Detects adversarial archiving of files prior to exfiltration by correlating execution of compression/encryption utilities (e.g., makecab.exe, rar.exe, 7z.exe, powershell Compress-Archive) with subsequent creation of large compressed or encrypted files. Identifies abnormal process lineage involving crypt32.dll usage, command-line arguments invoking compression switches, and file write operations to temporary or staging directories.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| ArchiveExtensions | List of file extensions treated as suspicious when created outside of expected paths. |
| ProcessAllowlist | Known business processes permitted to use compression/encryption utilities. |
| FileSizeThresholdMB | Minimum file size for flagging archive creation to reduce noise from benign small compressions. |

Detects adversarial archiving activity through invocation of utilities like tar, gzip, bzip2, or openssl used in non-administrative or unusual contexts. Correlates command execution patterns with file creation of compressed/encrypted outputs in staging directories (e.g., /tmp, /var/tmp).

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | execve: Execution of tar, gzip, bzip2, or openssl with output redirection |
| File Creation (DC0039) | auditd:FILE | create: Creation of files ending in .tar, .gz, .bz2, .zip in /tmp or /var/tmp |

| Field | Description |
|---|---|
| ArchiveCommands | List of archiving/encryption utilities considered sensitive in the monitored environment. |
| SuspiciousDirectories | Paths where archive creation is suspicious (e.g., /tmp, user home directories). |
| TimeWindow | Temporal window to correlate command execution with file creation events. |
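
The Windows and Linux analytics above both reduce to the same correlation: a process-creation event for an archiving utility whose command line asks it to create (not extract) an archive, followed within a time window by a large archive-extension file written by the same process into a staging directory, with allowlisted business processes suppressed. The block below is an added example of that logic, not part of the detection strategy; the event field names (host, ts, pid, image, parent_image, cmdline, path, size_mb) are an assumed normalisation of the Security/Sysmon and auditd records, and every sample event, path and allowlist entry is constructed.

```python
"""Correlate archive-utility execution with later archive file creation.

Added example for the Windows and Linux analytics; the event fields are an
assumed normalisation of Sysmon/Security and auditd records, and every
sample event below is constructed.
"""
from datetime import datetime, timedelta

ARCHIVE_UTILITIES = {"makecab.exe", "rar.exe", "7z.exe", "powershell.exe",
                     "tar", "gzip", "bzip2", "openssl"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".cab", ".tar", ".gz", ".bz2", ".enc"}
SUSPICIOUS_DIRECTORIES = ("c:/windows/temp", "c:/users/public", "/tmp", "/var/tmp")
PROCESS_ALLOWLIST = {"backupagent.exe"}      # constructed: parents allowed to archive
FILE_SIZE_THRESHOLD_MB = 50
TIME_WINDOW = timedelta(minutes=5)

# Command-line tokens that mean "create an archive". "*" means any invocation counts
# (makecab only builds cabinets; gzip and bzip2 compress unless told otherwise).
COMPRESSION_INDICATORS = {
    "7z.exe": {"a"}, "rar.exe": {"a"}, "makecab.exe": {"*"},
    "powershell.exe": {"compress-archive"},
    "tar": {"-c", "--create"}, "gzip": {"*"}, "bzip2": {"*"}, "openssl": {"enc"},
}


def _norm(path: str) -> str:
    return path.lower().replace("\\", "/")


def _basename(path: str) -> str:
    return _norm(path).rsplit("/", 1)[-1]


def _in_suspicious_directory(path: str) -> bool:
    return any(_norm(path).startswith(d + "/") for d in SUSPICIOUS_DIRECTORIES)


def _has_compression_switch(utility: str, cmdline: str) -> bool:
    indicators = COMPRESSION_INDICATORS.get(utility, set())
    if "*" in indicators:
        return True
    for raw in cmdline.split():
        tok = raw.strip("\"'")
        # Flags stay case-sensitive (tar -C is not -c); plain words do not.
        if (tok if tok.startswith("-") else tok.lower()) in indicators:
            return True
        # Folded short flags such as -czf still carry the -c indicator.
        if tok.startswith("-") and not tok.startswith("--"):
            if any(len(i) == 2 and i[0] == "-" and i[1] in tok[1:] for i in indicators):
                return True
    return False


def correlate(process_events: list, file_events: list) -> list:
    """Pair each qualifying archive-utility start with archive files it wrote soon after."""
    alerts = []
    for proc in process_events:
        utility = _basename(proc["image"])
        if utility not in ARCHIVE_UTILITIES:
            continue
        if _basename(proc["parent_image"]) in PROCESS_ALLOWLIST:
            continue                                  # sanctioned business process
        if not _has_compression_switch(utility, proc["cmdline"]):
            continue                                  # e.g. extraction, not archiving
        for f in file_events:
            if (f["host"], f["pid"]) != (proc["host"], proc["pid"]):
                continue                              # a pid is only meaningful per host
            lag = f["ts"] - proc["ts"]
            if not timedelta(0) <= lag <= TIME_WINDOW:
                continue
            if not any(_norm(f["path"]).endswith(e) for e in ARCHIVE_EXTENSIONS):
                continue
            if not _in_suspicious_directory(f["path"]) or f["size_mb"] < FILE_SIZE_THRESHOLD_MB:
                continue
            alerts.append({"host": proc["host"], "pid": proc["pid"], "utility": utility,
                           "path": f["path"], "size_mb": f["size_mb"],
                           "lag_s": int(lag.total_seconds())})
    return alerts


T0 = datetime(2024, 1, 15, 10, 0, 0)                 # constructed timestamps
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "ts": T0, "pid": 4120, "image": r"C:\Tools\7z.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"7z.exe a -p -mhe=on C:\Windows\Temp\out.7z C:\Users\alice\Documents"},
    {"host": "srv02", "ts": T0 + timedelta(minutes=3), "pid": 2231, "image": "/bin/tar",
     "parent_image": "/bin/bash", "cmdline": "tar -czf /tmp/collect.tar.gz /home/bob/Documents"},
    {"host": "ws01", "ts": T0 + timedelta(minutes=10), "pid": 5000, "image": r"C:\Tools\7z.exe",
     "parent_image": r"C:\Program Files\BackupAgent\backupagent.exe",
     "cmdline": r"7z.exe a C:\Windows\Temp\nightly.7z D:\Shares"},
    {"host": "ws01", "ts": T0 + timedelta(minutes=12), "pid": 6100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -c "Compress-Archive -Path C:\\Users\\Public\\notes '
                '-DestinationPath C:\\Users\\Public\\notes.zip"'},
]
SAMPLE_FILE_EVENTS = [
    {"host": "ws01", "ts": T0 + timedelta(seconds=14), "pid": 4120,
     "path": r"C:\Windows\Temp\out.7z", "size_mb": 812.0},
    {"host": "srv02", "ts": T0 + timedelta(minutes=3, seconds=41), "pid": 2231,
     "path": "/tmp/collect.tar.gz", "size_mb": 306.5},
    {"host": "ws01", "ts": T0 + timedelta(minutes=10, seconds=50), "pid": 5000,
     "path": r"C:\Windows\Temp\nightly.7z", "size_mb": 940.0},     # allowlisted parent
    {"host": "ws01", "ts": T0 + timedelta(minutes=12, seconds=3), "pid": 6100,
     "path": r"C:\Users\Public\notes.zip", "size_mb": 1.2},        # below size threshold
    {"host": "ws01", "ts": T0 + timedelta(minutes=40), "pid": 4120,
     "path": r"C:\Windows\Temp\out2.7z", "size_mb": 500.0},        # outside time window
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print(alert)
```

Run stand-alone it reports two of the five file creations: the password-protected 7z archive written to C:\Windows\Temp and the tarball written to /tmp. The backup agent's archive is suppressed by the ProcessAllowlist, the small Compress-Archive output falls under FileSizeThresholdMB, and the later .7z falls outside TimeWindow. Matching on the process's own pid assumes the utility writes the archive itself; tuning the window, the size floor and the directory list against a week of benign traffic is what keeps this analytic quiet.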

Detects use of macOS-native archiving or encryption tools (zip, ditto, hdiutil) for staging collected data. Identifies unexpected invocation of archive utilities by Office apps, browsers, or background daemons. Correlates file creation of .zip/.dmg containers with process lineage anomalies.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Execution of zip, ditto, hdiutil, or openssl by non-terminal parent processes |
| File Creation (DC0039) | macos:unifiedlog | Creation of .zip or .dmg files in user-accessible or temporary directories |

| Field | Description |
|---|---|
| AllowedArchiveUtilities | Business-approved applications (e.g., Time Machine, backup agents) that generate archives. |
| UserContext | Threshold for flagging archive creation under privileged or service accounts. |
| PayloadEntropyThreshold | Entropy threshold for detecting encrypted archives versus standard compressed files. |
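
The macOS analytic adds two checks the other platforms do not spell out: whether the archive utility was launched by a non-terminal parent (an Office app, a browser, launchd) or under a privileged or service account, and whether the resulting container is encrypted rather than merely compressed. The block below is an added example of those checks, not part of the detection strategy. It identifies the container from its header before falling back to the PayloadEntropyThreshold, because compressed and encrypted data both approach 8 bits per byte and entropy alone cannot separate them; the event fields (image, parent_image, user, uid, path), the terminal and allowlist sets and all sample data are constructed, and the "encrypted zip" sample is produced by setting the local-header encryption flag on a plain zip rather than by real encryption.

```python
"""Classify archive output and check process lineage for the macOS analytic.

Added example, not part of the detection strategy. Event fields and all
sample data are constructed; the encrypted-zip sample only has its
local-header encryption flag set, it is not really encrypted.
"""
import hashlib
import io
import math
import struct
import zipfile
from collections import Counter

PAYLOAD_ENTROPY_THRESHOLD = 7.5     # bits per byte; random or encrypted data sits near 8
TERMINAL_PARENTS = {"Terminal", "iTerm2", "zsh", "bash", "sh", "login"}
ALLOWED_ARCHIVE_UTILITIES = {"backupd", "acme-backup-agent"}     # constructed allowlist
ENCRYPTED_KINDS = {"zip-encrypted", "dmg-encrypted", "openssl-enc", "opaque-high-entropy"}


def shannon_entropy(blob: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def classify_archive(blob: bytes) -> str:
    """Identify the container from its header; use entropy only for headerless data."""
    if blob[:4] == b"PK\x03\x04":
        # Local file header: signature, version needed, general purpose bit flags.
        _, _, flags = struct.unpack_from("<IHH", blob, 0)
        return "zip-encrypted" if flags & 0x1 else "zip"   # bit 0 = entry is encrypted
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if blob[:8] == b"Salted__":
        return "openssl-enc"            # openssl enc with a password writes this prefix
    if blob[:8] == b"encrcdsa":
        return "dmg-encrypted"          # Apple encrypted disk image (v2) magic
    if len(blob) >= 512 and blob[-512:-508] == b"koly":
        return "dmg"                    # UDIF images end with a 512-byte 'koly' trailer
    if shannon_entropy(blob) >= PAYLOAD_ENTROPY_THRESHOLD:
        return "opaque-high-entropy"    # no known header but near-random bytes
    return "other"


def assess(event: dict, blob: bytes) -> dict:
    """Apply the lineage, user-context and payload checks to one archive creation."""
    parent = event["parent_image"].rsplit("/", 1)[-1]
    kind = classify_archive(blob)
    findings = []
    if parent not in TERMINAL_PARENTS and parent not in ALLOWED_ARCHIVE_UTILITIES:
        findings.append(f"spawned by non-terminal parent {parent}")
    # macOS service accounts are conventionally underscore-prefixed; uid 0 is root.
    if event["uid"] == 0 or event["user"].startswith("_"):
        findings.append(f"ran as privileged or service account {event['user']}")
    if kind in ENCRYPTED_KINDS:
        findings.append(f"output classified as {kind}")
    return {"path": event["path"], "kind": kind, "findings": findings}


def _make_zip(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def _flag_zip_encrypted(blob: bytes) -> bytes:
    """Constructed stand-in for an encrypted zip: set bit 0 of the local-header flags."""
    b = bytearray(blob)
    b[6] |= 0x01
    return bytes(b)


SAMPLE_PLAIN_ZIP = _make_zip("report.txt", b"quarterly figures " * 200)
SAMPLE_OPAQUE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_OPENSSL = b"Salted__" + SAMPLE_OPAQUE[:520]     # 8-byte salt, then ciphertext-like bytes
SAMPLE_DMG = b"\x00" * 1024 + b"koly" + b"\x00" * 508  # only the trailer signature matters here

SAMPLE_EVENTS = [
    ({"image": "/usr/bin/ditto", "user": "alice", "uid": 501, "path": "/private/tmp/docs.zip",
      "parent_image": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word"}, SAMPLE_PLAIN_ZIP),
    ({"image": "/usr/bin/openssl", "user": "alice", "uid": 501, "path": "/Users/alice/out.enc",
      "parent_image": "/bin/zsh"}, SAMPLE_OPENSSL),
    ({"image": "/usr/bin/hdiutil", "user": "alice", "uid": 501, "path": "/Users/alice/Desktop/backup.dmg",
      "parent_image": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}, SAMPLE_DMG),
    ({"image": "/usr/bin/zip", "user": "_www", "uid": 70, "path": "/private/tmp/.cache.zip",
      "parent_image": "/sbin/launchd"}, _flag_zip_encrypted(SAMPLE_PLAIN_ZIP)),
]


def assess_all() -> list:
    return [assess(ev, blob) for ev, blob in SAMPLE_EVENTS]


if __name__ == "__main__":
    for result in assess_all():
        print(result["path"], result["kind"], result["findings"])
```

The four constructed events exercise each mutable element: ditto launched from Word trips the lineage check alone, openssl from a shell trips only the payload check, hdiutil from Terminal writing a plain image produces no findings, and zip launched by launchd as the _www service account writing an encryption-flagged archive trips all three. Reading the zip flag from the local header means the check works on the first 8 bytes of the file; a production version would also walk the central directory, since the two can disagree on a crafted file.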