Data Compressed
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Sigma rule
```yaml
title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: test
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-07-28
tags:
    - attack.exfiltration
    - attack.collection
    - attack.t1560.001
logsource:
    product: linux
    service: auditd
detection:
    selection1:
        type: 'execve'
        a0: 'zip'
    selection2:
        type: 'execve'
        a0: 'gzip'
        a1: '-k'
    selection3:
        type: 'execve'
        a0: 'tar'
        a1|contains: '-c'
    condition: 1 of selection*
falsepositives:
    - Legitimate use of archiving tools by legitimate user.
level: low
```
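To make the detection logic concrete, here is an added example (not part of the rule or the Sigma project) that parses auditd `EXECVE` records and applies the three selections above with Sigma's default semantics: string matching is case-insensitive, a plain field is an exact match, and `|contains` is a substring match. The log lines are constructed for this example; the hex-encoded `a2` on the first line mirrors how auditd emits an argument containing a space. The `condition: 1 of selection*` is satisfied when any selection matches.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample auditd records (not taken from the page). auditd writes
# EXECVE arguments as quoted strings, or as bare hex when the argument contains
# spaces or non-printable bytes (a2 on the first line is "my docs.tgz").
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="tar" a1="-czf" a2=6D7920646F63732E74677A
type=EXECVE msg=audit(1700000000.102:202): argc=2 a0="gzip" a1="report.pdf"
type=EXECVE msg=audit(1700000000.103:203): argc=3 a0="gzip" a1="-k" a2="report.pdf"
type=EXECVE msg=audit(1700000000.104:204): argc=3 a0="zip" a1="out.zip" a2="secret.docx"
type=EXECVE msg=audit(1700000000.105:205): argc=3 a0="tar" a1="-xzf" a2="docs.tgz"
type=EXECVE msg=audit(1700000000.106:206): argc=3 a0="/usr/bin/tar" a1="-cf" a2="docs.tar"
type=SYSCALL msg=audit(1700000000.106:206): arch=c000003e syscall=59 success=yes exit=0
"""

# The three selections of the rule, expressed as Sigma field specs.
RULE_SELECTIONS = {
    "selection1": {"type": "execve", "a0": "zip"},
    "selection2": {"type": "execve", "a0": "gzip", "a1": "-k"},
    "selection3": {"type": "execve", "a0": "tar", "a1|contains": "-c"},
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
EVENT_ID_RE = re.compile(r"audit\([\d.]+:(\d+)\)")


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one auditd line into key/value pairs, decoding hex-encoded aN arguments."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif re.fullmatch(r"a\d+", key) and HEX_RE.fullmatch(raw):
            value = bytes.fromhex(raw).decode("utf-8", errors="replace")
        else:
            value = raw
        fields[key] = value
    return fields


def field_matches(record: Dict[str, str], spec_key: str, expected: str) -> bool:
    """Apply one Sigma field spec (optionally with a |contains modifier) to a record."""
    field, _, modifier = spec_key.partition("|")
    actual = record.get(field)
    if actual is None:
        return False
    actual, expected = actual.lower(), expected.lower()  # Sigma matching is case-insensitive
    if modifier == "contains":
        return expected in actual
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def matching_selections(record: Dict[str, str]) -> List[str]:
    """Names of every selection whose fields all match the record."""
    return [
        name
        for name, spec in RULE_SELECTIONS.items()
        if all(field_matches(record, k, v) for k, v in spec.items())
    ]


def scan(log_text: str) -> List[Tuple[str, List[str]]]:
    """Evaluate 'condition: 1 of selection*' over each line; return (event id, selections) hits."""
    hits: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        matched = matching_selections(parse_audit_record(line))
        if matched:
            m = EVENT_ID_RE.search(line)
            hits.append((m.group(1) if m else "?", matched))
    return hits


if __name__ == "__main__":
    for event_id, selections in scan(SAMPLE_AUDIT_LOG):
        print(f"event {event_id}: Data Compressed ({', '.join(selections)})")
```

Running it flags events 201 (`tar -czf`), 203 (`gzip -k`) and 204 (`zip`). Event 205 (`tar -xzf`, extraction) is correctly skipped because `-xzf` does not contain `-c`, and event 206 is skipped because `a0` is matched exactly, so an invocation logged as `/usr/bin/tar` does not equal `tar`; that gap, together with the broad `-c` substring, is why the rule sits at level low and is best used as a hunting signal alongside the related Tar.EXE rules.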
Related rules
- Compressed File Creation Via Tar.EXE
- Compressed File Extraction Via Tar.EXE
- Cisco Stage Data
- Disk Image Mounting Via Hdiutil - MacOS
- 7Zip Compressing Dump Files