Sensitive File Access followed by Compression
Detects when a sensitive file is accessed followed by the immediate creation of a compressed file in a suspicious location. This activity can indicate an attempt to collect sensitive local data and stage it for exfiltration.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/30"

[rule]
author = ["Elastic"]
description = """
Detects when a sensitive file is accessed followed by the immediate creation of a compressed file in a
suspicious location. This activity can indicate an attempt to collect sensitive local data and stage it
for exfiltration.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Sensitive File Access followed by Compression"
risk_score = 73
rule_id = "a0fbd7a9-1923-4e05-92df-b484168f17bc"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Collection",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Sensitive File Access followed by Compression

Data exfiltration is a critical phase of many attack campaigns where threat actors collect and stage sensitive data for transfer out of the environment. On macOS, attackers commonly target high-value files such as SSH keys, AWS credentials, browser cookies, and login keychains. This detection rule identifies a behavioral pattern where a process accesses sensitive files and subsequently creates compressed archives, which is a hallmark of data staging activity prior to exfiltration.

### Possible investigation steps

- Review the process.entity_id and process.name fields to identify the application that accessed sensitive files and created the compressed archive.
- Examine the file.path fields in both events to determine which specific sensitive files were accessed and where the archive was created.
- Analyze the process.parent.executable and process.command_line to understand how the process was launched and whether it originated from a suspicious source.
- Check for network connection events from the same process or host shortly after the compression activity, as this may indicate attempted exfiltration.
- Investigate the user.name associated with the activity to determine if the behavior is consistent with their role and normal operations.
- Review the destination path of the compressed file to assess whether it was placed in a location commonly used for staging, such as /Users/Shared or temporary directories.
- Correlate with other security alerts on the same host to identify if this is part of a broader attack chain.

### False positive analysis

- Legitimate backup applications may access sensitive files and create compressed archives as part of scheduled backup operations. Verify the process against known backup tools like Time Machine or third-party backup solutions.
- System administrators performing manual archiving of configuration files or credentials for secure storage may trigger this rule. Confirm with IT operations if such activities were planned.
- Development workflows may involve compressing SSH keys or credentials for transfer between development environments. Review with development teams before escalating.
- Some applications may legitimately compress browser data or credentials during migrations or exports. Verify the application's purpose and user intent.

### Response and remediation

- Immediately isolate the affected macOS system from the network to prevent any pending data exfiltration.
- Identify and quarantine the compressed archive file to prevent it from being transferred or deleted by the attacker.
- Conduct a thorough review of the files that were accessed and compressed to assess the scope of potential data exposure.
- Rotate all credentials that may have been compromised, including SSH keys, AWS access keys, API tokens, and any passwords stored in keychains or browsers.
- Perform a forensic analysis of the system to identify the initial access vector and any persistence mechanisms.
- Review network logs and proxy data to determine if any data was successfully exfiltrated prior to detection.
- Escalate to the incident response team for further investigation if the activity appears to be part of a coordinated attack campaign.
"""
query = '''
sequence by process.entity_id with maxspan=30s
  [file where host.os.type == "macos" and event.action == "open" and
   not file.name in~ ("System.keychain", "login.keychain-db", "preferences.plist", "com.apple.TimeMachine.plist")]
  [file where host.os.type == "macos" and event.action == "modification" and
   file.extension in ("zip", "gzip", "gz") and
   file.path like~ ("/Users/Shared/*", "/Library/WebServer/*", "/Users/*/Library/WebServer/*",
                    "/Library/Graphics/*", "/Users/*/Library/Graphics/*", "/Library/Fonts/*",
                    "/Users/*/Library/Fonts/*", "/private/var/root/Library/HTTPStorages/*",
                    "/tmp/*", "/var/tmp/*", "/private/tmp/*") and
   not file.path like~ ("/Library/Logs/CrashReporter/*", "/private/tmp/publish.*")]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Collection"
  id = "TA0009"
  reference = "https://attack.mitre.org/tactics/TA0009/"

  [[rule.threat.technique]]
  name = "Data Staged"
  id = "T1074"
  reference = "https://attack.mitre.org/techniques/T1074/"

    [[rule.threat.technique.subtechnique]]
    name = "Local Data Staging"
    id = "T1074.001"
    reference = "https://attack.mitre.org/techniques/T1074/001/"

  [[rule.threat.technique]]
  name = "Archive Collected Data"
  id = "T1560"
  reference = "https://attack.mitre.org/techniques/T1560/"

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Exfiltration"
  id = "TA0010"
  reference = "https://attack.mitre.org/tactics/TA0010/"
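As an added illustration (not Elastic's code), the following Python emulates the query's two-stage sequence over constructed file events, showing how the 30s maxspan, the case-insensitive name exclusion and the staging-path allow and deny lists together decide a hit. The record layout and the one-pending-open-per-process simplification of EQL sequence matching are assumptions.

```python
import fnmatch
from datetime import datetime, timedelta
MAXSPAN = timedelta(seconds=30)                            # values copied from the rule's query
ARCHIVE_EXTS = {"zip", "gzip", "gz"}                       # EQL `in`: case-sensitive
EXCLUDED_NAMES = {"system.keychain", "login.keychain-db",  # EQL `in~`: case-insensitive
                  "preferences.plist", "com.apple.timemachine.plist"}
STAGING_PATHS = ["/Users/Shared/*", "/Library/WebServer/*", "/Users/*/Library/WebServer/*",
                 "/Library/Graphics/*", "/Users/*/Library/Graphics/*", "/Library/Fonts/*", "/Users/*/Library/Fonts/*",
                 "/private/var/root/Library/HTTPStorages/*", "/tmp/*", "/var/tmp/*", "/private/tmp/*"]
EXCLUDED_PATHS = ["/Library/Logs/CrashReporter/*", "/private/tmp/publish.*"]
def like_ci(path, patterns):
    # EQL `like~`: case-insensitive glob; `*` also crosses "/"
    return any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in patterns)

def is_open_event(e):
    # Stage 1: macOS file open whose name is not on the exclusion list
    return (e["host.os.type"] == "macos" and e["event.action"] == "open"
            and e["file.name"].lower() not in EXCLUDED_NAMES)

def is_archive_event(e):
    # Stage 2: archive written to a staging path that is not itself excluded
    return (e["host.os.type"] == "macos" and e["event.action"] == "modification"
            and (e.get("file.extension") or "") in ARCHIVE_EXTS
            and like_ci(e["file.path"], STAGING_PATHS)
            and not like_ci(e["file.path"], EXCLUDED_PATHS))

def detect(events):
    # Simplified `sequence by process.entity_id with maxspan=30s`: one pending stage-1 event per process
    pending, hits = {}, []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        pid = e["process.entity_id"]
        if is_open_event(e):
            pending[pid] = e                       # newest open restarts the 30s window
        elif is_archive_event(e) and pid in pending:
            if e["@timestamp"] - pending[pid]["@timestamp"] <= MAXSPAN:
                hits.append((pending.pop(pid)["file.path"], e["file.path"]))
    return hits                                    # list of (opened path, archive path)
def make_event(sec, entity, action, path, ext=None):
    # Constructed record in the shape of logs-endpoint.events.file-* (field layout assumed)
    return {"@timestamp": datetime(2026, 1, 30, 12, 0, sec), "process.entity_id": entity,
            "host.os.type": "macos", "event.action": action, "file.path": path,
            "file.name": path.rsplit("/", 1)[-1], "file.extension": ext}
SAMPLE_EVENTS = [  # constructed sample telemetry; only p1 should fire
    make_event(0, "p1", "open", "/Users/alice/.ssh/id_rsa"),
    make_event(5, "p1", "modification", "/tmp/backup.zip", "zip"),
    make_event(10, "p2", "open", "/Users/bob/.aws/credentials"),
    make_event(50, "p2", "modification", "/var/tmp/creds.gz", "gz"),     # 40s later: outside maxspan
    make_event(20, "p3", "open", "/Users/carol/Library/Keychains/login.keychain-db"),
    make_event(22, "p3", "modification", "/tmp/kc.zip", "zip"),          # stage 1 never matched
]
```

Running `detect(SAMPLE_EVENTS)` returns only the p1 pair; the p2 archive falls outside maxspan and the p3 keychain open is removed by the stage-1 name exclusion, so neither sequence completes.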
Related rules
- Pbpaste Execution via Unusual Parent Process
- Suspicious TCC Access Granted for User Folders
- GenAI Process Accessing Sensitive Files
- Curl Execution via Shell Profile
- Dylib Injection via Process Environment Variables