Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-ArchiveStaging-ScheduledExfil.
Upgrade to ProScheduled Transfer — Scheduled Batch Exfiltration of Compressed Archive Staging
Double-extortion ransomware affiliates routinely stage stolen data into password-protected, multi-volume compressed archives before transferring it off-network, and increasingly schedule that transfer to run in a single batch during off-hours or maintenance windows to minimise the chance of SOC observation and to blend with legitimate scheduled backup jobs. LockBit and BlackCat/ALPHV affiliates have been documented staging data with commands such as `rar.exe a -v500m -hp<password>` (password-protected, 500MB split volumes) and then invoking a transfer tool (rclone, MEGAcmd, curl/SFTP) via a Scheduled Task created specifically for the operation, timed to run during low-traffic overnight hours. Cl0p's mass-exploitation campaigns (e.g., the 2023 MOVEit Transfer exploitation) similarly relied on automated, scripted batch retrieval of staged data at scale rather than interactive, ad hoc transfers, timing collection to minimise operational footprint. This detection targets the composite chain rather than any single step in isolation: (1) an archive utility creating multiple password-protected, size-limited volumes — the staging signature; (2) a Scheduled Task created around the same time, referencing either the archive path/extension or a known transfer tool — the scheduling signature; and (3) network egress from the same host at the scheduled time to a known exfiltration-capable destination. Correlating all three within a short window is a much higher-fidelity indicator of T1029 Scheduled Transfer than any one signal alone, since each individual step (archiving, task scheduling, network egress) has abundant legitimate uses on its own.
What is THREAT-ArchiveStaging-ScheduledExfil Scheduled Batch Exfiltration of Compressed Archive Staging?
Scheduled Batch Exfiltration of Compressed Archive Staging (THREAT-ArchiveStaging-ScheduledExfil) is a sub-technique of Scheduled Transfer (T1029) in the MITRE ATT&CK framework. It maps to the Exfiltration tactic — the adversary is trying to steal data.
This page provides production-ready detection logic for Scheduled Batch Exfiltration of Compressed Archive Staging, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceNetworkEvents), Sysmon Event ID 1, 3, Windows Security Event ID 4698 (Scheduled Task Created). The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Exfiltration
let LookbackWindow = 24h;
let ArchiveTools = dynamic(["rar.exe", "winrar.exe", "7z.exe", "7za.exe"]);
let TransferTools = dynamic(["rclone.exe", "megacmd.exe", "curl.exe", "winscp.exe", "filezilla.exe", "psftp.exe"]);
// Signal 1: password-protected, split-volume archive creation (staging)
let ArchiveStaging = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName has_any (ArchiveTools)
| where ProcessCommandLine has_any ("-v", "-hp") or ProcessCommandLine matches regex @"-p\S+"
| extend Signal = "ArchiveStaging"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, Signal;
// Signal 2: scheduled task creation referencing an archive path/extension or a transfer tool
let ScheduledTaskCreate = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| where ProcessCommandLine has_any (TransferTools) or ProcessCommandLine has_any (".rar", ".7z", ".zip")
| extend Signal = "ScheduledTaskCreate"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, Signal;
// Signal 3: subsequent network egress from a host that also has Signal 1 or 2, to a known exfil-capable destination
let StagingHosts = (ArchiveStaging | distinct DeviceName);
let TaskHosts = (ScheduledTaskCreate | distinct DeviceName);
let CandidateHosts = StagingHosts | union TaskHosts | distinct DeviceName;
let NetworkEgress = DeviceNetworkEvents
| where Timestamp > ago(LookbackWindow)
| where DeviceName in (CandidateHosts)
| where ActionType =~ "ConnectionSuccess"
| where RemoteUrl has_any ("mega.nz", "mega.io", "dropbox.com", "gofile.io", "transfer.sh", "sendspace.com")
or InitiatingProcessFileName has_any (TransferTools)
| extend Signal = "NetworkEgressPostStaging"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, FileName=InitiatingProcessFileName,
ProcessCommandLine=InitiatingProcessCommandLine, Signal;
union ArchiveStaging, ScheduledTaskCreate, NetworkEgress
| sort by DeviceName, Timestamp asc Correlates the full staged-and-scheduled exfiltration chain: (1) archive utilities (rar.exe, 7z.exe) invoked with split-volume (-v) and password-protection (-hp/-p) flags, the signature of ransomware-affiliate data staging; (2) schtasks.exe /create commands whose arguments reference a known transfer tool or an archive file extension, the signature of the scheduling step; and (3) network egress from any host already flagged by (1) or (2) toward known exfiltration-capable destinations or via known transfer tool processes. Reviewing all three signals together for the same DeviceName within the 24-hour window is the intended triage workflow — a single signal alone is common in legitimate IT operations.
Data Sources
Required Tables
False Positives
- IT operations creating password-protected split archives for legitimate large-file transfer to a vendor or partner (common for sending encrypted evidence bundles, log exports, or database dumps)
- Backup software that internally uses 7-Zip/WinRAR with split-volume options as part of its archival routine
- Scheduled Tasks created by legitimate automation (Ansible/SCCM/Intune-deployed scripts) that happen to reference file transfer tools for authorised data movement
- Scheduled off-hours batch jobs run by data engineering/analytics teams that both compress and transfer data as part of a documented ETL pipeline
Sigma rule & cross-platform mapping
The detection logic for Scheduled Batch Exfiltration of Compressed Archive Staging (THREAT-ArchiveStaging-ScheduledExfil) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windows Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for THREAT-ArchiveStaging-ScheduledExfil
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Archive Staging and Scheduled Off-Hours Exfiltration
Expected signal: Sysmon Event ID 1: rar.exe with -v and -hp flags; Sysmon Event ID 1 for schtasks.exe /create referencing curl.exe; Windows Security Event ID 4698 for the created task.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-ArchiveStaging-ScheduledExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (3)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.
- THREAT-CloudCLI-ScheduledExfilScheduled Transfer via Cloud Sync/Backup CLI ToolsUse for cloud CLI LOLBins — rclone, restic or azcopy launched by a scheduler rather than a human.
- THREAT-Exfil-ScheduledBulkTransferScheduled Off-Hours Bulk Data TransferUse for network-side detection — off-hours bulk-volume NetFlow, when you have no endpoint scheduler visibility.
- THREAT-Exfiltration-LinuxCronScheduledExfilScheduled Data Exfiltration via Linux Cron JobsUse for Linux hosts — cron/systemd-timer job creation correlated with auditd execution and outbound transfer.