security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7b64ab552f94de507753860b6ff0268d4a656321
blue-team-tools/rules/linux/auditd/lnx_data_compressed.yml
T

31 lines
912 B
YAML
Raw Normal View History

Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
title: Data Compressed
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
status: experimental
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
ATT&CK mapping update suggestions for \linux\
2020-08-04 19:48:18 +03:00
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.yaml
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
logsource:
product: linux
service: auditd
detection:
selection1:
type: 'execve'
a0: 'zip'
selection2:
type: 'execve'
a0: 'gzip'
a1: '-f'
selection3:
type: 'execve'
a0: 'tar'
a1|contains: '-c'
condition: 1 of them
falsepositives:
- Legitimate use of archiving tools by legitimate user
level: low
Fixed my git issue
2020-09-13 22:03:04 -06:00
tags:
- attack.exfiltration
- attack.t1560.001
Reference in New Issue Copy Permalink