MITRE ATT&CK® Analytic

AN0040: Analytic 0040

Detects staging of sensitive files into temporary or public directories, compression with 7zip/WinRAR, or batch copy prior to exfiltration.

Domain: Enterprise | ID: AN0040 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN0040 is a Windows detection analytic focused on a common pre-exfiltration pattern: sensitive files being collected into temporary or public locations, compressed with tools such as 7zip or WinRAR, or copied in batches before removal from the environment. For leaders, the value is not just detecting compression; it is validating whether the organization can see the staging activity that often happens before data loss becomes visible through network or cloud egress controls.

Executive priority

Prioritize this analytic as part of data-loss, incident response, and SOC readiness validation for Windows environments. It helps answer whether defenders can identify suspicious file aggregation before exfiltration is completed. This matters for business continuity, breach response timelines, audit evidence around monitoring, and control investment decisions for endpoint logging, data protection, and alert triage. Because no tactic mapping or relationships are supplied, treat it as a detection-readiness item rather than proof of specific adversary behavior or campaign exposure.

Technical view

SOC and detection engineering teams should validate visibility into Windows file staging behaviors: creation or movement of sensitive files into temporary or public directories, bulk copy patterns, and archive creation using compression utilities such as 7zip or WinRAR. Since the official detection logic is not provided, teams should build or review local analytics around endpoint file events, process execution, command-line context where available, archive file creation, parent-child process relationships, and unusual destination paths. Incident responders should use this signal as context for possible collection prior to exfiltration, then correlate with user identity, host role, recent access to sensitive repositories, and any outbound transfer evidence.

Likely telemetry

  • Windows endpoint file creation, modification, copy, and move events
  • Process execution telemetry for compression and copy utilities
  • Command-line arguments where collected
  • Archive file creation events, especially in temporary or public directories
  • User, host, and process context for file staging activity

Detection direction

  • Validate that Windows endpoints collect enough file and process telemetry to observe staging into temporary or public directories.
  • Tune for combinations of behaviors rather than compression alone: sensitive source files, unusual staging paths, batch copy activity, and archive creation in close time proximity.
  • Account for legitimate administrative, backup, software packaging, and user archiving workflows to reduce false positives.
  • Correlate alerts with user role, host criticality, file sensitivity, and subsequent outbound transfer activity.
  • Review blind spots where command-line logging, archive creation visibility, or endpoint coverage is incomplete.
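The correlation described under Technical view and Detection direction, written here as an added example rather than MITRE's analytic or Glexia's detection logic: a sliding window over constructed Windows endpoint events that alerts only when two or more staging behaviours co-occur, so a compression utility on its own stays silent. The staging directory list, tool names, window length, batch threshold and sample events are assumptions to tune against a local baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
STAGING_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")  # assumed
ARCHIVE_TOOLS = {"7z.exe", "7za.exe", "winrar.exe", "rar.exe"}
ARCHIVE_EXTS = (".7z", ".rar", ".zip")
WINDOW = timedelta(minutes=10)   # behaviours must co-occur inside this window (tunable)
BATCH_THRESHOLD = 5              # staged file writes that count as a batch copy (tunable)

def in_staging(path):   # true when the path sits under a temporary or public directory
    return any(d in path.lower() for d in STAGING_DIRS)

def behaviors(events):
    """Names of the staging behaviours present in one host/user slice of events."""
    staged = [e for e in events if e["type"] == "file_create" and in_staging(e["path"])]
    checks = {
        "stage_to_temp_or_public": bool(staged),
        "batch_copy": len(staged) >= BATCH_THRESHOLD,
        "compression_tool": any(e["type"] == "process_create"
                                and e["image"].lower() in ARCHIVE_TOOLS for e in events),
        "archive_in_staging": any(e["path"].lower().endswith(ARCHIVE_EXTS) for e in staged),
    }
    return {name for name, hit in checks.items() if hit}

def detect(events, min_behaviors=2):
    """One alert per host/user when >= min_behaviors co-occur inside WINDOW;
    a compression tool on its own never alerts, the combination does."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        groups[(e["host"], e["user"])].append(e)
    alerts = []
    for (host, user), evs in groups.items():
        for i, start in enumerate(evs):           # sliding window from each event
            found = behaviors([e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW])
            if len(found) >= min_behaviors:
                alerts.append({"host": host, "user": user, "first_seen": start["ts"],
                               "behaviors": sorted(found)})
                break
    return alerts

def _ev(sec, host, user, **fields):   # builds one constructed event record
    return {"ts": datetime(2026, 1, 15, 9, 0) + timedelta(seconds=sec), "host": host, "user": user, **fields}

# Constructed sample telemetry (not real logs): alice stages six spreadsheets under C:\Users\Public
# and archives them with 7z.exe; bob only unpacks a download with WinRAR outside any staging path.
SAMPLE = [_ev(30 * i, "WS01", "alice", type="file_create",
              path=f"C:\\Users\\Public\\stage\\hr_{i}.xlsx") for i in range(6)]
SAMPLE += [_ev(200, "WS01", "alice", type="process_create", image="7z.exe"),
           _ev(205, "WS01", "alice", type="file_create", path="C:\\Users\\Public\\stage\\out.7z"),
           _ev(100, "WS02", "bob", type="process_create", image="WinRAR.exe"),
           _ev(110, "WS02", "bob", type="file_create", path="C:\\Users\\bob\\Downloads\\t\\readme.txt")]
```

Running `detect(SAMPLE)` yields one alert for WS01/alice carrying all four behaviours; lowering `min_behaviors` to 1 also flags bob, which is the compression-alone noise the tuning guidance above warns against.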

Mitigation priorities

  • Confirm endpoint monitoring coverage on Windows systems that store or access sensitive data.
  • Apply least-privilege access controls so users and processes cannot broadly read sensitive files unnecessarily.
  • Restrict or monitor use of compression and bulk copy utilities where business context supports it.
  • Harden temporary and public directory usage through policy, monitoring, and cleanup controls.
  • Pair endpoint staging detections with data loss prevention, egress monitoring, and incident response playbooks.

Analyst notes and limits

This object is a detection analytic, not a technique or adversary procedure. The supplied ATT&CK fields identify Windows as the platform and describe the behavior, but provide no tactic mapping, detection pseudocode, related techniques, groups, software, or campaigns. The strongest use is as a practical coverage test for Windows endpoint visibility into pre-exfiltration file staging and compression.

No official detection content, relationships, tactics, aliases, labels, or supporting procedure examples were supplied. The take therefore cannot assert active exploitation, adversary attribution, specific data sources beyond what is reasonably implied by the description, or guaranteed detection coverage. Local environment baselines are required to distinguish malicious staging from legitimate compression, backup, administration, or user file-management activity.

Official MITRE ATT&CK definition

Analytic 0040

Detects staging of sensitive files into temporary or public directories, compression with 7zip/WinRAR, or batch copy prior to exfiltration.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7f60a75bf5b4ba88...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.0            |          | Current bundle | 7f60a75bf5b4…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0040

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.