Creation of an Archive with Common Archivers¶
Adversaries may collect and stage data in a central location or directory in preparation for exfiltration. Packing the staged files into a single archive with a common archiver (zip, tar, gzip, or hdiutil on macOS) is a frequent step before the data is moved off the host.
| id: | f43f66f3-7e86-4cd1-9850-df7b4ac7822e |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | macos, linux |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Collection |
|---|---|
| techniques: | T1074 Data Staged |
Query¶
```eql
sequence by unique_pid with maxspan=1m
  [ process where subtype.create and process_name in ("zip", "tar", "gzip", "hdiutil") ]
  [ file where wildcard(file_name, "*.zip", "*.tar", "*.gzip", "*.gz") ]
```
The two stages are joined on unique_pid, so a file event is only considered if the same process that was started in the first stage wrote it, and both events must fall within one minute of each other. Note that the second stage matches only the listed extensions: hdiutil normally writes .dmg disk images, and an archiver invoked with a custom output name (for example, tar writing to a file with no extension) will not complete the sequence. Treat the rule as an enrichment signal with low confidence, as the metadata above states, rather than as a standalone alert.
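The following is an added example, not part of the eqllib page or the EQL engine: a small re-implementation of the `sequence by unique_pid with maxspan=1m` logic above, run over constructed process and file events so the pid join and the time window can be seen end to end. The event dictionaries and their field names (`timestamp`, `event_type`, `subtype`, `unique_pid`, `process_name`, `file_name`) are a stand-in for the sensor schema the rule is written against and are assumptions for this example.

```python
"""Added example (not the eqllib rule or the EQL engine): a minimal
two-stage sequence matcher that mirrors the archive-staging query."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

ARCHIVERS = {"zip", "tar", "gzip", "hdiutil"}
ARCHIVE_GLOBS = ("*.zip", "*.tar", "*.gzip", "*.gz")
MAXSPAN = timedelta(minutes=1)


def find_staging(events, maxspan=MAXSPAN):
    """Return (process_event, file_event) pairs that satisfy the sequence.

    Stage 1: a process-create event for one of the archivers.
    Stage 2: a file event from the same unique_pid whose file_name matches
             one of the archive globs, no more than `maxspan` after stage 1.
    A later stage-1 event for the same pid restarts the sequence, as a
    fresh `sequence by` key would.
    """
    pending = {}   # unique_pid -> stage-1 event still waiting for stage 2
    matches = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        pid = ev["unique_pid"]
        if (ev["event_type"] == "process"
                and ev.get("subtype") == "create"
                and ev["process_name"] in ARCHIVERS):
            pending[pid] = ev
        elif ev["event_type"] == "file" and pid in pending:
            # file_name is the basename, as in the rule; lowercase so that
            # "DOCS.TAR" is treated the same as "docs.tar".
            name = ev["file_name"].lower()
            if not any(fnmatchcase(name, g) for g in ARCHIVE_GLOBS):
                continue                      # not an archive, keep waiting
            first = pending.pop(pid)
            if ev["timestamp"] - first["timestamp"] <= maxspan:
                matches.append((first, ev))   # both stages inside the window
            # else: the sequence expired; the stage-1 event is discarded
    return matches


# Constructed sample telemetry (assumed field names, not real sensor output).
T0 = datetime(2019, 7, 26, 12, 0, 0)
SAMPLE_EVENTS = [
    # pid 101: tar starts and writes docs.tar 20 s later -> should match
    {"timestamp": T0, "event_type": "process", "subtype": "create",
     "unique_pid": 101, "process_name": "tar", "file_name": None},
    {"timestamp": T0 + timedelta(seconds=20), "event_type": "file",
     "unique_pid": 101, "process_name": "tar", "file_name": "docs.tar"},
    # pid 102: zip starts, archive appears 3 min later -> outside maxspan
    {"timestamp": T0 + timedelta(seconds=30), "event_type": "process",
     "subtype": "create", "unique_pid": 102, "process_name": "zip",
     "file_name": None},
    {"timestamp": T0 + timedelta(minutes=3, seconds=30), "event_type": "file",
     "unique_pid": 102, "process_name": "zip", "file_name": "out.zip"},
    # pid 103: hdiutil writes a .dmg, which the file filter does not cover
    {"timestamp": T0 + timedelta(seconds=40), "event_type": "process",
     "subtype": "create", "unique_pid": 103, "process_name": "hdiutil",
     "file_name": None},
    {"timestamp": T0 + timedelta(seconds=45), "event_type": "file",
     "unique_pid": 103, "process_name": "hdiutil", "file_name": "stage.dmg"},
    # pid 104: a .zip written by a process that never hit stage 1 -> no join
    {"timestamp": T0 + timedelta(seconds=50), "event_type": "file",
     "unique_pid": 104, "process_name": "python3", "file_name": "report.zip"},
]


if __name__ == "__main__":
    for proc, fil in find_staging(SAMPLE_EVENTS):
        print(f"pid {proc['unique_pid']}: {proc['process_name']} -> "
              f"{fil['file_name']} after {fil['timestamp'] - proc['timestamp']}")
```

Only pid 101 survives: pid 102 exceeds the one-minute window, pid 103 produces an extension the rule does not list, and pid 104 has the right extension but no matching stage-1 process, which is exactly what `sequence by unique_pid` enforces.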