This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.

« Security Software Discovery via Grep Sensitive Privilege SeEnableDelegationPrivilege assigned to a User »

› › ›

Sensitive Files Compression

edit

Sensitive Files Compression

edit

Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.

Rule type: query

Rule indices:

auditbeat-*
logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html

Tags:

Elastic
Host
Linux
Threat Detection
Collection
Credential Access

Version: 100 (version history)

Added (Elastic Stack release): 7.12.0

Last modified (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit

event.category:process and event.type:start and process.name:(zip or
tar or gzip or hdiutil or 7z) and process.args: (
/root/.ssh/id_rsa or /root/.ssh/id_rsa.pub or
/root/.ssh/id_ed25519 or /root/.ssh/id_ed25519.pub or
/root/.ssh/authorized_keys or /root/.ssh/authorized_keys2 or
/root/.ssh/known_hosts or /root/.bash_history or
/etc/hosts or /home/*/.ssh/id_rsa or
/home/*/.ssh/id_rsa.pub or /home/*/.ssh/id_ed25519 or
/home/*/.ssh/id_ed25519.pub or /home/*/.ssh/authorized_keys or
/home/*/.ssh/authorized_keys2 or /home/*/.ssh/known_hosts or
/home/*/.bash_history or /root/.aws/credentials or
/root/.aws/config or /home/*/.aws/credentials or
/home/*/.aws/config or /root/.docker/config.json or
/home/*/.docker/config.json or /etc/group or /etc/passwd
or /etc/shadow or /etc/gshadow )

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Unsecured Credentials
- ID: T1552
- Reference URL: https://attack.mitre.org/techniques/T1552/
Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
Technique:
- Name: Archive Collected Data
- ID: T1560
- Reference URL: https://attack.mitre.org/techniques/T1560/

Rule version history

edit

Version 100 (8.5.0 release)

Formatting only

Version 2 (8.4.0 release)

Formatting only

« Security Software Discovery via Grep Sensitive Privilege SeEnableDelegationPrivilege assigned to a User »