security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a0bad54dbda170d5369f54ccede5f11f999da4de
blue-team-tools/rules/linux/auditd/lnx_data_compressed.yml
T

33 lines
905 B
YAML
Raw Normal View History

Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
title: Data Compressed
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
status: experimental
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
of data sent over the network
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
logsource:
product: linux
service: auditd
detection:
selection1:
type: 'execve'
a0: 'zip'
selection2:
type: 'execve'
a0: 'gzip'
a1: '-f'
selection3:
type: 'execve'
a0: 'tar'
a1|contains: '-c'
condition: 1 of them
falsepositives:
- Legitimate use of archiving tools by legitimate user
level: low
tags:
- attack.exfiltration
- attack.t1002
Reference in New Issue Copy Permalink