Data staging for exfiltration

Threat snapshot

Before data leaves an environment, it is almost always staged. Attackers who have collected files of interest from across a network do not typically transfer each file individually over a raw connection. They compress the data, often with a password, to reduce transfer size, evade content inspection, and protect the payload from interception during transit. The tool most commonly chosen for this step is 7-Zip, a widely deployed, freely available archive utility that supports strong encryption, command-line operation, and a broad range of archive formats.

Two observable behaviours in this staging process are particularly significant as detection signals. The first is 7-Zip being used to compress files with .dmp extensions, which are memory dump files. Compressing dump files is a near-exclusive indicator of credential material being prepared for exfiltration: attackers who have dumped LSASS or produced a process memory dump use 7-Zip to package that dump for transfer. The second is 7-Zip being used to extract a password-protected archive, which indicates that an attacker is unpacking a pre-staged toolset or payload that was delivered to the compromised host inside an encrypted container. Log360 covers both behaviours through dedicated rules, providing detection at two distinct points in the data staging lifecycle.

At a glance

Category: Application and Data Threat
SOC maturity level: L2 - Investigation
MITRE ATT&CK tactic: TA0010 - Exfiltration
MITRE ATT&CK technique: T1560.001 - Archive Collected Data: Archive via Utility
Severity: Critical
Affected platforms: Windows
Detection rules: 7Zip Compressing Dump Files; Password Protected Compressed File Extraction Via 7Zip
Compliance mapping: NIST SP 800-53 SI-4, PCI DSS 10.6, ISO 27001 A.12.4, SOC 2 CC7.2, HIPAA 164.312(b)

How this attack works

Data staging via 7-Zip occurs at two points in the attack lifecycle, each associated with a distinct detection rule.

7-Zip compressing dump files

After an attacker has dumped LSASS memory, a process memory image, or a database credential file, the resulting dump file is typically large and in a format that cannot be exfiltrated discreetly without packaging. The attacker uses 7-Zip to compress and optionally encrypt these dump files before transfer. A representative command looks like:

7z.exe a -p<password> archive.7z C:\Windows\Temp\lsass.dmp

7z.exe a -p<password> -mhe=on dump.7z *.dmp

The -p flag sets an archive password, encrypting the contents so that network inspection tools cannot scan the archive for known credential patterns. The -mhe flag encrypts the file headers as well, hiding even the file names within the archive. The resulting encrypted archive can then be transferred via HTTPS, SMB, or any other channel without its contents being inspectable by a DLP or network monitoring tool.

The .dmp file extension is the detection anchor. Memory dump files have narrow legitimate uses outside of software debugging and diagnostics. An archive operation targeting .dmp files from a non-developer endpoint, particularly from paths such as Windows Temp, AppData, or the current user's home directory, is a high-confidence indicator of credential staging.

Password-protected compressed file extraction via 7-Zip

The second behaviour is the reverse operation: extracting a password-protected archive that was delivered to the compromised host. This pattern is associated with two distinct scenarios. In the first, the attacker delivered their toolset inside an encrypted archive to bypass email filtering, DLP inspection, and antivirus scanning of the delivered file. Extracting the archive on the target host is the final delivery step before the tools are used. In the second scenario, the attacker is unpacking a pre-staged data collection package that was transferred from another compromised host, consolidating data from multiple sources before a single exfiltration event. The command pattern is:

7z.exe e archive.7z -p<password> -o<output_path>

7z.exe x -p<password> payload.zip -oC:\Users\Public\

The -p flag combined with the extraction command (e or x) identifies a password-protected extraction. Unencrypted archive extraction is common and unremarkable. Password-protected extraction is far less common in routine business operations and significantly narrows the set of legitimate explanations.

Attack chain

The table below maps each stage of a data staging and exfiltration attack to the corresponding MITRE ATT&CK technique.

Stage | What happens | MITRE ID
Initial access and persistence | Attacker establishes a foothold on one or more endpoints and maintains access long enough to complete collection and staging. | T1078 / T1547
Credential access | Attacker dumps LSASS process memory, produces a MiniDump of a credentialed process, or exports database credential files. Dump files are written to a local path. | T1003.001
Collection | Attacker collects documents, database files, configuration files, and other data of interest from the local host and from accessible network shares. | T1005 / T1039
Staging: dump file compression | 7-Zip used to compress dump files, often with a password and header encryption, packaging credential material for exfiltration while protecting it from content inspection. | T1560.001
Staging: tool delivery extraction | Password-protected archive containing attack tools or consolidated data packages is extracted on the target host using 7-Zip with the -p flag. | T1027
Exfiltration | Staged archives are transferred to attacker-controlled infrastructure via HTTPS, SMB, cloud storage upload, or a C2 channel. The encrypted archive bypasses content inspection on the egress path. | T1048 / T1041

Real-world scenario

A pharmaceutical company runs a research network hosting clinical trial data, compound libraries, and regulatory submission documents. A threat actor who has been operating inside the network for 11 days using a compromised research scientist's account has identified the file shares containing the most valuable data and has already collected approximately 40 GB of documents to a staging directory on the compromised workstation.

The attacker also ran a PowerShell MiniDump script against LSASS earlier in the session, producing a file named svchost_dump.dmp in the Windows Temp directory. They now invoke 7z.exe from the command line with the a (add) command, the -p flag with a long random password, and the -mhe=on flag to encrypt file headers, specifying svchost_dump.dmp as the input file and exfil01.7z as the output archive. They then run a second 7-Zip command archiving the staged document collection into exfil02.7z with the same password.

Log360 fires the 7Zip Compressing Dump Files alert within 60 seconds of the first archive command. The SOC analyst reviewing the alert notes the .dmp source file, the password flag, and the output path in the Windows Temp directory. Simultaneously, a second alert fires for the document collection archiving. The host is isolated within four minutes. The two staged archives are found in the Temp directory, confirming the credential dump and document collection have been packaged but not yet transferred. Forensic analysis of the LSASS dump confirms that credentials for the research database, the regulatory submissions portal, and the VPN were present in memory at the time of the dump.

Why this happens

7-Zip is one of the most widely deployed archive utilities in enterprise environments. Its presence on endpoints is unremarkable, and its use for routine file compression is a daily occurrence. Attackers specifically choose 7-Zip for staging because its encryption is strong, its command-line interface is consistent and well-documented, its password protection defeats most network DLP inspections, and the resulting archives are compatible with extraction on any platform. Without rules specifically targeting the combination of 7-Zip with dump file inputs or password-protected extraction operations, the staging activity blends into normal archive tool usage.

Business impact: What can go wrong

Detection of data staging via 7-Zip indicates that collection has already occurred. If the staging is not interrupted before exfiltration, the consequences depend on what was staged:

  • Credential exfiltration via dump files: an encrypted archive containing an LSASS dump gives the attacker offline access to every credential hash and plaintext password present in the memory of the dumped process at capture time. These credentials are usable for re-entry, lateral movement, and access to cloud and VPN services indefinitely.
  • Data theft at scale: archiving collected documents and database exports before exfiltration is the standard final step before large-scale data theft. The size of the archive and the source file paths reveal the scope of what has been collected and which data categories are at risk.
  • Ransomware double extortion: many ransomware operators use 7-Zip to stage and exfiltrate data before deploying the encryptor, creating double extortion leverage. Detection of the staging step provides the last opportunity to interrupt the campaign before both the data theft and the encryption are complete.
  • Regulatory breach notification: data staged for exfiltration from systems hosting personal data, payment records, health information, or intellectual property may trigger breach notification obligations under GDPR, HIPAA, or PCI DSS as soon as the data is confirmed as having been accessed and collected, regardless of whether exfiltration has been confirmed.
  • Competitive and reputational damage: in sectors such as pharmaceuticals, legal services, and financial services, staged data frequently includes proprietary research, client documents, or trading information. Exfiltration of this material causes competitive damage that extends well beyond the immediate incident cost.
  • Delayed discovery: password-protected archives transferred over HTTPS cannot be inspected by network DLP tools. If the staging is not detected before transfer, the exfiltration event may only be discovered retroactively through network flow volume anomalies rather than content inspection, significantly limiting the ability to scope the breach.

Indicators of compromise and detection signals

Signal type | What to look for
Process: dump file compression | 7z.exe or 7za.exe executed with the a (add to archive) command and arguments referencing files with .dmp extensions, or with wildcard patterns such as *.dmp. The presence of -p (password) or -mhe (encrypt headers) flags alongside dump file inputs is the highest-confidence combination.
Process: password-protected extraction | 7z.exe or 7za.exe executed with the e (extract) or x (extract with full paths) command and the -p flag specifying a password. Extraction of password-protected archives is the primary indicator for the second rule.
Output file location | Archive output paths in Temp, AppData, user profile directories, Public folders, or any user-writable path that is not a documented file archive location. Legitimate archive operations typically target documented storage paths, not temporary directories.
Input file characteristics | Source files for the archive operation: .dmp files (memory dumps), .dit files (Active Directory database copies), .ntds files, database export files (.sql, .bak, .mdf), or large collections of documents from sensitive network share paths.
Event IDs | 4688 (Process Create): 7z.exe or 7za.exe with archive or extraction arguments including file extension patterns and password flags. Sysmon Event ID 1 for enriched process creation context including parent process chain and full command line.
File creation | Sysmon Event ID 11 (File Create): .7z, .zip, or other archive files created in Temp, AppData, or user-writable paths following 7-Zip execution. Large archive files created in short succession from a single host are a supporting indicator.
Subsequent network activity | Outbound large file transfers or HTTPS uploads from the affected host in the period following 7-Zip archive creation. Volume anomalies in egress traffic are a supporting indicator of exfiltration following successful staging.
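The two command patterns in "How this attack works" and the process-level signals in the table above are what a detection has to recognise in a 4688 or Sysmon Event ID 1 command line. The Python below is an added illustration, not Log360's rule logic and not code from the page: it tokenises a 7-Zip command line, applies both rules (dump inputs with the a command; -p with e or x), raises confidence when -p or -mhe accompanies a dump input or the output lands in a user-writable path, and lowers it when every dump sits under the Windows Error Reporting queue, as the note in the prerequisites section describes. The sample command lines, the password value, the user names and the WER path are constructed assumptions.

```python
"""Match ProcessCommandLine values (Event ID 4688 / Sysmon Event ID 1) against
the two 7-Zip staging behaviours. Constructed example, not Log360 rule logic."""
import re
from dataclasses import dataclass, field

ARCHIVER_NAMES = {"7z.exe", "7za.exe", "7z", "7za"}
RULE_DUMP = "7Zip Compressing Dump Files"
RULE_EXTRACT = "Password Protected Compressed File Extraction Via 7Zip"
STAGING_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\")   # paths named in the text
# Assumed default WER queue; a dump found only here is the benign case noted above.
WER_DIRS = ("\\programdata\\microsoft\\windows\\wer\\",)

@dataclass
class Finding:
    rule: str
    confidence: str                      # "high", "medium" or "low"
    reasons: list = field(default_factory=list)

def tokenize(cmd: str) -> list:
    """Split a Windows command line; quoted spans (also inside -o"...") stay whole."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmd)]

def parse_7z(cmd: str) -> "dict | None":
    """Return command, switches, archive and inputs, or None if not 7z/7za."""
    toks = tokenize(cmd)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ARCHIVER_NAMES:
        return None
    switches, operands = [], []
    for t in toks[1:]:                   # 7-Zip accepts switches in any position
        (switches if t.startswith("-") else operands).append(t)
    return {"command": operands[0].lower() if operands else "", "switches": switches,
            "archive": operands[1] if len(operands) > 1 else "", "inputs": operands[2:]}

def _under(path: str, dirs) -> bool:
    """True when the file or directory path lies below any listed fragment."""
    p = path.lower().rstrip("\\") + "\\"
    return any(d in p for d in dirs)

def classify(cmd: str) -> "Finding | None":
    """Apply both rules to one command line; None means nothing to alert on."""
    p = parse_7z(cmd)
    if p is None:
        return None
    sw = [s.lower() for s in p["switches"]]
    password = any(s.startswith("-p") for s in sw)   # bare -p prompts, still encrypts
    header_enc = any(s in ("-mhe", "-mhe=on") for s in sw)
    if p["command"] == "a" and (dumps := [f for f in p["inputs"] if f.lower().endswith(".dmp")]):
        f = Finding(RULE_DUMP, "medium", [f"dump inputs: {dumps}"])
        if password or header_enc:
            f.confidence = "high"
            f.reasons.append("encryption flag combined with dump input")
        elif all(_under(d, WER_DIRS) for d in dumps):
            f.confidence = "low"
            f.reasons.append("dumps only under the WER crash dump path")
        if _under(p["archive"], STAGING_DIRS):
            f.reasons.append(f"archive written to staging path {p['archive']}")
        return f
    if p["command"] in ("e", "x") and password:
        out = next((s[2:] for s in p["switches"] if s.lower().startswith("-o")), "")
        f = Finding(RULE_EXTRACT, "medium", [f"password-protected extraction of {p['archive']}"])
        if _under(out, STAGING_DIRS):
            f.confidence = "high"
            f.reasons.append(f"extracts into user-writable path {out}")
        return f
    return None

def scan(lines) -> list:
    """(index, Finding) pairs for every command line that matches a rule."""
    return [(i, f) for i, f in ((i, classify(l)) for i, l in enumerate(lines)) if f]

# Constructed sample ProcessCommandLine values mirroring the patterns in the text.
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\7-Zip\7z.exe" a -pS3cret! -mhe=on C:\Windows\Temp\exfil01.7z C:\Windows\Temp\svchost_dump.dmp',
    r'7z.exe x -pS3cret! payload.zip -oC:\Users\Public',
    r'7z.exe x C:\Users\jdoe\Downloads\report.zip -oC:\Users\jdoe\Documents',
    r'7za.exe a \\fileserver\support\case1234.7z C:\ProgramData\Microsoft\Windows\WER\ReportQueue\app.dmp',
]
```

Running scan(SAMPLE_COMMAND_LINES) flags the first, second and fourth lines only; the unencrypted extraction on the third line produces no finding, matching the page's point that plain extraction is unremarkable.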

Prerequisites for detection using Log360

Before the 7-Zip data staging rules can fire reliably, ensure the following are in place:

  • Windows Process Creation auditing with command-line logging is enabled on all monitored endpoints, generating Event ID 4688 with the full ProcessCommandLine field populated. Both rules depend on the 7-Zip command-line arguments being visible in the process creation event. Without command-line logging, 7z.exe execution will appear in the log but the archive target, output path, and password flags that constitute the detection anchor will not be present.
  • Sysmon is deployed on all monitored endpoints with a configuration capturing Event ID 1 (Process Create) and Event ID 11 (File Create). Sysmon provides enriched process context including the parent process chain, which identifies whether 7-Zip was invoked interactively, from a script, or from a process associated with a malware payload. Event ID 11 captures archive file creation events that confirm the staging operation completed.
  • Endpoint agents or Windows Event Forwarding are configured to forward Security and Sysmon logs from all monitored endpoints to Log360. Data staging occurs on individual endpoints before exfiltration. Coverage must include all workstations and servers where sensitive data is accessible.
  • The location and version of 7-Zip in your environment are known. 7-Zip may be installed to different paths depending on the installation method: Program Files, Program Files (x86), user AppData directories for per-user installs, or portable versions dropped directly to Temp or user-writable paths by an attacker. Verify that the rule covers both 7z.exe and 7za.exe (the standalone console version) and that it is not inadvertently scoped to a single installation path.

Note: The 7Zip Compressing Dump Files rule is specifically sensitive to the combination of 7-Zip and .dmp file inputs. Memory dump files have very narrow legitimate uses on production endpoints: crash dump collection by the Windows Error Reporting service and authorised diagnostic memory acquisition. If your endpoints have Windows Error Reporting enabled and generate crash dumps in the default path, verify that the WER dump path is not being mistakenly included in archive operations that fire the rule. Most attacker-staged dump files will be in Temp or user-writable paths rather than the system crash dump location.

Detecting data staging for exfiltration using Log360

Once log collection is configured, follow these steps to enable and tune detection in Log360:

Step 1: Enable the detection rules

Navigate to Security > Manage Rules > Rule Library in the Log360 console. Install and enable both rules: 7Zip Compressing Dump Files and Password Protected Compressed File Extraction Via 7Zip. Configure an alert profile for both rules.

Step 2: Read the alert

The alert will display the hostname, the account that ran 7-Zip, the full command line including input file paths, output paths, and the presence of password and header encryption flags, the parent process that invoked 7-Zip, and the timestamp. For the dump file compression rule, review the input file path: a .dmp file in Temp, AppData, or a user profile path alongside a password flag is confirmed high-severity. For the password-protected extraction rule, review the parent process and output path: an extraction from a suspicious parent process to a user-writable path is high-confidence, while extraction from a signed software installer to a documented application directory is likely legitimate.

Investigating an alert

When either 7-Zip data staging rule fires, an L2 analyst should work through the following steps:

  • Identify the specific rule that fired and its implication. The 7Zip Compressing Dump Files rule indicates that credential material or process memory has already been captured and is being packaged. The Password Protected Compressed File Extraction rule may indicate tool delivery or data consolidation. Each warrants a slightly different initial investigation focus: dump compression leads immediately to a credential scope assessment, while password-protected extraction leads to identification of what was extracted and from where.
  • Review the full command line from the alert. For the dump compression rule, identify the specific .dmp files being archived, their paths, and the output archive path. For the extraction rule, identify the source archive, its path, the output directory, and whether the source archive arrived recently on the host. Query Log360 for the file creation event of the source archive to determine when it arrived and from where.
  • Check the parent process chain. Open the Incident Workbench and trace the process tree back from 7z.exe to identify what invoked it. An interactive shell (cmd.exe or PowerShell) invoked from a standard user's session during business hours is lower risk than 7-Zip being invoked from a script, a scheduled task, or a process in AppData or Temp. A malware process in the parent chain is a confirmed incident.
  • Assess what the dump files contain. If the 7Zip Compressing Dump Files rule fired, determine the origin of the .dmp files being archived. Query Log360 for Sysmon Event ID 11 (File Create) records for .dmp files on the same host in the period before the 7-Zip operation. Identify the process that created each dump file. An LSASS dump, a process MiniDump, or an Active Directory database file indicates credential material. A Windows Error Reporting crash dump in the WER default path is likely benign.
  • Check whether exfiltration has already occurred. Query Log360 for network connections from the affected host in the period following the 7-Zip operation. Look for large outbound transfers via HTTPS or SMB to external or unrecognised destinations. If the archive files are no longer present in the output path after the 7-Zip operation, they may have already been transferred. Check network flow data for a transfer volume consistent with the archive size.
  • Verify with the account owner. For named user accounts, contact the account owner to confirm whether they intentionally ran 7-Zip with these arguments. Developers, security researchers, and power users sometimes compress diagnostic files. If the account owner cannot confirm the activity, treat the event as confirmed malicious.

Escalation trigger

Escalate immediately to L3 if the dump compression rule fired with LSASS dump, MiniDump, or Active Directory database files as the input; if the parent process of 7-Zip is unrecognised, in a user-writable path, or associated with a known malware family; if archive output files are no longer present on the host following the operation, suggesting transfer has already occurred; or if the password-protected extraction rule fired and the extracted content includes executable files, scripts, or tools in a user-writable directory.

Responding and remediating

Immediate containment

  • Isolate the affected host from the network immediately if either rule is confirmed as attacker-initiated. Network isolation prevents exfiltration of any staged archives that have not yet been transferred and terminates any active C2 channel that may be directing the staging activity.
  • Do not delete the staged archive files before forensic preservation. The archive contents, even if password-protected, are forensic evidence that establishes what data was collected and what credentials were compromised. Preserve the files before any remediation.
  • If LSASS dump files were archived, initiate mandatory credential rotation immediately for all accounts whose credentials may have been present in LSASS memory on the affected host at the time of the dump. This includes all accounts that had active sessions on the host during the infection window, not only the compromised user's account.

Forensic preservation

  • Export the Windows Security event log and Sysmon operational log from the affected host covering the full period from the first unusual event. These logs contain the process creation events for both the credential dumping step and the 7-Zip staging step, establishing the complete collection and staging sequence.
  • Preserve copies of the staged archive files before removing them. If the archives are password-protected, document the password from the command-line arguments visible in the process creation log. With the password, the archives can be decrypted for forensic analysis to confirm what data was staged.
  • If exfiltration is suspected, query network flow logs for outbound transfer volumes from the affected host on the day of the incident. Document the volume, destination, and timing of any large outbound transfers. This information is required for the breach notification assessment.

Eradication and recovery

  • Remove the staged archives and any dump files from the affected host. Remove the 7-Zip binary if it was dropped by an attacker rather than installed through a documented process. Remove any malware identified in the parent process chain.
  • Rotate credentials for all accounts exposed during the collection and staging window. For LSASS-derived credentials, this includes all accounts with active sessions on the affected host, service accounts that ran processes on the host, and any cached credentials present in Windows Credential Manager.
  • Scan all other endpoints for the same IOCs: the archive file names and hashes, the source dump file paths, and the 7-Zip command-line patterns. Data staging campaigns frequently affect multiple hosts, with collection and staging occurring on several endpoints before a consolidated exfiltration from a single staging host.

False positive guidance

7-Zip is a widely deployed tool and its usage is common in enterprise environments. The following scenarios may produce false positive alerts:

  • Developer or diagnostic use of dump files: software developers and systems engineers may generate and compress dump files as part of debugging or diagnostic workflows. A developer who has captured a process dump for debugging and then archives it for transmission to a vendor will trigger the dump compression rule. Verify that the user is in a developer or engineering role, the dump file was created by a diagnostic tool rather than a memory acquisition tool, and the output archive destination is a documented file share or ticketing system attachment path.
  • Security testing and red team operations: authorised penetration testers and internal red teams use 7-Zip to stage and compress credential dump outputs as part of their testing methodology. Cross-reference with the penetration test schedule and scope documentation before treating the alert as malicious. Document the test activity in the incident record.
  • Software deployment via encrypted archives: some software vendors deliver updates or installers as password-protected archives that are extracted by a deployment agent on the endpoint. These will trigger the password-protected extraction rule. Verify that the source archive matches a known software delivery mechanism, the parent process is a documented deployment tool, and the extraction destination is a documented software installation path.
  • Backup and archiving scripts: IT teams that use 7-Zip as part of backup or file archiving workflows may include password protection in their scripts for security purposes. These will generate regular alerts from the same host at consistent times. Identify the backup script, verify the source files are documented backup targets, and create a scoped exclusion for the specific script invocation pattern.

Key differentiator

Legitimate 7-Zip operations involving dump files come from developers or diagnostic tools, target process dump files created by recognised diagnostic utilities, and transfer the output to documented destinations such as ticketing systems, vendor support portals, or documented archive shares. Attacker-initiated dump compression targets memory dump files in Temp, AppData, or the Windows crash dump path that were created by memory acquisition tools such as procdump.exe, comsvcs.dll, or PowerShell MiniDump scripts. For password-protected extraction, legitimate operations originate from documented software installers or deployment agents and extract to documented application directories. Attacker operations originate from unrecognised processes and extract to user-writable paths outside documented application directories.

Hardening and prevention

The following controls reduce the risk of successful data staging and exfiltration via 7-Zip in your environment:

  • Enable Windows Defender Credential Guard on all endpoints to prevent LSASS credential material from being accessible to user-mode processes. If credentials cannot be extracted from LSASS memory, the dump files created in the first stage of credential staging contain no extractable credential material, reducing the value of the staging operation.
  • Block execution of procdump.exe, comsvcs.dll MiniDump, and other LSASS access tools via AppLocker or WDAC policies on endpoints where they are not required for documented operational purposes. Preventing the creation of LSASS dump files eliminates the source material that the dump compression rule targets.
  • Deploy network DLP controls that alert on large outbound transfers over HTTPS to destinations not in your known egress allow list. While encrypted archives cannot be content-inspected, volume anomalies in outbound HTTPS traffic from endpoints that do not normally generate large uploads are a reliable exfiltration indicator.
  • Restrict execution of 7-Zip and other archive utilities to documented use contexts via application control policies. If 7-Zip is not required on servers or certain workstation types, block its execution entirely on those hosts. On hosts where it is required, consider alerting on any 7-Zip invocation that includes password flags as an additional detection layer independent of the Log360 rules.
  • Implement egress filtering that restricts which processes are permitted to make large outbound network connections. Allowing only documented business applications and browser processes to make outbound HTTPS connections limits the channels available for archive exfiltration.
  • Enable PowerShell Script Block Logging and transcription logging on all endpoints. Attackers who use PowerShell to invoke 7-Zip or to perform the preceding dump steps will generate Script Block Log entries that provide the full command content even when the process creation command-line arguments are partially obfuscated.