Detects suspicious custom compression/encryption routines through anomalous script or binary execution that produces high-entropy files without standard archiving utilities. Correlates script execution, memory API usage (bitwise ops, CryptoAPI calls), and creation of archive-like files with uncommon headers.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

| Field | Description |
|---|---|
| EntropyThreshold | Minimum entropy level that flags suspicious custom archives. |
| AllowedProcesses | Known business processes performing encryption or compression. |
| TimeWindow | Correlation timeframe between script execution and file creation. |
Detects custom archive routines by correlating script execution (Python, Perl, Bash) with creation of high-entropy files in temporary or user directories. Flags processes performing unusual bitwise operations or writing files without standard compression headers.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | execve: Execution of interpreters creating archive-like outputs without calling tar/gzip |
| File Creation (DC0039) | auditd:FILE | create: Creation of files with anomalous headers and entropy levels in /tmp or user directories |
| Process Modification (DC0020) | linux:osquery | Detection of bitwise operations or custom encryption functions in memory traces |

| Field | Description |
|---|---|
| ArchivePaths | Directories monitored for anomalous archive creation (e.g., /tmp, /home). |
| EntropyThreshold | Entropy score to flag files lacking recognizable compression headers. |
| ScriptAllowlist | Scripts/processes known to use custom compression methods. |
Detects custom archiving by monitoring execution of Swift/Objective-C apps or scripts producing high-entropy files with non-standard headers. Correlates unified logs of abnormal NSFileHandle/NSData operations, memory use of XOR/bitwise operations, and file creation events.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Suspicious Swift/Objective-C or scripting processes writing archive-like outputs |
| File Creation (DC0039) | macos:unifiedlog | Creation of files with anomalous headers and entropy values |
| Process Modification (DC0020) | macos:unifiedlog | Abnormal memory operations (XOR/bitwise loops) during archive generation |

| Field | Description |
|---|---|
| UserContext | Flag if archiving occurs under privileged/system accounts. |
| EntropyThreshold | Entropy score cutoff for identifying custom compressed or encrypted files. |
| AllowedApps | Applications legitimately using custom archiving for business purposes. |
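The three analytics above (Windows, Linux, macOS) share the same core logic: join a process-start event to a file-creation event from the same PID inside a time window, measure the entropy of the written file, check whether it opens with the magic bytes of a standard archive format, and suppress allowlisted processes. The block below is an added example of that correlation written in Python; it is not part of the original page or of any vendor's detection content. The event classes, the `Config` fields (named after the tunable fields in the tables), the magic-byte list, and all sample events and file contents are constructed for the example. It assumes the sensor supplies the leading bytes of each created file; the memory-trace signals (Process Access / Process Modification) are not modelled.

```python
"""Entropy/header correlation for custom archiving (constructed example)."""
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Magic bytes of common archive/compression formats. A high-entropy file that
# starts with none of these has no "recognizable compression header".
KNOWN_ARCHIVE_HEADERS = {
    "zip": b"PK\x03\x04",
    "gzip": b"\x1f\x8b",
    "bzip2": b"BZh",
    "xz": b"\xfd7zXZ\x00",
    "7z": b"7z\xbc\xaf\x27\x1c",
    "rar": b"Rar!\x1a\x07",
    "zstd": b"\x28\xb5\x2f\xfd",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, 8.0 for uniform bytes.
    Compressed or encrypted output sits near the top of that range."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_header(data: bytes) -> Optional[str]:
    """Return the archive format whose magic bytes open the file, or None."""
    for name, magic in KNOWN_ARCHIVE_HEADERS.items():
        if data.startswith(magic):
            return name
    return None


def _basename(image: str) -> str:
    """Executable name only, tolerant of both path separators."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


@dataclass
class ProcessEvent:          # 4688 / execve / unifiedlog process start
    ts: datetime
    pid: int
    image: str
    user: str


@dataclass
class FileEvent:             # Sysmon 11 / auditd create / unifiedlog file write
    ts: datetime
    pid: int
    path: str
    content: bytes           # assumed: sensor hands us the file's leading bytes


@dataclass
class Config:                # mirrors the tunable fields of the analytics
    entropy_threshold: float = 7.0
    time_window: timedelta = timedelta(minutes=5)
    archive_paths: tuple = ("/tmp", "/home", r"c:\users")
    allowed_processes: frozenset = frozenset({"backupagent.exe", "restic"})
    privileged_users: frozenset = frozenset({"root", "nt authority\\system"})


def detect_custom_archiving(procs, files, cfg=Config()):
    """Return one alert dict per high-entropy, header-less file written by a
    non-allowlisted process that started within the correlation window."""
    by_pid = {}
    for p in procs:
        by_pid.setdefault(p.pid, []).append(p)
    alerts = []
    for f in files:
        if not any(f.path.lower().startswith(d) for d in cfg.archive_paths):
            continue                      # outside the monitored directories
        entropy, header = shannon_entropy(f.content), identify_header(f.content)
        if entropy < cfg.entropy_threshold or header is not None:
            continue                      # plain data, or a standard archive
        proc = next((p for p in by_pid.get(f.pid, [])
                     if p.ts <= f.ts <= p.ts + cfg.time_window), None)
        if proc is None or _basename(proc.image) in cfg.allowed_processes:
            continue                      # no correlated start, or allowlisted
        alerts.append({
            "path": f.path, "image": proc.image, "user": proc.user,
            "entropy": round(entropy, 2),
            "privileged": proc.user.lower() in cfg.privileged_users,
        })
    return alerts


# Constructed sample telemetry. RANDOMISH has entropy exactly 8.0 and no magic.
T0 = datetime(2024, 1, 1, 12, 0, 0)
RANDOMISH = bytes(range(256)) * 16
SAMPLE_PROCS = [
    ProcessEvent(T0, 4242, "/usr/bin/python3", "root"),
    ProcessEvent(T0, 5151, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "corp\\alice"),
    ProcessEvent(T0, 6161, r"C:\Program Files\Backup\BackupAgent.exe", "nt authority\\system"),
]
SAMPLE_FILES = [
    FileEvent(T0 + timedelta(seconds=30), 4242, "/tmp/.cache.bin", RANDOMISH),
    FileEvent(T0 + timedelta(seconds=40), 4242, "/tmp/report.gz", b"\x1f\x8b" + RANDOMISH),
    FileEvent(T0 + timedelta(seconds=50), 4242, "/tmp/notes.txt", b"hello world\n" * 100),
    FileEvent(T0 + timedelta(seconds=60), 5151, r"C:\Users\alice\AppData\Local\Temp\x.dat", RANDOMISH),
    FileEvent(T0 + timedelta(seconds=70), 6161, r"C:\Users\Public\bk.dat", RANDOMISH),
    FileEvent(T0 + timedelta(minutes=10), 5151, r"C:\Users\alice\late.dat", RANDOMISH),
]

if __name__ == "__main__":
    for alert in detect_custom_archiving(SAMPLE_PROCS, SAMPLE_FILES):
        print(alert)
```

Of the six constructed writes only two alert: the root-owned `python3` write to `/tmp` (flagged privileged, matching the `UserContext` field) and the PowerShell write under the user profile. The gzip file is excluded by its header, the text file by entropy, the backup agent by the allowlist, and the late write because it falls outside `TimeWindow`. In production the entropy threshold needs tuning per environment: legitimately encrypted artefacts (browser profile databases, signed updates) also score near 8.0, so the allowlist and path scoping carry as much weight as the entropy cutoff.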