Rule : Data Staging in C:\ProgramData followed by Outbound File Transfer Activity "filezilla,psftp,winscp"
Data Staging File Zilla Ps FTP Winscp
Query
// Correlate staging with outbound connections (SFTP/FTP/FileZilla) in next 5 hours
let fileWrites = DeviceFileEvents
| where FolderPath has_cs "\\ProgramData\\"
and FolderPath !startswith @"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\"
| where FileName == "shares.txt" or FileName endswith ".txt"
| project DeviceId, DeviceName, FileName, FilePath=FolderPath, FileWriteTime=Timestamp, ReportId;
let outbounds = DeviceNetworkEvents
| where RemoteIPType == "Public"
| where InitiatingProcessFileName in ("filezilla.exe","psftp.exe","sftp.exe","winscp.exe","pscp.exe","lftp.exe")
| project DeviceId, RemoteIP, RemoteUrl, RemotePort, NetTimestamp=Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine;
fileWrites
| join kind=inner (outbounds) on DeviceId
| where NetTimestamp between (FileWriteTime .. FileWriteTime + 5h)
| summarize first_write=min(FileWriteTime), last_network_activity=max(NetTimestamp), connections=count(), distinct_remote_ips=dcount(RemoteIP)
by DeviceId, DeviceName, FileName, FilePath
| where connections > 0
| project first_write, last_network_activity, DeviceName, FileName, connections, distinct_remote_ipsAbout this query
Explanation
This query is designed to detect suspicious activity on a computer system that may indicate data theft. Here's a simplified breakdown of what it does:
-
Purpose: The query aims to identify when data is being prepared (staged) on a computer and then sent out (exfiltrated) using specific file transfer programs.
-
How it Works:
- It looks for files being written to a specific folder on the computer (
C:\ProgramData\), which attackers often use to store data they want to steal. - It specifically checks for text files like
shares.txt, which might contain sensitive information. - It then checks if, within the next 5 hours, the computer makes outbound connections to the internet using known file transfer programs (like FileZilla, WinSCP, etc.).
- It looks for files being written to a specific folder on the computer (
-
Detection Logic:
- The query monitors for file writes in the specified folder, excluding certain legitimate directories.
- It also monitors outbound network connections made by specific file transfer programs to public IP addresses.
- It correlates these two activities (file writing and network connections) if they occur on the same device within a 5-hour window.
-
Output:
- The query summarizes the earliest file write time, the latest network activity time, the number of connections made, and the number of unique external destinations contacted.
- It flags devices where these activities are detected, indicating potential data exfiltration.
-
Tags and Techniques:
- The query is tagged with terms related to data exfiltration and staging.
- It references specific MITRE ATT&CK techniques that describe how attackers might collect and transfer data.
Overall, this query helps security teams identify and investigate potential data breaches by correlating file staging and outbound data transfer activities.
Details

Ali Hussein
Released: November 11, 2025
Tables
DeviceFileEventsDeviceNetworkEvents
Keywords
DeviceFileEventsNetworkFolderPathNameIdTimestampReportRemoteIPTypeInitiatingProcessUrlPortNetCommandLine
Operators
lethas_cs!startswith==endswithprojectinjoin kind=innerbetweensummarizeminmaxcountdcountbywhere>