1{ 2 "author": [ 3 "Elastic" 4 ], 5 "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", 6 "from": "now-9m", 7 "index": [ 8 "auditbeat-*", 9 "logs-endpoint.events.*" 10 ], 11 "language": "kuery", 12 "license": "Elastic License v2", 13 "name": "Sensitive Files Compression", 14 "query": "event.category:process and event.type:start and\n process.name:(zip or tar or gzip or hdiutil or 7z) and\n process.args:\n (\n /root/.ssh/id_rsa or\n /root/.ssh/id_rsa.pub or\n /root/.ssh/id_ed25519 or\n /root/.ssh/id_ed25519.pub or\n /root/.ssh/authorized_keys or\n /root/.ssh/authorized_keys2 or\n /root/.ssh/known_hosts or\n /root/.bash_history or\n /etc/hosts or\n /home/*/.ssh/id_rsa or\n /home/*/.ssh/id_rsa.pub or\n /home/*/.ssh/id_ed25519 or\n /home/*/.ssh/id_ed25519.pub or\n /home/*/.ssh/authorized_keys or\n /home/*/.ssh/authorized_keys2 or\n /home/*/.ssh/known_hosts or\n /home/*/.bash_history or\n /root/.aws/credentials or\n /root/.aws/config or\n /home/*/.aws/credentials or\n /home/*/.aws/config or\n /root/.docker/config.json or\n /home/*/.docker/config.json or\n /etc/group or\n /etc/passwd or\n /etc/shadow or\n /etc/gshadow\n )\n", 15 "references": [ 16 "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html" 17 ], 18 "risk_score": 47, 19 "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", 20 "severity": "medium", 21 "tags": [ 22 "Elastic", 23 "Host", 24 "Linux", 25 "Threat Detection", 26 "Collection", 27 "Credential Access" 28 ], 29 "threat": [ 30 { 31 "framework": "MITRE ATT&CK", 32 "tactic": { 33 "id": "TA0006", 34 "name": "Credential Access", 35 "reference": "https://attack.mitre.org/tactics/TA0006/" 36 }, 37 "technique": [ 38 { 39 "id": "T1552", 40 "name": "Unsecured Credentials", 41 "reference": "https://attack.mitre.org/techniques/T1552/", 42 "subtechnique": [ 43 { 44 "id": "T1552.001", 45 "name": "Credentials In Files", 46 "reference": "https://attack.mitre.org/techniques/T1552/001/" 47 } 48 ] 49 } 50 ] 51 }, 52 { 53 "framework": "MITRE ATT&CK", 54 "tactic": { 55 "id": "TA0009", 56 "name": "Collection", 57 "reference": "https://attack.mitre.org/tactics/TA0009/" 58 }, 59 "technique": [ 60 { 61 "id": "T1560", 62 "name": "Archive Collected Data", 63 "reference": "https://attack.mitre.org/techniques/T1560/", 64 "subtechnique": [ 65 { 66 "id": "T1560.001", 67 "name": "Archive via Utility", 68 "reference": "https://attack.mitre.org/techniques/T1560/001/" 69 } 70 ] 71 } 72 ] 73 } 74 ], 75 "timestamp_override": "event.ingested", 76 "type": "query", 77 "version": 1 78} 79