Some installers, debugging or support tools may create archive files in the temp folder. Legitimate software may also use temporary folders for archiving purposes. Review and apply filters as needed.

Techniques

Sample rules

Windows Archived Collected Data In TEMP Folder

Description

The following analytic detects the creation of archived files in a temporary folder, which may contain collected data. This behavior is often associated with malicious activity, where attackers compress sensitive information before exfiltration. The detection focuses on monitoring specific directories, such as temp folders, for the presence of newly created archive files (e.g., .zip, .rar, .tar). By identifying this pattern, security teams can quickly respond to potential data collection and exfiltration attempts, minimizing the risk of data breaches and improving overall threat detection.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
  max(_time) as lastTime
FROM datamodel=Endpoint.Filesystem where
  Filesystem.file_name IN ("*.zip", "*.rar", "*.tar", "*.7z")
  Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*", "*\\Windows\\Temp\\*")
by Filesystem.action Filesystem.dest Filesystem.file_access_time
   Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
   Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size
   Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_archived_collected_data_in_temp_folder_filter`
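As an added illustration (not part of this LoFP page or of the Splunk Security Content project), the Python below mirrors the rule's where-clause and its count/firstTime/lastTime aggregation over a few constructed Endpoint.Filesystem-style events, then applies a hypothetical installer allowlist in place of the `windows_archived_collected_data_in_temp_folder_filter` macro, in the spirit of the false-positive note above. The `process_name` field and the `KNOWN_INSTALLERS` set are assumptions made for the example.

```python
import fnmatch
from collections import defaultdict

# Constructed sample events shaped like Endpoint.Filesystem rows (not real telemetry).
# process_name is assumed here so the tuning filter has something to key on.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "WS01", "user": "alice", "process_name": "powershell.exe",
     "file_name": "collect.zip", "file_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\collect.zip"},
    {"_time": 1700000060, "dest": "WS01", "user": "SYSTEM", "process_name": "setup.exe",
     "file_name": "payload.7z", "file_path": "C:\\Windows\\Temp\\setup\\payload.7z"},
    {"_time": 1700000120, "dest": "WS02", "user": "bob", "process_name": "explorer.exe",
     "file_name": "notes.txt", "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\notes.txt"},
    {"_time": 1700000180, "dest": "WS02", "user": "bob", "process_name": "7z.exe",
     "file_name": "backup.tar", "file_path": "C:\\Users\\bob\\Documents\\backup.tar"},
    {"_time": 1700000240, "dest": "WS01", "user": "alice", "process_name": "powershell.exe",
     "file_name": "collect.zip", "file_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\collect.zip"},
]

# Same wildcard lists as the rule's where-clause.
ARCHIVE_NAMES = ("*.zip", "*.rar", "*.tar", "*.7z")
TEMP_PATHS = ("*\\AppData\\Local\\Temp\\*", "*\\Windows\\Temp\\*")

# Hypothetical tuning allowlist standing in for the rule's `_filter` macro.
KNOWN_INSTALLERS = {"setup.exe", "msiexec.exe"}

def matches_rule(event):
    """Archive extension AND temp-folder path; Windows paths compare case-insensitively."""
    name, path = event["file_name"].lower(), event["file_path"].lower()
    return (any(fnmatch.fnmatchcase(name, p.lower()) for p in ARCHIVE_NAMES)
            and any(fnmatch.fnmatchcase(path, p.lower()) for p in TEMP_PATHS))

def apply_filter(rows):
    """Drop rows attributable to allowlisted installer processes (the LoFP tuning step)."""
    return [r for r in rows if r["process_name"] not in KNOWN_INSTALLERS]

def run_detection(events, use_filter=True):
    """Group matching events like the tstats `by` clause and compute count/firstTime/lastTime."""
    groups = defaultdict(list)
    for e in events:
        if matches_rule(e):
            key = (e["dest"], e["user"], e["process_name"], e["file_name"], e["file_path"])
            groups[key].append(e["_time"])
    rows = [{"dest": k[0], "user": k[1], "process_name": k[2], "file_name": k[3],
             "file_path": k[4], "count": len(t), "firstTime": min(t), "lastTime": max(t)}
            for k, t in groups.items()]
    return apply_filter(rows) if use_filter else rows

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running it unfiltered surfaces both the PowerShell-written archive and the installer's .7z; the allowlist removes only the latter, which is the trade-off the false-positive note asks you to review per environment.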