Data Staging: FileZilla / psftp / WinSCP

Query

# Rule : Data Staging in `C:\ProgramData` followed by Outbound File Transfer Activity "filezilla,psftp,winscp"

## Description
This detection rule identifies potential **data staging followed by exfiltration** from compromised systems. It correlates file-write events under `C:\ProgramData\` (where adversaries often stage reconnaissance results or sensitive data) with **subsequent outbound network connections** to public IP addresses using FTP/SFTP clients such as **FileZilla**, **WinSCP**, or **psftp**.

Attackers commonly:
1. Run discovery commands (`net view`, `Get-SmbShare`, `Get-ADComputer`, etc.)  
2. Store results in `C:\ProgramData\shares.txt` or similar `.txt` files.  
3. Shortly afterward, use an SFTP/FTP client to transfer these staged files externally.  

This rule detects that pattern within a **5-hour correlation window** between the file staging and outbound data transfer.

## Detection Logic
- **Monitors:**  
  - File create/modify events for `.txt` files under `C:\ProgramData\` (for example `shares.txt`), excluding Defender's own download directory under that path.  
  - Outbound network events initiated by known SFTP/FTP clients (`filezilla.exe`, `psftp.exe`, `sftp.exe`, `winscp.exe`, `pscp.exe`, `lftp.exe`) to public IP addresses.  
- **Correlates:** file-write and outbound events occurring on the same device (`DeviceId`) within a **5-hour window**.  
- **Summarizes:**  
  - Earliest file write (`first_write`)  
  - Latest network event (`last_network_activity`)  
  - Count of total connections (`connections`)  
  - Distinct external destinations (`distinct_remote_ips`)  
- **Flags:** hosts where outbound connections to public IPs followed file staging activity.
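To show how the staging-then-transfer correlation above behaves on the edge cases a tuner cares about (connection before the write, connection exactly on or past the 5-hour boundary, the excluded Defender folder, a delete rather than a write, a private destination, and mixed-case process names), here is the same logic re-implemented in plain Python. This is an added example, not the rule author's code or a Microsoft API: the event rows are constructed for the example, the field names follow the Advanced Hunting schema, and `RemoteIPType` is carried in as a field exactly as the table provides it rather than derived from the address.

```python
# Added example, not the rule author's code: the query's staging-then-transfer
# correlation re-implemented in Python over constructed DeviceFileEvents and
# DeviceNetworkEvents rows, so the 5-hour window and the exclusions can be
# exercised offline. Field names follow the Advanced Hunting schema; every
# event below is made up for this example.
from collections import defaultdict
from datetime import datetime, timedelta

TRANSFER_CLIENTS = {"filezilla.exe", "psftp.exe", "sftp.exe",
                    "winscp.exe", "pscp.exe", "lftp.exe"}
# The rule's one exclusion: Defender's own download folder under ProgramData.
EXCLUDED_PREFIX = (r"C:\ProgramData\Microsoft\Windows Defender Advanced "
                   r"Threat Protection\Downloads" + "\\")
WRITE_ACTIONS = {"FileCreated", "FileModified"}   # writes only; deletes/renames are not staging
WINDOW = timedelta(hours=5)

def ts(hhmm):
    """Constructed timestamp: every event falls on one day, given as 'HH:MM'."""
    return datetime.strptime("2025-11-11 " + hhmm, "%Y-%m-%d %H:%M")

def is_staging_write(ev):
    """fileWrites filter: a .txt created/modified under ProgramData, outside the
    excluded Defender folder. Paths compare case-insensitively, like KQL !startswith."""
    path = ev["FolderPath"].lower()
    return (ev["ActionType"] in WRITE_ACTIONS
            and "\\programdata\\" in path
            and not path.startswith(EXCLUDED_PREFIX.lower())
            and ev["FileName"].lower().endswith(".txt"))

def is_outbound_transfer(ev):
    """outbounds filter: a known transfer client talking to a public IP. The process
    name is matched case-insensitively so 'WinSCP.exe' is not missed."""
    return (ev["RemoteIPType"] == "Public"
            and ev["InitiatingProcessFileName"].lower() in TRANSFER_CLIENTS)

def correlate(file_events, network_events, window=WINDOW):
    """Join each qualifying write to same-device transfer connections whose timestamp
    lies in [write, write + window] (inclusive, like KQL between), then summarise per
    (DeviceId, FileName, FolderPath). As with count() over the inner join, a file
    written twice inside the window counts each connection twice."""
    outbound_by_device = defaultdict(list)
    for n in network_events:
        if is_outbound_transfer(n):
            outbound_by_device[n["DeviceId"]].append(n)
    results = {}
    for f in file_events:
        if not is_staging_write(f):
            continue
        t0 = f["Timestamp"]
        hits = [n for n in outbound_by_device[f["DeviceId"]]
                if t0 <= n["Timestamp"] <= t0 + window]
        if not hits:
            continue
        r = results.setdefault((f["DeviceId"], f["FileName"], f["FolderPath"]), {
            "DeviceName": f["DeviceName"], "first_write": t0, "last_network_activity": t0,
            "connections": 0, "remote_ips": set(), "clients": set()})
        r["first_write"] = min(r["first_write"], t0)
        r["last_network_activity"] = max(r["last_network_activity"],
                                         *(n["Timestamp"] for n in hits))
        r["connections"] += len(hits)
        r["remote_ips"].update(n["RemoteIP"] for n in hits)
        r["clients"].update(n["InitiatingProcessFileName"].lower() for n in hits)
    return results

def fe(dev, action, path, hhmm):
    """Constructed DeviceFileEvents row."""
    return {"DeviceId": dev, "DeviceName": "WS-" + dev, "ActionType": action,
            "FolderPath": path, "FileName": path.rsplit("\\", 1)[-1], "Timestamp": ts(hhmm)}

def ne(dev, proc, ip, ip_type, hhmm):
    """Constructed DeviceNetworkEvents row."""
    return {"DeviceId": dev, "InitiatingProcessFileName": proc, "RemoteIP": ip,
            "RemoteIPType": ip_type, "Timestamp": ts(hhmm)}

FILE_EVENTS = [
    fe("A", "FileCreated", r"C:\ProgramData\shares.txt", "10:00"),    # staged, then sent
    fe("B", "FileCreated", r"C:\ProgramData\hosts.txt", "10:00"),     # transfer preceded the write
    fe("C", "FileModified", r"C:\ProgramData\shares.txt", "10:00"),   # one hit at 5h exactly, one past it
    fe("D", "FileCreated", EXCLUDED_PREFIX + "notes.txt", "10:00"),   # excluded Defender folder
    fe("E", "FileDeleted", r"C:\ProgramData\shares.txt", "10:00"),    # a delete is not a write
]
NETWORK_EVENTS = [   # 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    ne("A", "WinSCP.exe", "203.0.113.10", "Public", "11:30"),
    ne("A", "WinSCP.exe", "203.0.113.10", "Public", "12:05"),
    ne("A", "chrome.exe", "203.0.113.20", "Public", "11:40"),      # not a transfer client
    ne("A", "winscp.exe", "10.0.0.5", "Private", "11:45"),         # internal hop, ignored
    ne("B", "psftp.exe", "203.0.113.10", "Public", "09:30"),
    ne("C", "filezilla.exe", "198.51.100.7", "Public", "15:00"),
    ne("C", "filezilla.exe", "198.51.100.7", "Public", "16:00"),
    ne("D", "psftp.exe", "203.0.113.10", "Public", "10:30"),
    ne("E", "pscp.exe", "203.0.113.10", "Public", "10:30"),
]

def run_example():
    return correlate(FILE_EVENTS, NETWORK_EVENTS)

if __name__ == "__main__":
    for (dev, _, path), r in sorted(run_example().items()):
        print(f"{r['DeviceName']:5} {path:28} first_write={r['first_write']:%H:%M} "
              f"last_net={r['last_network_activity']:%H:%M} "
              f"connections={r['connections']} ips={sorted(r['remote_ips'])}")
```

Only devices A and C survive: B's transfer happened before the write, D's file sits in the excluded folder, and E's event is a delete. Two things worth carrying back to the rule itself: the process-name comparison must be case-insensitive (the on-disk name is usually `WinSCP.exe`), and `connections` counts joined rows, so a file rewritten several times inside the window inflates the figure; use the distinct-destination count, or dedupe on the network event, when triaging.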

## Tags
- Exfiltration  
- Collection  
- Data Staging  
- File Transfer  
- MITRE ATT&CK:  
  - **T1074.001** – Data Staged: Local Data Staging  
  - **T1005** – Data from Local System  
  - **T1048** – Exfiltration Over Alternative Protocol (a standalone FTP/SFTP client, not the C2 channel)  

## Search Query
```kql
// Correlate staging with outbound connections (SFTP/FTP/FileZilla) in next 5 hours
let window = 5h;
let fileWrites = DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified")   // writes only; deletes and renames are not staging
| where FolderPath has "\\ProgramData\\"
  and FolderPath !startswith @"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\"
| where FileName endswith ".txt"                        // covers shares.txt and any other .txt staging file
| project DeviceId, DeviceName, FileName, FilePath=FolderPath, FileWriteTime=Timestamp, ReportId;
let outbounds = DeviceNetworkEvents
| where RemoteIPType == "Public"
// in~ is case-insensitive: the on-disk name is usually "WinSCP.exe", which a plain `in` would miss
| where InitiatingProcessFileName in~ ("filezilla.exe","psftp.exe","sftp.exe","winscp.exe","pscp.exe","lftp.exe")
| project DeviceId, RemoteIP, RemoteUrl, RemotePort, NetTimestamp=Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine;
fileWrites
| join kind=inner (outbounds) on DeviceId
| where NetTimestamp between (FileWriteTime .. FileWriteTime + window)   // the transfer must follow the write
| summarize first_write=min(FileWriteTime), last_network_activity=max(NetTimestamp),
            connections=count(), distinct_remote_ips=dcount(RemoteIP),
            remote_ips=make_set(RemoteIP, 20), clients=make_set(InitiatingProcessFileName, 10)
    by DeviceId, DeviceName, FileName, FilePath
| project first_write, last_network_activity, DeviceId, DeviceName, FileName, FilePath,
          connections, distinct_remote_ips, remote_ips, clients
```

Explanation

This query is designed to detect suspicious activity on a Windows endpoint that may indicate data theft. A simplified breakdown of what it does:

1. Purpose: identify when data is being prepared (staged) on a device and then sent out (exfiltrated) using specific file transfer programs.

2. How it works:
   - It looks for files being written to a folder attackers often use to park data they intend to steal (`C:\ProgramData\`).
   - It specifically checks for text files such as `shares.txt`, which typically hold the output of discovery commands.
   - It then checks whether, within the next 5 hours, the same device makes outbound connections to public IP addresses using known file transfer programs (FileZilla, WinSCP, psftp, pscp, sftp, lftp).

3. Detection logic:
   - The query monitors file writes in the specified folder, excluding Defender's own download directory.
   - It also monitors outbound network connections made by the listed file transfer programs to public IP addresses.
   - It correlates the two (file write followed by network connection) when they occur on the same device within a 5-hour window.

4. Output:
   - For each device and staged file, the query reports the earliest file write time, the latest network activity time, the number of correlated connections, and the number of unique external destinations contacted.
   - Devices that appear in the output are candidates for investigation as potential data exfiltration.

5. Tags and techniques:
   - The query is tagged with terms related to data exfiltration and staging.
   - It references the MITRE ATT&CK techniques that describe how attackers collect, stage and transfer data.

Overall, this query helps security teams identify and investigate potential data breaches by correlating file staging and outbound data transfer activities.

Details

Ali Hussein

Released: November 11, 2025

Tables

DeviceFileEvents, DeviceNetworkEvents
