LoFP / Some installers, debugging or support tools may create archive files in the temp folder. Legitimate software may also use temporary folders for archiving purposes. Review and apply filters as needed.

Techniques

Sample rules

Windows Archived Collected Data In TEMP Folder

Description

The following analytic detects the creation of archived files in a temporary folder, which may contain collected data. This behavior is often associated with malicious activity, where attackers compress sensitive information before exfiltration. The detection focuses on monitoring specific directories, such as temp folders, for the presence of newly created archive files (e.g., .zip, .rar, .tar). By identifying this pattern, security teams can quickly respond to potential data collection and exfiltration attempts, minimizing the risk of data breaches and improving overall threat detection.

Detection logic

| tstats `security_content_summariesonly` 
  count min(_time) as firstTime 
  max(_time) as lastTime 
  FROM datamodel=Endpoint.Filesystem where 
  Filesystem.file_name IN ("*.zip", "*.rar", "*.tar", "*.7z") 
  Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*", "*\\Windows\\Temp\\*")
  by Filesystem.action Filesystem.dest Filesystem.file_access_time 
     Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time 
     Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size 
     Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_archived_collected_data_in_temp_folder_filter`
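As an added example (not part of the LoFP page or the Splunk rule), the following Python replays the rule's name/path matching and its firstTime/lastTime/count aggregation over constructed Endpoint.Filesystem-style events; FILTER_PROCESSES is a made-up stand-in for the rule's filter macro, covering the installer false positive described at the top of the page.

```python
# Added example: replays the rule's logic over constructed events and applies
# a simple allowlist standing in for `windows_archived_collected_data_in_temp_folder_filter`.
import fnmatch
from collections import defaultdict

ARCHIVE_NAMES = ("*.zip", "*.rar", "*.tar", "*.7z")
TEMP_PATHS = ("*\\AppData\\Local\\Temp\\*", "*\\Windows\\Temp\\*")

# Constructed stand-in for the rule's filter macro: processes known to
# archive into temp folders during normal operation (installers and the like).
FILTER_PROCESSES = {"msiexec.exe", "setup.exe"}

def _matches(value, patterns):
    # Windows names and paths are case-insensitive; SPL wildcards map to fnmatch globs.
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)

def detect(events):
    """Aggregate matching events by (dest, user, process_guid), like the rule's `by` clause."""
    hits = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "files": []})
    for e in events:
        if not (_matches(e["file_name"], ARCHIVE_NAMES) and _matches(e["file_path"], TEMP_PATHS)):
            continue
        if e.get("process_name", "").lower() in FILTER_PROCESSES:
            continue  # filter macro: suppress known legitimate archivers
        key = (e["dest"], e["user"], e["process_guid"])
        h = hits[key]
        h["count"] += 1
        h["firstTime"] = e["_time"] if h["firstTime"] is None else min(h["firstTime"], e["_time"])
        h["lastTime"] = e["_time"] if h["lastTime"] is None else max(h["lastTime"], e["_time"])
        h["files"].append(e["file_path"])
    return dict(hits)

# Constructed sample events (hosts, users, GUIDs and paths are all made up).
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "WS01", "user": "alice", "process_guid": "g1",
     "process_name": "powershell.exe", "file_name": "docs.zip",
     "file_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\docs.zip"},
    {"_time": 1700000060, "dest": "WS01", "user": "alice", "process_guid": "g1",
     "process_name": "powershell.exe", "file_name": "MAIL.7Z",
     "file_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\out\\MAIL.7Z"},
    {"_time": 1700000120, "dest": "WS02", "user": "SYSTEM", "process_guid": "g2",
     "process_name": "msiexec.exe", "file_name": "pkg.zip",
     "file_path": "C:\\Windows\\Temp\\pkg.zip"},             # suppressed by the filter
    {"_time": 1700000180, "dest": "WS03", "user": "bob", "process_guid": "g3",
     "process_name": "explorer.exe", "file_name": "report.zip",
     "file_path": "C:\\Users\\bob\\Documents\\report.zip"},  # not a temp folder
]
```

Running `detect(SAMPLE_EVENTS)` yields a single aggregated hit for WS01 with count 2, while the installer event and the non-temp archive are dropped.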