title: Data Compressed
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
author: Timur Zinniatullin, oscd.community
references:
    - https://attack.mitre.org/techniques/T1002/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image:
            - '*\rar.exe'
        CommandLine:
            - '* a -r *'
    condition: selection1
fields:
    - Image
    - CommandLine
    - User
    - LogonGuid
    - Hashes
    - ParentProcessGuid
    - ParentCommandLine
falsepositives:
    - highly likely if default archivator in the monitored environment is rar, and even if not
level: low
tags:
    - attack.exfiltration
    - attack.t1002