Data Compressed
- source: sigma
- techniques:
  - t1560
  - t1560.001
Description
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Detection logic
  condition: 1 of selection*
  selection1:
    a0: zip
    type: execve
  selection2:
    a0: gzip
    a1: -k
    type: execve
  selection3:
    a0: tar
    a1|contains: -c
    type: execve