event.category:process and host.os.type:linux and event.type:start and
process.name:(zip or tar or gzip or hdiutil or 7z) and
process.args:
(
/root/.ssh/id_rsa or
/root/.ssh/id_rsa.pub or
/root/.ssh/id_ed25519 or
/root/.ssh/id_ed25519.pub or
/root/.ssh/authorized_keys or
/root/.ssh/authorized_keys2 or
/root/.ssh/known_hosts or
/root/.bash_history or
/etc/hosts or
/home/*/.ssh/id_rsa or
/home/*/.ssh/id_rsa.pub or
/home/*/.ssh/id_ed25519 or
/home/*/.ssh/id_ed25519.pub or
/home/*/.ssh/authorized_keys or
/home/*/.ssh/authorized_keys2 or
/home/*/.ssh/known_hosts or
/home/*/.bash_history or
/root/.aws/credentials or
/root/.aws/config or
/home/*/.aws/credentials or
/home/*/.aws/config or
/root/.docker/config.json or
/home/*/.docker/config.json or
/etc/group or
/etc/passwd or
/etc/shadow or
/etc/gshadow
)
Install detection rules in Elastic Security
Detect Sensitive Files Compression in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).