This note documents detection patterns related to Suspicious Archive and Exfiltration Prep on Linux systems.

Direct Indicators

Source	Grep Pattern / Artifact	Meaning	Forensic Value	Notes
Shell history	`tar -czf`	Archive creation	Critical	Common pre-exfiltration packaging.
Shell history	`zip -r`	Recursive archive	Critical	Frequent attacker packaging method.
Shell history	`gzip`	Compression	High	Often paired with staging.
Shell history	`base64`	Encoding for transport	Critical	Common obfuscation / transport prep.
Shell history	`split -b`	Chunking large archive	Critical	Strong exfil preparation indicator.
Shell history	`scp archive`	Archive transfer	Critical	Direct exfil path.
Shell history	`curl -F`	Upload via HTTP	Critical	Strong exfiltration pattern.
Shell history	`wget --post-file`	Upload by POST	Critical	Less common but strong signal.
Shell history	`openssl enc`	Archive encryption	Critical	Concealed exfil prep.
Temp directories	new archive in `/tmp`	Staged package	Critical	Common attacker staging zone.
Hidden archive	`.tar.gz`, `.zip` in hidden dir	Concealed staging	High	Stealth preparation.
File timestamps	recent archive creation	Timeline anchor	Critical	Correlates with compromise phase.
`auditd`	archive tool execution	Process attribution	Critical	Best attribution if enabled.
Network logs	archive transferred outward	Critical	Confirms exfil path.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Archive after sensitive file access	Credential/data packaging	Critical	Strong theft sequence.
Archive in temp plus outbound socket	Exfil staging	Critical	Strong compromise signal.
Hidden encrypted archive	Delayed exfil	Critical	Operator stealth.
Split archive chunks	Large data handling	Critical	Mature operator behavior.
Archive named like backup	Camouflage	High	Common stealth pattern.
Archive created by service account	Suspicious context	Critical	Often exploitation context.
Archive removed quickly	Cleanup after transfer	High	Common exfil discipline.
Base64 after archive	Alternate transfer method	Critical	Strong encoded exfil pattern.
Archive plus scp to internal host	Lateral staging	High	May precede exfil elsewhere.
Root-owned archive in temp	High severity	Critical	Privileged data theft likely.

Common Tools

Tool	Usage
`tar`	Primary archive creation.
`zip`	Recursive packaging.
`gzip`	Compression.
`base64`	Encoding archive content.
`split`	Chunking archives.
`scp`	Archive transfer.
`curl -F`	HTTP upload.
`openssl enc`	Encryption before transfer.

Relevant Artifacts

Artifact	Path / Command	Forensic Value	Notes
Temp archives	`/tmp`, `/var/tmp`, `/dev/shm`	Critical	Primary staging zone.
Hidden archives	hidden dirs/files	High	Concealed packaging.
Sensitive source files	compare archive inputs	Critical	Data theft scope.
Shell history	`.bash_history`, `.zsh_history`	Critical	Packaging commands.
Audit logs	`/var/log/audit/audit.log`	Critical	Process attribution.
Network logs	scp/http transfer	Critical	Exfil confirmation.
File metadata	`stat`	Critical	Timeline truth.

MITRE ATT&CK References

T1560 Archive Collected Data
T1560.001 Archive via Utility
T1041 Exfiltration Over C2 Channel

Decision Tree

Was archive created?
- Identify tar, zip, gzip, split usage.
What was archived?
- Sensitive files, configs, keys, logs.
Where is archive located?
- Temp, hidden, home, root.
Was archive transferred?
- scp, curl, sockets, logs.
Was archive removed?
- Missing file but command history remains.
Pivot
- Archive → timestamps.
- Source files → theft scope.
- Destination → exfil endpoint.
Confirm exfil prep
- Archive + sensitive inputs + transfer signal = strong data staging finding.

Example Detection Templates

Grep

grep -R "tar -czf\|zip -r\|gzip\|base64\|split -b\|scp .*tar\|curl -F\|wget --post-file\|openssl enc" /home/*/.bash_history /root/.bash_history 2>/dev/null

find /tmp /var/tmp /dev/shm /home /root -name "*.tar*" -o -name "*.zip" 2>/dev/null

Journalctl

journalctl | grep -E "tar|zip|gzip|scp|curl"

File Inspection

find /tmp /var/tmp /dev/shm -type f -printf '%TY-%Tm-%Td %TT %p\n' 2>/dev/null | sort

file /tmp/* /var/tmp/* /dev/shm/* 2>/dev/null

Sigma

title: Linux Suspicious Archive and Exfiltration Prep
id: linux-archive-exfil-prep
status: experimental
description: Detects suspicious archive creation and packaging behavior preceding exfiltration
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - 'tar -czf'
      - 'zip -r'
      - 'base64'
      - 'curl -F'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Legitimate backup operations
level: high
tags:
  - attack.collection
  - attack.t1560

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Egress filtering	Restrict arbitrary outbound transfer	Critical	Reduces archive exfil paths.
File monitoring	Watch temp archive creation	Critical	Strong invariant detection.
Auditd	Track archive utilities	High	Strong attribution.
Sensitive file controls	Reduce readable sensitive scope	High	Shrinks theft surface.
Temp review	Inspect temp for archives	High	High-value forensic check.

Fast Triage Checks

Question	Command / Artifact	Why It Matters
Was archive created?	grep history	Immediate packaging check.
Which archive is newest?	sort timestamps	Timeline anchor.
What files entered archive?	inspect source commands	Theft scope.
Was archive transferred?	scp / curl / sockets	Exfil proof.
Is archive hidden?	inspect hidden dirs	Stealth clue.
Was archive deleted?	missing file + command trail	Cleanup clue.

High Value Grep Strings

Pattern	Why It Matters
`tar -czf`	Primary archive creation.
`zip -r`	Recursive packaging.
`gzip`	Compression.
`base64`	Encoded transport prep.
`split -b`	Chunking.
`curl -F`	HTTP upload.
`openssl enc`	Encryption before exfil.

Analyst Notes

Scenario	Interpretation
Shadow + tar + scp	Strong credential theft chain.
Hidden encrypted archive	Delayed stealth exfil likely.
Split chunks in temp	Large data staging.
Archive named backup	Camouflage likely.
Archive removed quickly	Transfer then cleanup.
Root archive in temp	High-severity data theft candidate.