1{
2  "author": [
3    "Elastic"
4  ],
5  "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.",
6  "from": "now-9m",
7  "index": [
8    "auditbeat-*",
9    "logs-endpoint.events.*"
10  ],
11  "language": "kuery",
12  "license": "Elastic License v2",
13  "name": "Sensitive Files Compression",
14  "query": "event.category:process and event.type:start and\n  process.name:(zip or tar or gzip or hdiutil or 7z) and\n  process.args:\n    (\n      /root/.ssh/id_rsa or\n      /root/.ssh/id_rsa.pub or\n      /root/.ssh/id_ed25519 or\n      /root/.ssh/id_ed25519.pub or\n      /root/.ssh/authorized_keys or\n      /root/.ssh/authorized_keys2 or\n      /root/.ssh/known_hosts or\n      /root/.bash_history or\n      /etc/hosts or\n      /home/*/.ssh/id_rsa or\n      /home/*/.ssh/id_rsa.pub or\n      /home/*/.ssh/id_ed25519 or\n      /home/*/.ssh/id_ed25519.pub or\n      /home/*/.ssh/authorized_keys or\n      /home/*/.ssh/authorized_keys2 or\n      /home/*/.ssh/known_hosts or\n      /home/*/.bash_history or\n      /root/.aws/credentials or\n      /root/.aws/config or\n      /home/*/.aws/credentials or\n      /home/*/.aws/config or\n      /root/.docker/config.json or\n      /home/*/.docker/config.json or\n      /etc/group or\n      /etc/passwd or\n      /etc/shadow or\n      /etc/gshadow\n    )\n",
15  "references": [
16    "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"
17  ],
18  "risk_score": 47,
19  "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab",
20  "severity": "medium",
21  "tags": [
22    "Elastic",
23    "Host",
24    "Linux",
25    "Threat Detection",
26    "Collection",
27    "Credential Access"
28  ],
29  "threat": [
30    {
31      "framework": "MITRE ATT&CK",
32      "tactic": {
33        "id": "TA0006",
34        "name": "Credential Access",
35        "reference": "https://attack.mitre.org/tactics/TA0006/"
36      },
37      "technique": [
38        {
39          "id": "T1552",
40          "name": "Unsecured Credentials",
41          "reference": "https://attack.mitre.org/techniques/T1552/",
42          "subtechnique": [
43            {
44              "id": "T1552.001",
45              "name": "Credentials In Files",
46              "reference": "https://attack.mitre.org/techniques/T1552/001/"
47            }
48          ]
49        }
50      ]
51    },
52    {
53      "framework": "MITRE ATT&CK",
54      "tactic": {
55        "id": "TA0009",
56        "name": "Collection",
57        "reference": "https://attack.mitre.org/tactics/TA0009/"
58      },
59      "technique": [
60        {
61          "id": "T1560",
62          "name": "Archive Collected Data",
63          "reference": "https://attack.mitre.org/techniques/T1560/",
64          "subtechnique": [
65            {
66              "id": "T1560.001",
67              "name": "Archive via Utility",
68              "reference": "https://attack.mitre.org/techniques/T1560/001/"
69            }
70          ]
71        }
72      ]
73    }
74  ],
75  "timestamp_override": "event.ingested",
76  "type": "query",
77  "version": 1
78}
79