Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-ArchiveStaging-ScheduledExfil.

Upgrade to Pro
THREAT-ArchiveStaging-ScheduledExfil Google Chronicle · YARA-L

Detect Scheduled Batch Exfiltration of Compressed Archive Staging in Google Chronicle

Double-extortion ransomware affiliates routinely stage stolen data into password-protected, multi-volume compressed archives before transferring it off-network, and increasingly schedule that transfer to run in a single batch during off-hours or maintenance windows to minimise the chance of SOC observation and to blend with legitimate scheduled backup jobs. LockBit and BlackCat/ALPHV affiliates have been documented staging data with commands such as `rar.exe a -v500m -hp<password>` (password-protected, 500MB split volumes) and then invoking a transfer tool (rclone, MEGAcmd, curl/SFTP) via a Scheduled Task created specifically for the operation, timed to run during low-traffic overnight hours. Cl0p's mass-exploitation campaigns (e.g., the 2023 MOVEit Transfer exploitation) similarly relied on automated, scripted batch retrieval of staged data at scale rather than interactive, ad hoc transfers, timing collection to minimise operational footprint. This detection targets the composite chain rather than any single step in isolation: (1) an archive utility creating multiple password-protected, size-limited volumes — the staging signature; (2) a Scheduled Task created around the same time, referencing either the archive path/extension or a known transfer tool — the scheduling signature; and (3) network egress from the same host at the scheduled time to a known exfiltration-capable destination. Correlating all three within a short window is a much higher-fidelity indicator of T1029 Scheduled Transfer than any one signal alone, since each individual step (archiving, task scheduling, network egress) has abundant legitimate uses on its own.

MITRE ATT&CK

Tactic
Exfiltration

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral
rule scheduled_archive_exfiltration {
  meta:
    author = "df00tech"
    description = "Detects archive staging paired with scheduled task creation referencing a transfer tool, indicating scheduled batch exfiltration"
    severity = "HIGH"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1029"
    threat_actors = "LockBit, BlackCat (ALPHV), Cl0p"
    reference = "https://attack.mitre.org/techniques/T1029/"

  events:
    $stage.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($stage.target.process.file.full_path, `(?i)(rar|7z)(\.exe)?$`)
    re.regex($stage.target.process.command_line, `(?i)(-v\d|-hp|-p\S)`)

    $task.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($task.target.process.file.full_path, `(?i)schtasks\.exe$`)
    re.regex($task.target.process.command_line, `(?i)/create`)
    re.regex($task.target.process.command_line, `(?i)(rclone|megacmd|\.rar|\.7z)`)

    $hostname = $stage.principal.hostname
    $hostname = $task.principal.hostname

  match:
    $hostname over 24h

  condition:
    $stage and $task
}
critical severity medium confidence

Chronicle YARA-L 2.0 rule correlating two PROCESS_LAUNCH events on the same hostname within a 24-hour window: a password-protected/split-volume archive utility invocation, and a subsequent schtasks.exe /create referencing a transfer tool or archive file. Requiring the join on $hostname is what gives this rule higher precision than either signal alone.

Data Sources

Google Chronicle SIEMChronicle UDM (Unified Data Model)Chronicle Forwarder (Windows Events)

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives & Tuning

  • Approved vendor data handoff via password-protected archives and a scheduled transfer task — maintain a Chronicle reference list of authorised service accounts and exclude via principal.user.userid
  • Backup software orchestrating archive-then-schedule jobs as routine operations

Other platforms for THREAT-ArchiveStaging-ScheduledExfil


Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Archive Staging and Scheduled Off-Hours Exfiltration

    Expected signal: Sysmon Event ID 1: rar.exe with -v and -hp flags; Sysmon Event ID 1 for schtasks.exe /create referencing curl.exe; Windows Security Event ID 4698 for the created task.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-ArchiveStaging-ScheduledExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections