title: Detect compression process used for data exfiltration
description: Detects data compression behaviour
author: Lep - VuNX
date: 2019/7/10
tags:
    - attack.exfiltration
    - attack.t1002
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine:
            - '*Compress-Archive*'
            - 'rar*'
            - 'zip*'
            - 'gzip*'
    selection2:
        Image: C:\Users\Public\7za.exe
    condition: selection1 or selection2
falsepositives:
    - Legitimate compression activity
level: critical
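To see how the rule's selections and condition behave against realistic events, here is an added Python evaluator (example code, not part of the rule or of the Sigma project) that applies Sigma's string semantics to a few constructed process_creation events. The sample event that launches Rar.exe through a quoted full path shows that `rar*` is anchored at the start of the command line and therefore does not fire for that invocation.

```python
import re

# Patterns copied from the Sigma rule above (added example, not part of the rule).
SELECTION1_COMMANDLINE = ["*Compress-Archive*", "rar*", "zip*", "gzip*"]
SELECTION2_IMAGE = r"C:\Users\Public\7za.exe"


def sigma_pattern(pattern: str) -> re.Pattern:
    """Sigma string semantics: case-insensitive, '*' matches any run of
    characters, '?' one character, and the pattern spans the whole value."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE | re.DOTALL)


def evaluate(event: dict) -> dict:
    """Report which selections fire for one process_creation event and whether
    the rule's condition 'selection1 or selection2' is satisfied."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    sel1 = any(sigma_pattern(p).fullmatch(cmd) for p in SELECTION1_COMMANDLINE)
    sel2 = sigma_pattern(SELECTION2_IMAGE).fullmatch(image) is not None
    return {"selection1": sel1, "selection2": sel2, "match": sel1 or sel2}


# Constructed sample events using Sysmon/Windows process_creation field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Command Compress-Archive -Path C:\Users\bob\Documents -DestinationPath C:\Users\Public\docs.zip"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"rar a -r C:\Users\Public\out.rar C:\Users\bob\Documents"},
    # Same tool launched with a quoted full path: 'rar*' is anchored at the start
    # of the command line, so this event is NOT caught by the rule as written.
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -r out.rar Documents'},
    {"Image": r"C:\Users\Public\7za.exe",
     "CommandLine": r"7za.exe a archive.7z Documents"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe report.txt"},
]


def run_rule(events: list) -> list:
    """Indexes of the events that satisfy the rule's condition."""
    return [i for i, ev in enumerate(events) if evaluate(ev)["match"]]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running it flags events 0, 1 and 3; the quoted Rar.exe launch (event 2) is the coverage gap worth tuning with a leading wildcard or an Image-based selection.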