MITRE ATT&CK® Analytic

AN1572: Analytic 1572

Processes such as curl, wget, rclone, or custom scripts executing uploads to cloud storage endpoints. Defender perspective: detect chained events where tar/gzip is executed to compress files followed by HTTPS PUT/POST requests to known storage services.

Enterprise · AN1572 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because it focuses on a common decision point in data-risk investigations: Linux systems compressing files and then uploading them to cloud storage over HTTPS. For leaders, the value is not just spotting curl, wget, rclone, or scripts; it is knowing whether the organization can distinguish approved operational transfers from suspicious bulk movement of archived data.

Executive priority

Prioritize this as a validation item for environments where Linux servers handle regulated, sensitive, or business-critical data. It supports questions executives and risk owners should ask: Do we monitor outbound cloud-storage uploads from Linux? Can we prove which transfers are approved? Can incident responders quickly identify what was compressed, where it went, and whether the destination was sanctioned? This can also support compliance evidence around data movement monitoring and egress governance.

Technical view

The supplied ATT&CK analytic is Linux-focused and describes chained behavior: tar or gzip execution to compress files followed by HTTPS PUT/POST requests to known cloud storage services by processes such as curl, wget, rclone, or custom scripts. SOC and detection teams should validate correlation between process execution, archive creation, command-line context, and outbound web activity. Because no ATT&CK tactic or relationship context is supplied, treat this as a behavior-level detection analytic rather than a complete attack scenario.

Likely telemetry

  • Linux process execution telemetry including process name, parent process, user, command line, working directory, and timestamps
  • File activity showing archive creation or modification associated with tar or gzip
  • Network telemetry showing outbound HTTPS connections, HTTP methods where available, destination domains/IPs, and timing
  • Proxy, secure web gateway, or firewall logs that can identify cloud storage endpoints and upload behavior
  • DNS logs for storage-service destinations

Detection direction

  • Correlate tar/gzip archive activity with near-term outbound HTTPS PUT/POST activity to known storage-service endpoints from the same Linux host and user context.
  • Tune for legitimate administrative, backup, CI/CD, data engineering, and software distribution workflows that may compress and upload files routinely.
  • Pay attention to custom scripts, unusual parent-child process chains, new destinations, atypical transfer timing, or users/hosts that do not normally perform cloud uploads.
  • Validate whether available telemetry exposes HTTP methods; if TLS inspection or proxy metadata is unavailable, detection may need to rely on process, DNS, destination reputation, and volume/timing indicators.
  • Confirm that detection logic is scoped to Linux as supplied by the ATT&CK object and does not assume coverage on other platforms.
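The correlation described in the Technical view and Detection direction above, worked through as an added example: this is not MITRE's or Glexia's detection content, and the storage-service host list, the ten-minute window, the 5 MB volume fallback, the (host, destination) allowlist and the event field names (host, user, pid, ppid, image, cmdline, dest, method, bytes_out) are all assumptions rather than a vendor schema. The process and proxy events it runs over are constructed. It links tar/gzip archive creation to a later HTTPS PUT/POST to a storage endpoint from the same host and user, describes the parent-to-child chain of the uploading process, suppresses an allowlisted backup job, ignores extraction, and falls back to outbound volume when the proxy exposes no HTTP method.

```python
"""AN1572-style correlation: Linux archive creation followed by an HTTPS upload
to a cloud-storage endpoint from the same host and user.

Added example for this page, not MITRE or Glexia detection content. All events
are constructed; field names and thresholds are assumptions, not a vendor schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import shlex

# Assumed storage-service host suffixes; replace with the sanctioned and
# known-unsanctioned services relevant to your environment.
STORAGE_HOSTS = ("s3.amazonaws.com", "storage.googleapis.com",
                 "blob.core.windows.net", "content.dropboxapi.com")
UPLOADERS = {"curl", "wget", "rclone"}          # tools named by the analytic
WINDOW = timedelta(minutes=10)                  # archive -> upload window (assumed)
BYTES_OUT_FALLBACK = 5 * 1024 * 1024            # used only when no HTTP method is logged

@dataclass
class ProcEvent:
    ts: datetime; host: str; user: str; pid: int; ppid: int; image: str; cmdline: str

@dataclass
class NetEvent:
    ts: datetime; host: str; user: str; pid: int; dest: str
    method: Optional[str]   # None when TLS inspection / proxy metadata is unavailable
    bytes_out: int

def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]

def archive_created(ev: ProcEvent) -> Optional[str]:
    """Return the archive path when the command creates one, else None."""
    argv = shlex.split(ev.cmdline)
    if not argv:
        return None
    tool = basename(argv[0])
    if tool == "tar":
        opts = argv[1] if len(argv) > 1 else ""
        short = "" if opts.startswith("--") else opts.lstrip("-")   # "-czf"/"czf" -> "czf"
        if "c" not in short and "--create" not in argv:
            return None                                  # extract or list, not create
        for i, arg in enumerate(argv):
            if arg.startswith("--file="):
                return arg.split("=", 1)[1]
            if arg in ("-f", "--file") and i + 1 < len(argv):
                return argv[i + 1]
        return argv[2] if "f" in short and len(argv) > 2 else None   # -czf OUT ...
    if tool == "gzip":
        for arg in argv[1:]:
            if arg in ("--decompress", "--stdout", "--test") or \
               (arg.startswith("-") and not arg.startswith("--") and set(arg[1:]) & set("dct")):
                return None                              # does not write FILE.gz
        files = [a for a in argv[1:] if not a.startswith("-")]
        return files[0] + ".gz" if files else None
    return None

def is_storage_dest(dest: str) -> bool:
    d = dest.lower().rstrip(".")
    return any(d == h or d.endswith("." + h) for h in STORAGE_HOSTS)

def upload_observed(ev: NetEvent) -> bool:
    """PUT/POST to a storage service; fall back to volume when the method is unknown."""
    if not is_storage_dest(ev.dest):
        return False
    if ev.method is not None:
        return ev.method.upper() in {"PUT", "POST"}
    return ev.bytes_out >= BYTES_OUT_FALLBACK

def process_chain(procs, net: NetEvent) -> str:
    """Describe parent -> child for the uploading process, e.g. 'bash -> curl'."""
    by_pid = {(p.host, p.pid): p for p in procs}
    proc = by_pid.get((net.host, net.pid))
    if proc is None:
        return "unknown"
    parent = by_pid.get((net.host, proc.ppid))
    return f"{basename(parent.image)} -> {basename(proc.image)}" if parent else basename(proc.image)

def correlate(procs, nets, approved):
    """Alerts for archive creation followed within WINDOW by an upload from the same
    host and user to a destination not on the (host, dest) allowlist."""
    alerts = []
    for p in procs:
        archive = archive_created(p)
        if archive is None:
            continue
        for n in nets:
            if (n.host, n.user) != (p.host, p.user) or not (p.ts <= n.ts <= p.ts + WINDOW):
                continue
            if not upload_observed(n) or (n.host, n.dest) in approved:
                continue
            chain = process_chain(procs, n)
            alerts.append({"host": n.host, "user": n.user, "archive": archive,
                           "dest": n.dest, "method": n.method, "chain": chain,
                           "known_upload_tool": chain.split(" -> ")[-1] in UPLOADERS,
                           "seconds_after_archive": int((n.ts - p.ts).total_seconds())})
    return alerts

T = datetime(2026, 1, 15, 14, 0, 0)   # constructed timestamps
SAMPLE_PROCS = [   # constructed process telemetry
    ProcEvent(T, "lnx-app01", "svc-backup", 4101, 4100, "/usr/bin/tar",
              "tar -czf /backup/db-2026-01-15.tgz /var/lib/db"),           # approved backup job
    ProcEvent(T + timedelta(minutes=2), "lnx-app01", "svc-backup", 4102, 4100, "/usr/bin/curl",
              "curl -T /backup/db-2026-01-15.tgz https://backups-corp.s3.amazonaws.com/db/"),
    ProcEvent(T + timedelta(minutes=1), "lnx-app02", "deploy", 300, 299, "/bin/bash", "bash ./sync.sh"),
    ProcEvent(T + timedelta(minutes=1, seconds=5), "lnx-app02", "deploy", 301, 300, "/usr/bin/tar",
              "tar czf /tmp/reports.tgz /srv/reports"),                    # script-driven archive
    ProcEvent(T + timedelta(minutes=2, seconds=20), "lnx-app02", "deploy", 302, 300, "/usr/bin/curl",
              "curl -X POST -F file=@/tmp/reports.tgz https://content.dropboxapi.com/2/files/upload"),
    ProcEvent(T + timedelta(minutes=5), "lnx-app02", "deploy", 305, 299, "/usr/bin/tar",
              "tar -xzf /tmp/release.tgz -C /opt/app"),                    # extraction: not an archive event
    ProcEvent(T + timedelta(minutes=20), "lnx-app03", "root", 900, 1, "/usr/bin/gzip",
              "gzip -9 /var/log/syslog.1"),
    ProcEvent(T + timedelta(minutes=22), "lnx-app03", "root", 901, 1, "/usr/bin/wget",
              "wget --method=PUT --body-file=/var/log/syslog.1.gz https://evidence.blob.core.windows.net/x"),
]
SAMPLE_NETS = [   # constructed proxy/network telemetry
    NetEvent(T + timedelta(minutes=2), "lnx-app01", "svc-backup", 4102, "backups-corp.s3.amazonaws.com", "PUT", 2_400_000_000),
    NetEvent(T + timedelta(minutes=2, seconds=21), "lnx-app02", "deploy", 302, "content.dropboxapi.com", "POST", 48_000_000),
    NetEvent(T + timedelta(minutes=22, seconds=1), "lnx-app03", "root", 901, "evidence.blob.core.windows.net", None, 12_000_000),
    NetEvent(T + timedelta(hours=2), "lnx-app02", "deploy", 310, "storage.googleapis.com", "GET", 1_200),  # outside window
]
APPROVED = {("lnx-app01", "backups-corp.s3.amazonaws.com")}   # documented host/destination pairs

def run_sample():
    return correlate(SAMPLE_PROCS, SAMPLE_NETS, APPROVED)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two alerts come out of the sample: the script-driven tar followed 76 seconds later by a POST to the Dropbox API (chain `bash -> curl`), and the gzip on lnx-app03 followed by a 12 MB transfer to a blob endpoint that the proxy logged without a method, caught by the volume fallback. The backup on lnx-app01 is suppressed only because its host and destination pair is on the allowlist, which is the documentation step the Mitigation priorities ask for; without that record the same job would alert every night.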

Mitigation priorities

  • Define and document approved cloud storage destinations and expected Linux hosts/users that may upload data.
  • Use egress governance such as proxy routing, destination allowlisting, and monitoring for unsanctioned storage services where operationally appropriate.
  • Limit unnecessary availability of upload tooling and credentials on Linux systems that do not require it.
  • Ensure incident response procedures can quickly collect process history, archive paths, user context, and network destination evidence.
  • Review backup and automation workflows so legitimate compression-and-upload jobs are identifiable and do not create persistent false positives.

Analyst notes and limits

This is a detection analytic object, not a full ATT&CK technique description. The strongest defensive use is coverage validation: can the SOC connect file compression on Linux to cloud-storage upload behavior in time to support triage and response? Local baselining is essential because many legitimate workflows use tar, gzip, curl, wget, rclone, and scripts.

Official detection content is not provided, tactics are not specified, and no relationship context is supplied. The object supports only Linux-specific conclusions and does not identify threat actors, campaigns, impact, or active exploitation. Detection quality depends heavily on local endpoint, proxy, DNS, and network logging depth.

Official MITRE ATT&CK definition

Analytic 1572

Processes such as curl, wget, rclone, or custom scripts executing uploads to cloud storage endpoints. Defender perspective: detect chained events where tar/gzip is executed to compress files followed by HTTPS PUT/POST requests to known storage services.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 51708f68932c7270...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 51708f68932c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1572 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.