Detection Library
medium · experimental · Linux · AI/ML · T1005 · T1560.001

LLM Service Compressing Potentially Sensitive Data

Detects LLM service processes spawning archive utilities (tar, zip, gzip) targeting application or home directories. This behaviour suggests data staging prior to exfiltration of sensitive model data or credentials.

Updated Jan 15, 2025 · Detection Engineering Team

llm · collection · linux · archive · owasp-llm02

Problem Statement

Compressing directories containing credentials, model weights, or application data is a classic pre-exfiltration staging step. When this occurs from an LLM service process it indicates the model has been directed to collect and stage sensitive data.

Sample Logs

{"timestamp":"2025-01-15T18:02:15Z","computer_name":"llm-host-02","user":"llm_svc","image":"/bin/tar","command_line":"tar czf /tmp/out.tgz /home/opc/.oci /models/","parent_image":"/opt/llm/app/tool_runner.py"}

Required Fields

image
command_line
parent_image
user
computer_name

False Positives

  • Scheduled backup jobs running under the LLM service account
  • Model snapshot utilities that compress model weights for storage

Tuning Guidance

Correlate with subsequent outbound network connections from the same host to identify staged exfiltration. Exclude known backup service accounts.
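
The matching logic described above, applied to process-creation events, as an added example (not this library's own rule code). The LLM parent path prefix, the watched directory list and the backup_svc account are assumptions; the first sample event is the one from Sample Logs and the rest are constructed.

```python
import json
import os
import shlex

ARCHIVERS = {"tar", "zip", "gzip"}                  # utilities named in the rule description
LLM_PARENT_PREFIXES = ("/opt/llm/",)                # assumption: install path of the LLM service
WATCHED_PREFIXES = ("/home/", "/models/", "/opt/")  # assumption: home and application directories
BACKUP_ACCOUNTS = {"backup_svc"}                    # assumption: known backup service account

def archive_targets(command_line):
    """Return absolute path arguments that fall under a watched directory."""
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        argv = command_line.split()
    hits = []
    for arg in argv[1:]:
        if arg.startswith("-") and "=" in arg:  # e.g. --directory=/home/opc
            arg = arg.split("=", 1)[1]
        if not arg.startswith("/"):  # relative paths cannot be resolved: no cwd in the event
            continue
        norm = "/" + os.path.normpath(arg).lstrip("/") + "/"  # collapses "..", "//", trailing "/"
        if norm.startswith(WATCHED_PREFIXES):
            hits.append(arg)
    return hits

def evaluate(event):
    """Return an alert dict when the event matches the rule, otherwise None."""
    if os.path.basename(event.get("image", "")) not in ARCHIVERS:
        return None
    if not event.get("parent_image", "").startswith(LLM_PARENT_PREFIXES):
        return None
    if event.get("user") in BACKUP_ACCOUNTS:  # tuning: exclude known backup accounts
        return None
    targets = archive_targets(event.get("command_line", ""))
    if not targets:
        return None
    return {"computer_name": event["computer_name"], "user": event["user"], "targets": targets}

SAMPLE_EVENTS = [
    # first line is the page's sample log; the remaining lines are constructed
    '{"timestamp":"2025-01-15T18:02:15Z","computer_name":"llm-host-02","user":"llm_svc","image":"/bin/tar","command_line":"tar czf /tmp/out.tgz /home/opc/.oci /models/","parent_image":"/opt/llm/app/tool_runner.py"}',
    '{"computer_name":"llm-host-02","user":"llm_svc","image":"/usr/bin/gzip","command_line":"gzip /tmp/scratch/output.log","parent_image":"/opt/llm/app/tool_runner.py"}',
    '{"computer_name":"llm-host-02","user":"backup_svc","image":"/bin/tar","command_line":"tar czf /backup/models.tgz /models/","parent_image":"/opt/llm/app/snapshot.py"}',
    '{"computer_name":"llm-host-03","user":"opc","image":"/bin/tar","command_line":"tar czf /tmp/p.tgz /home/opc/project","parent_image":"/usr/bin/bash"}',
]

def run(lines=SAMPLE_EVENTS):
    return [alert for alert in map(evaluate, map(json.loads, lines)) if alert]
```

Calling run() returns a single alert, for the Sample Logs event. The account exclusion does not cover backup jobs that run as the LLM service account itself, so those still need a separate allowlist or the network correlation described above.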