sigmalowHunting

Data Compressed

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

MITRE ATT&CK

T1560.001

exfiltrationcollection

Detection Query

selection1:
  type: execve
  a0: zip
selection2:
  type: execve
  a0: gzip
  a1: -k
selection3:
  type: execve
  a0: tar
  a1|contains: -c
condition: 1 of selection*

Author

Timur Zinniatullin, oscd.community

Created

2019-10-21

Data Sources

linuxauditd

Platforms

linux

References

https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md

Tags

attack.exfiltrationattack.collectionattack.t1560.001

Raw Content

title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: test
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-07-28
tags:
    - attack.exfiltration
    - attack.collection
    - attack.t1560.001
logsource:
    product: linux
    service: auditd
detection:
    selection1:
        type: 'execve'
        a0: 'zip'
    selection2:
        type: 'execve'
        a0: 'gzip'
        a1: '-k'
    selection3:
        type: 'execve'
        a0: 'tar'
        a1|contains: '-c'
    condition: 1 of selection*
falsepositives:
    - Legitimate use of archiving tools by legitimate user.
level: low