Data Compressed

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Sigma rule

title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: test
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2023/07/28
tags:
    - attack.exfiltration
    - attack.t1560.001
logsource:
    product: linux
    service: auditd
detection:
    selection1:
        type: 'execve'
        a0: 'zip'
    selection2:
        type: 'execve'
        a0: 'gzip'
        a1: '-k'
    selection3:
        type: 'execve'
        a0: 'tar'
        a1|contains: '-c'
    condition: 1 of selection*
falsepositives:
    - Legitimate use of archiving tools by legitimate user.
level: low
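To make the detection logic concrete, the following is an added Python example (not part of the Sigma rule or the Sigma project) that applies the three selections and the `1 of selection*` condition to constructed auditd EXECVE records. It assumes Sigma's default string matching (case-insensitive, exact for `a0`/`a1`, substring for `a1|contains`), which is why an `a0` holding a full path such as `/usr/bin/zip` is not matched by this rule.

```python
"""Apply the 'Data Compressed' selections to auditd EXECVE records."""
import re

# Constructed sample auditd lines (not real captures). Lines 1-3 should
# match selection3, selection2 and selection1 respectively; the rest should not.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1690000000.101:201): argc=3 a0="tar" a1="-czf" a2="docs.tar.gz"
type=EXECVE msg=audit(1690000000.102:202): argc=3 a0="gzip" a1="-k" a2="report.pdf"
type=EXECVE msg=audit(1690000000.103:203): argc=3 a0="zip" a1="out.zip" a2="notes.txt"
type=EXECVE msg=audit(1690000000.104:204): argc=3 a0="tar" a1="-xzf" a2="docs.tar.gz"
type=EXECVE msg=audit(1690000000.105:205): argc=2 a0="gzip" a1="report.pdf"
type=SYSCALL msg=audit(1690000000.106:206): arch=c000003e syscall=59 success=yes
"""

# key=value pairs; values are either double-quoted or a bare non-space token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one auditd line into a dict of field name -> value (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def matching_selection(rec):
    """Return the name of the first selection the record satisfies, or None.

    Mirrors the rule: exact (case-insensitive) match on type/a0/a1 and a
    substring match for a1|contains. A record whose a0 is a full path such
    as /usr/bin/zip therefore does NOT match, just as it would not in Sigma.
    """
    if rec.get("type", "").lower() != "execve":
        return None
    a0 = rec.get("a0", "").lower()
    a1 = rec.get("a1", "").lower()
    if a0 == "zip":                    # selection1
        return "selection1"
    if a0 == "gzip" and a1 == "-k":    # selection2
        return "selection2"
    if a0 == "tar" and "-c" in a1:     # selection3 (a1|contains: '-c')
        return "selection3"
    return None


def scan(log_text):
    """Return (audit msg id, selection, a0, a1) for every record matching the rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        sel = matching_selection(rec)
        if sel:  # condition: 1 of selection*
            hits.append((rec.get("msg"), sel, rec.get("a0"), rec.get("a1")))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```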
