and cab files into ProgramData and Windows\Temp during patch cycles, generating high volumes of matching events during maintenance windows
- Log aggregation and SIEM forwarding agents commonly archive and stage collected log files in temp directories before shipping to centralized logging infrastructure
- Automated database backup routines write .bak and .db files to staging directories as part of scheduled backup jobs, especially during overnight backup windows
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Stage Files to Temp Directory Using CMD Copy
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'copy' and '%TEMP%\staging_test'. Sysmon Event ID 11: Multiple FileCreate events in the staging directory. Security Event ID 4688 (if command-line auditing enabled) showing the copy commands.
- Test 2: Stage Collected Output Using Append Redirect Operator
Expected signal: Sysmon Event ID 1: Multiple Process Create events for cmd.exe with CommandLine containing '>>' and the staging file path in %TEMP%. Sysmon Event ID 11: FileCreate/FileModify events for collected_data.tmp. The file grows with each command execution.
- Test 3: Stage Files with Hostname-Username Naming Convention
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing %COMPUTERNAME%_%USERNAME%.txt. Sysmon Event ID 11: FileCreate event in %TEMP% with filename matching Hostname_Username.txt pattern. PowerShell ScriptBlock Log Event ID 4104 with full script content.
- Test 4: Stage Data in Windows Registry (DarkWatchman Pattern)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe. Sysmon Event ID 13 (RegistryValueSet): Registry value CachedData set under HKCU\SOFTWARE\Microsoft\Notepad with large Base64-encoded data. DeviceRegistryEvents: RegistryValueSet event visible in MDE.
References (13)
- https://attack.mitre.org/techniques/T1074/001/
- https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/
- https://www.malwarebytes.com/blog/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure
- https://www.mandiant.com/resources/roadsweep-ransomware-zerocleare-wiper
- https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day
- https://securelist.com/my-name-is-dtrack/93338/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event
- https://www.secureworks.com/research/bronze-union
- https://attack.mitre.org/groups/G0027/
- https://attack.mitre.org/groups/G0053/
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon