Sensitive Files Compression
Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/12/22"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials
13and system configurations.
14"""
15from = "now-9m"
16index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Sensitive Files Compression"
20references = [
21 "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
22]
23risk_score = 47
24rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
27timestamp_override = "event.ingested"
28type = "query"
29
30query = '''
31event.category:process and host.os.type:linux and event.type:start and
32 process.name:(zip or tar or gzip or hdiutil or 7z) and
33 process.args:
34 (
35 /root/.ssh/id_rsa or
36 /root/.ssh/id_rsa.pub or
37 /root/.ssh/id_ed25519 or
38 /root/.ssh/id_ed25519.pub or
39 /root/.ssh/authorized_keys or
40 /root/.ssh/authorized_keys2 or
41 /root/.ssh/known_hosts or
42 /root/.bash_history or
43 /etc/hosts or
44 /home/*/.ssh/id_rsa or
45 /home/*/.ssh/id_rsa.pub or
46 /home/*/.ssh/id_ed25519 or
47 /home/*/.ssh/id_ed25519.pub or
48 /home/*/.ssh/authorized_keys or
49 /home/*/.ssh/authorized_keys2 or
50 /home/*/.ssh/known_hosts or
51 /home/*/.bash_history or
52 /root/.aws/credentials or
53 /root/.aws/config or
54 /home/*/.aws/credentials or
55 /home/*/.aws/config or
56 /root/.docker/config.json or
57 /home/*/.docker/config.json or
58 /etc/group or
59 /etc/passwd or
60 /etc/shadow or
61 /etc/gshadow
62 )
63'''
64
65
66[[rule.threat]]
67framework = "MITRE ATT&CK"
68[[rule.threat.technique]]
69id = "T1552"
70name = "Unsecured Credentials"
71reference = "https://attack.mitre.org/techniques/T1552/"
72[[rule.threat.technique.subtechnique]]
73id = "T1552.001"
74name = "Credentials In Files"
75reference = "https://attack.mitre.org/techniques/T1552/001/"
76
77
78
79[rule.threat.tactic]
80id = "TA0006"
81name = "Credential Access"
82reference = "https://attack.mitre.org/tactics/TA0006/"
83[[rule.threat]]
84framework = "MITRE ATT&CK"
85[[rule.threat.technique]]
86id = "T1560"
87name = "Archive Collected Data"
88reference = "https://attack.mitre.org/techniques/T1560/"
89[[rule.threat.technique.subtechnique]]
90id = "T1560.001"
91name = "Archive via Utility"
92reference = "https://attack.mitre.org/techniques/T1560/001/"
93
94
95
96[rule.threat.tactic]
97id = "TA0009"
98name = "Collection"
99reference = "https://attack.mitre.org/tactics/TA0009/"
References
-
We discuss TeamTNT’s latest attack, which involves the use of the group’s own IRC (Internet Relay Chat) bot. The IRC bot is called TNTbotinger and is capable of distributed denial of service (DDoS).
Read More
Related rules
- Modification of OpenSSH Binaries
- Potential Linux Credential Dumping via Unshadow
- Potential OpenSSH Backdoor Logging Activity
- Potential Shadow File Read via Command Line Utilities
- Potential Unauthorized Access via Wildcard Injection Detected