Find sigma rule

Attack: Archive Collected Data

An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.

MITRE

Tactic

collection

technique

T1560

Test : Compress Data for Exfiltration With PowerShell

OS

windows

Description:

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory

Executor

powershell

Sigma Rule

posh_ps_compress_archive_usage.yml (id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test