Potential Exfiltration of Compressed Files

This rule detects potential exfiltration by looking for a few archive extensions (.7z, .zip, .rar) in the URI and for signs of compression in the MIME type, the file type, and the HTTP body magic of PUT requests.

Sigma rule

title: Potential Exfiltration of Compressed Files
id: 0d47e3f6-357f-4534-928c-202631d065fa
status: unsupported
description: |
        This rule detects potential exfiltration by looking for a few compression extensions in the uri and signs of compression in the mime type, file type, and http body
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/17
author: Greg Howell, OTR (Open Threat Research)
date: 2020/04/05
modified: 2023/03/24
tags:
    - attack.exfiltration
    - attack.t1560.001
    - attack.t1005
logsource:
    product: zeek
    service: http
detection:
    selection1:
        uri|endswith:
         - '.7z'
         - '.zip'
         - '.rar'
        mime_types|endswith: 'compressed'
    selection3:
        filetype|endswith: 'compressed'
    selection4:
        http.bodyMagic|endswith: 'compressed'
        http.method: PUT
    condition: selection1 or selection3 or selection4
falsepositives:
    - Legitimate upload/download of archives
level: medium
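As an added example (not part of the rule page or the OTRF project), the Python below evaluates the three selections over constructed Zeek-style HTTP events and shows that selection1 needs both the archive extension and a compressed MIME type, while selection4 also requires the PUT method. It assumes a log pipeline that exposes the rule's own field names as written (`http.bodyMagic` and `http.method` are treated as flat keys) and uses case-insensitive matching, as Sigma string modifiers do by default.

```python
"""Evaluate the Sigma rule's detection logic over constructed HTTP events."""

# Constructed sample events in the rule's field names (not real Zeek output).
SAMPLE_EVENTS = [
    {"uri": "/upload/backup.zip", "mime_types": "application/x-zip-compressed",
     "http.method": "PUT"},                                   # selection1
    {"uri": "/index.html", "mime_types": "text/html",
     "http.method": "GET"},                                   # benign
    {"uri": "/api/data", "filetype": "application/x-rar-compressed",
     "http.method": "POST"},                                  # selection3
    {"uri": "/put/blob", "http.bodyMagic": "application/x-7z-compressed",
     "http.method": "PUT"},                                   # selection4
    {"uri": "/get/blob", "http.bodyMagic": "application/x-7z-compressed",
     "http.method": "GET"},                                   # method is not PUT
    {"uri": "/files/report.7z", "mime_types": "application/octet-stream",
     "http.method": "GET"},                                   # extension only
]


def _endswith(event: dict, field: str, suffixes: list[str]) -> bool:
    """Sigma 'endswith': case-insensitive; a missing field never matches."""
    value = event.get(field)
    if value is None:
        return False
    value = str(value).lower()
    return any(value.endswith(s.lower()) for s in suffixes)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies selection1 or selection3 or selection4."""
    # Keys inside one selection map are ANDed, so selection1 needs both fields.
    selection1 = (_endswith(event, "uri", [".7z", ".zip", ".rar"])
                  and _endswith(event, "mime_types", ["compressed"]))
    selection3 = _endswith(event, "filetype", ["compressed"])
    # 'http.method: PUT' is an exact, case-insensitive value match.
    selection4 = (_endswith(event, "http.bodyMagic", ["compressed"])
                  and str(event.get("http.method", "")).lower() == "put")
    return selection1 or selection3 or selection4


def find_matches(events: list[dict]) -> list[str]:
    """Return the URIs of the events the rule would flag, in input order."""
    return [e["uri"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(find_matches(SAMPLE_EVENTS))
```

The two non-matching events with a .7z URI or a compressed body illustrate why the rule's false-positive note matters: ordinary archive downloads match only when the MIME type also reports compression.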
