kqlElastic-2.0from elastic/detection-rules
Sensitive Files Compression
Quality
92
FP risk
—
Forks
0
Views
0
Rule sourcerules/linux/credential_access_collection_sensitive_files.toml
event.category:process and host.os.type:linux and event.type:start and
event.action:("exec" or "exec_event" or "start" or "executed" or "process_started") and
process.name:(zip or tar or gzip or hdiutil or 7z) and
process.args:
(
/root/.ssh/id_rsa or
/root/.ssh/id_rsa.pub or
/root/.ssh/id_ed25519 or
/root/.ssh/id_ed25519.pub or
/root/.ssh/authorized_keys or
/root/.ssh/authorized_keys2 or
/root/.ssh/known_hosts or
/root/.bash_history or
/etc/hosts or
/home/*/.ssh/id_rsa or
/home/*/.ssh/id_rsa.pub or
/home/*/.ssh/id_ed25519 or
/home/*/.ssh/id_ed25519.pub or
/home/*/.ssh/authorized_keys or
/home/*/.ssh/authorized_keys2 or
/home/*/.ssh/known_hosts or
/home/*/.bash_history or
/root/.aws/credentials or
/root/.aws/config or
/home/*/.aws/credentials or
/home/*/.aws/config or
/root/.docker/config.json or
/home/*/.docker/config.json or
/etc/group or
/etc/passwd or
/etc/shadow or
/etc/gshadow
)