Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-ArchiveStaging-ScheduledExfil.
Upgrade to ProDetect Scheduled Batch Exfiltration of Compressed Archive Staging in IBM QRadar
Double-extortion ransomware affiliates routinely stage stolen data into password-protected, multi-volume compressed archives before transferring it off-network, and increasingly schedule that transfer to run in a single batch during off-hours or maintenance windows to minimise the chance of SOC observation and to blend with legitimate scheduled backup jobs. LockBit and BlackCat/ALPHV affiliates have been documented staging data with commands such as `rar.exe a -v500m -hp<password>` (password-protected, 500MB split volumes) and then invoking a transfer tool (rclone, MEGAcmd, curl/SFTP) via a Scheduled Task created specifically for the operation, timed to run during low-traffic overnight hours. Cl0p's mass-exploitation campaigns (e.g., the 2023 MOVEit Transfer exploitation) similarly relied on automated, scripted batch retrieval of staged data at scale rather than interactive, ad hoc transfers, timing collection to minimise operational footprint. This detection targets the composite chain rather than any single step in isolation: (1) an archive utility creating multiple password-protected, size-limited volumes — the staging signature; (2) a Scheduled Task created around the same time, referencing either the archive path/extension or a known transfer tool — the scheduling signature; and (3) network egress from the same host at the scheduled time to a known exfiltration-capable destination. Correlating all three within a short window is a much higher-fidelity indicator of T1029 Scheduled Transfer than any one signal alone, since each individual step (archiving, task scheduling, network egress) has abundant legitimate uses on its own.
MITRE ATT&CK
- Tactic
- Exfiltration
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
hostname AS Hostname,
username AS User,
"Process Name" AS ProcessName,
"Command Line" AS CommandLine,
CASE
WHEN LOWER("Process Name") LIKE '%rar.exe%' OR LOWER("Process Name") LIKE '%7z.exe%' THEN 'ArchiveStaging'
WHEN LOWER("Process Name") LIKE '%schtasks.exe%' THEN 'ScheduledTaskCreate'
ELSE 'Other'
END AS Signal
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND (
(LOWER("Process Name") LIKE '%rar.exe%' AND (LOWER("Command Line") LIKE '%-v%' OR LOWER("Command Line") LIKE '%-hp%'))
OR (LOWER("Process Name") LIKE '%7z.exe%' AND (LOWER("Command Line") LIKE '%-v%' OR LOWER("Command Line") LIKE '%-p%'))
OR (LOWER("Process Name") LIKE '%schtasks.exe%' AND LOWER("Command Line") LIKE '%/create%'
AND (LOWER("Command Line") LIKE '%rclone%' OR LOWER("Command Line") LIKE '%.rar%' OR LOWER("Command Line") LIKE '%.7z%'))
)
AND starttime > NOW() - 86400000
ORDER BY hostname, starttime ASC
LIMIT 500 QRadar AQL query surfacing both the archive-staging and scheduled-task-creation signals from Windows Security Event Log and Sysmon sources, ordered by host and time so an analyst can visually confirm both signals occurring on the same host in sequence. Requires WinCollect or a Universal DSM exposing 'Process Name' and 'Command Line' custom event properties; pair with a QRadar building block/rule requiring both signals within a 24-hour window per hostname for automated correlation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate vendor data handoff via password-protected archives — whitelist known service accounts in a QRadar reference set
- Backup software scheduled tasks referencing archive utilities as part of routine jobs — exclude by known backup orchestrator process names
Other platforms for THREAT-ArchiveStaging-ScheduledExfil
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Archive Staging and Scheduled Off-Hours Exfiltration
Expected signal: Sysmon Event ID 1: rar.exe with -v and -hp flags; Sysmon Event ID 1 for schtasks.exe /create referencing curl.exe; Windows Security Event ID 4698 for the created task.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-ArchiveStaging-ScheduledExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (3)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.
- THREAT-CloudCLI-ScheduledExfilScheduled Transfer via Cloud Sync/Backup CLI ToolsUse for cloud CLI LOLBins — rclone, restic or azcopy launched by a scheduler rather than a human.
- THREAT-Exfil-ScheduledBulkTransferScheduled Off-Hours Bulk Data TransferUse for network-side detection — off-hours bulk-volume NetFlow, when you have no endpoint scheduler visibility.
- THREAT-Exfiltration-LinuxCronScheduledExfilScheduled Data Exfiltration via Linux Cron JobsUse for Linux hosts — cron/systemd-timer job creation correlated with auditd execution and outbound transfer.