Linux Archive Command Followed By Upload Egress
Query
// Update DeviceName and time window as required
let Device = "DeviceNameHere";
let ArchiveProc =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where DeviceName =~ Device
| where FileName in ("tar","zip","gzip")
| where ProcessCommandLine has_any (".zip", ".tgz", ".tar", "tar -c", "tar -cz", "zip ")
| project
DeviceId,
DeviceName,
ArchiveTime = Timestamp,
ArchiveProc = FileName,
ArchiveCmd = ProcessCommandLine,
AccountName;
let UploadEgress =
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where DeviceName =~ Device
| where RemoteIP !startswith "127."
| where RemoteIPType == "Public" or isempty(RemoteIPType)
| where InitiatingProcessFileName in ("curl","wget","python","python3","openssl","scp","sftp")
| project
DeviceId,
NetTime = Timestamp,
NetProc = InitiatingProcessFileName,
NetCmd = InitiatingProcessCommandLine,
RemoteIP,
RemotePort;
ArchiveProc
| join kind=inner (UploadEgress) on DeviceId
| where NetTime between (ArchiveTime .. ArchiveTime + 30m)
| project
ArchiveTime,
NetTime,
DeviceName,
AccountName,
ArchiveProc,
ArchiveCmd,
NetProc,
NetCmd,
RemoteIP,
RemotePort
| order by ArchiveTime descAbout this query
Explanation
This query is designed to detect suspicious activity on Linux systems by identifying instances where files are archived and then uploaded to an external location within a short time frame. Here's a simplified breakdown:
-
Purpose: The query aims to find cases where a file is archived (compressed) and then quickly uploaded to an external server, which might indicate data exfiltration or unauthorized data transfer.
-
How it Works:
- It looks at process events to find when archive commands (
tar,zip,gzip) are executed on a specified device within the last 24 hours. - It also examines network events to identify outbound connections made by processes like
curl,wget,scp, etc., which are common for uploading files. - The query then correlates these two activities (archiving and uploading) if they occur on the same device and within 30 minutes of each other.
- It looks at process events to find when archive commands (
-
What it Surfaces:
- Instances where files are archived and then uploaded, potentially indicating data exfiltration.
- Use of common Linux tools for uploading files, which might be used by attackers or during security tests.
- Manual or automated workflows that involve creating an archive and then transferring it out of the system.
-
Why It's Effective:
- It doesn't rely on file system events, which might not be available or reliable on all systems.
- It doesn't assume that the same process performs both archiving and uploading, which is a common tactic to evade detection.
- By focusing on process execution and network activity, it captures a broader range of suspicious behaviors that simpler methods might miss.
Details

Nathan Hutchinson
Released: February 2, 2026
Tables
DeviceProcessEventsDeviceNetworkEvents
Keywords
LinuxDevicesNetworkProcessArchiveUploadEgress
Operators
letwhereinhas_anyprojectjoinkind=innerbetweenorder bydescago=~!startswithisempty