Creation of an Archive with Common Archivers
Adversaries may collect and stage data in a central location or directory in preparation for exfiltration. Archiving the collected data with a standard tool is a common staging step, so this analytic looks for a common archiver process (zip, tar, gzip, hdiutil) being started and, within one minute and under the same process, a file event whose name carries an archive extension.
| id: | f43f66f3-7e86-4cd1-9850-df7b4ac7822e |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | macos, linux |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Collection |
|---|---|
| techniques: | T1074 Data Staged |
Query
```eql
sequence by unique_pid with maxspan=1m
  // stage 1: a common archiver is started
  [ process where subtype.create and process_name in ("zip", "tar", "gzip", "hdiutil") ]
  // stage 2: the same process touches a file with an archive extension
  //          ("*.dmg" added so that hdiutil output is covered; hdiutil creates disk images, not zip/tar/gz files)
  [ file where wildcard(file_name, "*.zip", "*.tar", "*.gzip", "*.gz", "*.dmg") ]
```
Note that the second stage matches any file event (not only creation) whose name fits the pattern, and that archiving files is routine on most hosts, which is why confidence is low and the analytic is categorised as enrichment rather than detection.
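To make the sequence semantics concrete, the following is an added example, not code from the EQL analytics library or from the original page. It re-implements the two-stage query over a handful of constructed events, using the field names the query itself uses (`unique_pid`, `subtype`, `process_name`, `file_name`) on a hypothetical `Event` record. The sample events are constructed for illustration and include a case that falls outside the one-minute window and an hdiutil `.dmg` case that the page's original pattern list would miss.

```python
import fnmatch
from dataclasses import dataclass

# Values taken from the analytic above.
ARCHIVERS = {"zip", "tar", "gzip", "hdiutil"}
ARCHIVE_PATTERNS = ("*.zip", "*.tar", "*.gzip", "*.gz")
MAXSPAN_SECONDS = 60  # "maxspan=1m"


@dataclass
class Event:
    """Hypothetical flattened event; field names mirror the EQL query (assumption)."""
    timestamp: float      # seconds
    event_type: str       # "process" or "file"
    unique_pid: int
    subtype: str = ""     # "create" marks process creation
    process_name: str = ""
    file_name: str = ""


def is_archiver_start(ev: Event) -> bool:
    """Stage 1: process where subtype.create and process_name in (...)."""
    return (ev.event_type == "process"
            and ev.subtype == "create"
            and ev.process_name in ARCHIVERS)


def is_archive_file(ev: Event, patterns=ARCHIVE_PATTERNS) -> bool:
    """Stage 2: file where wildcard(file_name, ...). EQL wildcard is
    case-insensitive, so the name is lower-cased before matching."""
    if ev.event_type != "file":
        return False
    name = ev.file_name.lower()
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def find_staging_sequences(events, maxspan=MAXSPAN_SECONDS, patterns=ARCHIVE_PATTERNS):
    """Simplified 'sequence by unique_pid with maxspan': for each pid keep the most
    recent stage-1 event and report the first stage-2 event that follows it within
    the window. Events are processed in timestamp order."""
    pending = {}   # unique_pid -> stage-1 event still waiting for stage 2
    matches = []   # (stage-1 event, stage-2 event) pairs
    for ev in sorted(events, key=lambda e: e.timestamp):
        if is_archiver_start(ev):
            pending[ev.unique_pid] = ev          # a new start resets the window
            continue
        first = pending.get(ev.unique_pid)
        if first is None:
            continue
        if ev.timestamp - first.timestamp > maxspan:
            del pending[ev.unique_pid]           # window expired, drop stage 1
            continue
        if is_archive_file(ev, patterns):
            matches.append((first, ev))
            del pending[ev.unique_pid]           # sequence completed for this pid
    return matches


def sample_events():
    """Constructed sample data; not real telemetry."""
    return [
        Event(0.0, "process", 100, subtype="create", process_name="tar"),
        Event(5.0, "file", 100, file_name="staging.tar"),        # matches
        Event(10.0, "process", 200, subtype="create", process_name="zip"),
        Event(100.0, "file", 200, file_name="loot.zip"),         # 90s later: outside maxspan
        Event(20.0, "file", 300, file_name="notes.txt"),         # no stage 1 for this pid
        Event(30.0, "process", 400, subtype="create", process_name="hdiutil"),
        Event(35.0, "file", 400, file_name="data.DMG"),          # only hit if "*.dmg" is in the patterns
    ]


if __name__ == "__main__":
    for first, second in find_staging_sequences(sample_events()):
        print(f"pid {first.unique_pid}: {first.process_name} -> {second.file_name}")
    extended = ARCHIVE_PATTERNS + ("*.dmg",)
    print(len(find_staging_sequences(sample_events(), patterns=extended)), "matches with *.dmg")
```

Running it with the page's original pattern list yields a single match (the `tar` process writing `staging.tar`); adding `*.dmg` to the patterns also surfaces the hdiutil case, which is the gap the analytic's hdiutil entry otherwise leaves open.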