Sensitive Files Compression

Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Collection
  • Credential Access

Version: 100 (version history)

Added (Elastic Stack release): 7.12.0

Last modified (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

event.category:process and event.type:start and process.name:(zip or
tar or gzip or hdiutil or 7z) and process.args: (
/root/.ssh/id_rsa or /root/.ssh/id_rsa.pub or
/root/.ssh/id_ed25519 or /root/.ssh/id_ed25519.pub or
/root/.ssh/authorized_keys or /root/.ssh/authorized_keys2 or
/root/.ssh/known_hosts or /root/.bash_history or
/etc/hosts or /home/*/.ssh/id_rsa or
/home/*/.ssh/id_rsa.pub or /home/*/.ssh/id_ed25519 or
/home/*/.ssh/id_ed25519.pub or /home/*/.ssh/authorized_keys or
/home/*/.ssh/authorized_keys2 or /home/*/.ssh/known_hosts or
/home/*/.bash_history or /root/.aws/credentials or
/root/.aws/config or /home/*/.aws/credentials or
/home/*/.aws/config or /root/.docker/config.json or
/home/*/.docker/config.json or /etc/group or /etc/passwd
or /etc/shadow or /etc/gshadow )
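To see exactly what the query above does and does not fire on, the following is an added example (not Elastic's rule engine and not code from the original page) that re-implements the KQL clauses as a plain Python matcher and runs it over a handful of constructed ECS-shaped process events. Assumptions: documents carry `event.category`, `event.type`, `process.name` and `process.args` in ECS form as auditbeat and the Elastic endpoint produce them; the KQL `*` wildcard on a keyword field is approximated with `fnmatch`, which likewise lets `*` span `/`; the sample events, host names and paths are invented for the demonstration.

```python
"""Added example: the 'Sensitive Files Compression' KQL re-implemented in Python
and run over constructed ECS-style process events (not a real auditbeat capture)."""
import fnmatch
import json

# process.name:(zip or tar or gzip or hdiutil or 7z)
COMPRESSION_TOOLS = {"zip", "tar", "gzip", "hdiutil", "7z"}

# process.args:( ... ) -- each pattern must match a whole argument. KQL's '*'
# matches any run of characters on a keyword field; fnmatch treats it the same
# way (it also spans '/'), so /home/*/.ssh/id_rsa matches /home/alice/.ssh/id_rsa.
SENSITIVE_PATHS = [
    "/root/.ssh/id_rsa", "/root/.ssh/id_rsa.pub",
    "/root/.ssh/id_ed25519", "/root/.ssh/id_ed25519.pub",
    "/root/.ssh/authorized_keys", "/root/.ssh/authorized_keys2",
    "/root/.ssh/known_hosts", "/root/.bash_history", "/etc/hosts",
    "/home/*/.ssh/id_rsa", "/home/*/.ssh/id_rsa.pub",
    "/home/*/.ssh/id_ed25519", "/home/*/.ssh/id_ed25519.pub",
    "/home/*/.ssh/authorized_keys", "/home/*/.ssh/authorized_keys2",
    "/home/*/.ssh/known_hosts", "/home/*/.bash_history",
    "/root/.aws/credentials", "/root/.aws/config",
    "/home/*/.aws/credentials", "/home/*/.aws/config",
    "/root/.docker/config.json", "/home/*/.docker/config.json",
    "/etc/group", "/etc/passwd", "/etc/shadow", "/etc/gshadow",
]


def as_list(value):
    """ECS fields such as event.category and event.type may be a scalar or an array."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matched_sensitive_args(event):
    """Return the process.args entries that hit a sensitive-path pattern, in order.

    Mirrors the query: every clause must hold, and the args clause is satisfied
    by any single argument equal to (or wildcard-matching) one listed path.
    """
    ev = event.get("event", {})
    proc = event.get("process", {})
    if "process" not in as_list(ev.get("category")):
        return []
    if "start" not in as_list(ev.get("type")):
        return []
    if proc.get("name") not in COMPRESSION_TOOLS:
        return []
    return [
        arg for arg in as_list(proc.get("args"))
        if any(fnmatch.fnmatchcase(arg, pattern) for pattern in SENSITIVE_PATHS)
    ]


def evaluate(ndjson):
    """Run the rule over newline-delimited JSON documents; return one alert per hit."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = matched_sensitive_args(event)
        if hits:
            alerts.append({
                "host": event.get("host", {}).get("name"),
                "process": event["process"]["name"],
                "args": event["process"]["args"],
                "sensitive_args": hits,
            })
    return alerts


def make_event(name, args, etype="start", host="web-01"):
    """Build a minimal ECS process document (constructed test data, not a capture)."""
    return {
        "event": {"category": ["process"], "type": [etype]},
        "host": {"name": host},
        "process": {"name": name, "args": args},
    }


# Constructed sample events (hypothetical hosts and paths, not captured data).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # root key plus a user key bundled in one archive -> alert
    make_event("tar", ["tar", "czf", "/tmp/k.tgz", "/root/.ssh/id_rsa", "/home/alice/.ssh/id_ed25519"]),
    # same intent, but the directory is passed instead of the file -> no alert
    make_event("tar", ["tar", "czf", "/tmp/ssh.tgz", "/root/.ssh"]),
    # routine log rotation -> no alert
    make_event("gzip", ["gzip", "/var/log/syslog.1"]),
    # password database zipped up -> alert
    make_event("zip", ["zip", "-r", "/tmp/etc.zip", "/etc/passwd", "/etc/shadow"], host="db-02"),
    # sensitive file read by a non-compression tool -> outside this rule's scope
    make_event("cat", ["cat", "/etc/shadow"]),
    # process end event for a matching command line -> no alert (event.type must be start)
    make_event("tar", ["tar", "czf", "/tmp/k.tgz", "/etc/shadow"], etype="end"),
])

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Running the block prints two alerts (the tar and zip events). The second sample event is the caveat worth remembering when tuning: the args clause matches whole arguments, so `tar czf ssh.tgz /root/.ssh` (a directory) or `cd /root/.ssh && tar czf ../k.tgz id_rsa` (a relative name) never equals any listed path and produces no alert, even though the same files are collected. The rule catches the explicit-path form; broader coverage needs additional patterns or a different field.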

Threat mapping

Framework: MITRE ATT&CK™

Rule version history

Version 100 (8.5.0 release)
  • Formatting only
Version 2 (8.4.0 release)
  • Formatting only