valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f880fa82b5
SigmaHQ/rules/windows/process_creation/win_data_compressed.yml

32 lines
966 B
YAML
Raw Normal View History

OSCD Task 7 : ART T1002 Exfiltration With Rar OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar
2019-10-22 11:00:52 +00:00
title: Data Compressed
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
author: Timur Zinniatullin, oscd.community
references:
- https://attack.mitre.org/techniques/T1002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
logsource:
category: process_creation
product: windows
detection:
Update win_data_compressed.yml
2019-10-22 11:53:43 +00:00
selection1:
OSCD Task 7 : ART T1002 Exfiltration With Rar OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar
2019-10-22 11:00:52 +00:00
Image:
- '*\rar.exe'
CommandLine:
- '* a -r *'
Update win_data_compressed.yml
2019-10-24 12:34:13 +00:00
condition: selection1
OSCD Task 7 : ART T1002 Exfiltration With Rar OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar
2019-10-22 11:00:52 +00:00
fields:
- Image
- CommandLine
- User
- LogonGuid
- Hashes
- ParentProcessGuid
- ParentCommandLine
falsepositives:
- highly likely if default archivator in the monitored environment is rar, and even if not
level: low
tags:
- attack.exfiltration
- attack.t1002
Reference in New Issue Copy Permalink