Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

Data Compressed

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Timur Zinniatullin, oscd.communityCreated Mon Oct 21Updated Fri Jul 28a3b5e3e9-1b49-4119-8b8e-0344a01f21eelinux
Log Source
Linuxauditd
ProductLinux← raw: linux
Serviceauditd← raw: auditd
Detection Logic
Detection Logic3 selectors
detection:
    selection1:
        type: 'execve'
        a0: 'zip'
    selection2:
        type: 'execve'
        a0: 'gzip'
        a1: '-k'
    selection3:
        type: 'execve'
        a0: 'tar'
        a1|contains: '-c'
    condition: 1 of selection*
False Positives

Legitimate use of archiving tools by legitimate user.

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
Status
test
Level
low
Type
Detection
Created
Mon Oct 21
Modified
Fri Jul 28
Author
Timur Zinniatullin, oscd.community
Path
rules/linux/auditd/execve/lnx_auditd_data_compressed.yml
Raw Tags
attack.exfiltrationattack.collectionattack.t1560.001
View on GitHub