EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Windows Archived Collected Data In TEMP Folder

The following analytic detects the creation of archived files in a temporary folder, which may contain collected data. This behavior is often associated with malicious activity, where attackers compress sensitive information before exfiltration. The detection focuses on monitoring specific directories, such as temp folders, for the presence of newly created archive files (e.g., .zip, .rar, .tar). By identifying this pattern, security teams can quickly respond to potential data collection and exfiltration attempts, minimizing the risk of data breaches and improving overall threat detection.

MITRE ATT&CK

T1560
collection

Detection Query

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
  max(_time) as lastTime
FROM datamodel=Endpoint.Filesystem where
  Filesystem.file_name IN ("*.zip", "*.rar", "*.tar", "*.7z")
  Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*", "*\\Windows\\Temp\\*")
by Filesystem.action Filesystem.dest Filesystem.file_access_time
   Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
   Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size
   Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_archived_collected_data_in_temp_folder_filter`

Author

Teoderick Contreras, Splunk

Created

2026-03-10

Data Sources

Sysmon EventID 11

References

Tags

Braodo StealerAPT37 Rustonotto and FadeStealer
Raw Content
name: Windows Archived Collected Data In TEMP Folder
id: cb56a1ea-e0b1-46d5-913f-e024cba40cbe
version: 8
date: '2026-03-10'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
    - Sysmon EventID 11
description: The following analytic detects the creation of archived files in a temporary folder, which may contain collected data. This behavior is often associated with malicious activity, where attackers compress sensitive information before exfiltration. The detection focuses on monitoring specific directories, such as temp folders, for the presence of newly created archive files (e.g., .zip, .rar, .tar). By identifying this pattern, security teams can quickly respond to potential data collection and exfiltration attempts, minimizing the risk of data breaches and improving overall threat detection.
search: |
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
      max(_time) as lastTime
    FROM datamodel=Endpoint.Filesystem where
      Filesystem.file_name IN ("*.zip", "*.rar", "*.tar", "*.7z")
      Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*", "*\\Windows\\Temp\\*")
    by Filesystem.action Filesystem.dest Filesystem.file_access_time
       Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
       Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size
       Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
    | `drop_dm_object_name(Filesystem)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_archived_collected_data_in_temp_folder_filter`
how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
known_false_positives: |
    Some installers, debugging or support tools may create archive files in the temp folder.
    Legitimate software may also use temporary folders for archiving purposes.
    Review and apply filters as needed.
references:
    - https://x.com/suyog41/status/1825869470323056748
    - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d
drilldown_searches:
    - name: View the detection results for "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: An archive file [$file_name$] was created in a temporary folder on [$dest$].
    risk_objects:
        - field: dest
          type: system
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Braodo Stealer
        - APT37 Rustonotto and FadeStealer
    asset_type: Endpoint
    mitre_attack_id:
        - T1560
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560/archived_in_temp_dir/braodo_zip_temp.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog