Data Compressed
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Sigma rule
```yaml
title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: test
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-07-28
tags:
    - attack.exfiltration
    - attack.t1560.001
logsource:
    product: linux
    service: auditd
detection:
    selection1:
        type: 'execve'
        a0: 'zip'
    selection2:
        type: 'execve'
        a0: 'gzip'
        a1: '-k'
    selection3:
        type: 'execve'
        a0: 'tar'
        a1|contains: '-c'
    condition: 1 of selection*
falsepositives:
    - Legitimate use of archiving tools by legitimate user.
level: low
```
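Added here as a worked example (not part of the rule or of the Sigma project): a small Python evaluator that applies the three selections and the `1 of selection*` condition to constructed auditd EXECVE records. The sample records and the key=value field regex are assumptions about auditd's record layout.

```python
import re
from typing import Optional

# Constructed auditd EXECVE records (not real logs): one per selection,
# then three the rule does not match.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1697040000.101:201): argc=3 a0="zip" a1="-r" a2="out.zip"',
    'type=EXECVE msg=audit(1697040000.102:202): argc=3 a0="gzip" a1="-k" a2="report.pdf"',
    'type=EXECVE msg=audit(1697040000.103:203): argc=3 a0="tar" a1="-czf" a2="docs.tgz"',
    'type=EXECVE msg=audit(1697040000.104:204): argc=3 a0="tar" a1="czf" a2="docs.tgz"',
    'type=EXECVE msg=audit(1697040000.105:205): argc=2 a0="gzip" a1="report.pdf"',
    'type=SYSCALL msg=audit(1697040000.106:206): arch=c000003e syscall=59 success=yes',
]

# key=value pairs; values are either double-quoted or bare tokens (assumed layout).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_record(line: str) -> dict:
    """Split one auditd record into a dict, stripping the quotes auditd adds."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}

def match_selection(rec: dict) -> Optional[str]:
    """Apply the rule's selections; Sigma string matching is case-insensitive."""
    if rec.get("type", "").lower() != "execve":
        return None
    a0 = rec.get("a0", "").lower()
    a1 = rec.get("a1", "").lower()
    if a0 == "zip":                      # selection1: any zip invocation
        return "selection1"
    if a0 == "gzip" and a1 == "-k":      # selection2: gzip keeping the original
        return "selection2"
    if a0 == "tar" and "-c" in a1:       # selection3: a1|contains '-c'
        return "selection3"
    return None

def evaluate(lines) -> list:
    """Return (a0, selection) for every record satisfying '1 of selection*'."""
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        selection = match_selection(rec)
        if selection is not None:
            hits.append((rec["a0"], selection))
    return hits

if __name__ == "__main__":
    for a0, selection in evaluate(SAMPLE_RECORDS):
        print(f"{a0:5} -> {selection}")
```

Records 4 and 5 (tar given `czf` without a leading dash, gzip without `-k`) are not matched, which is the coverage limit of the rule as written; record 6 is a SYSCALL record and is ignored entirely.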
Related rules
- Cisco Stage Data
- Potential Exfiltration of Compressed Files
- 7Zip Compressing Dump Files
- APT31 Judgement Panda Activity
- APT40 Dropbox Tool User Agent