ZIP File Spawning JavaScript
RedCanary observed high volumes of obfuscation this year in apparent phishing schemes where adversaries conceal JavaScript payloads in ZIP files and write them to the Users and Temp directories. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule
```yaml
title: ZIP File Spawning JavaScript
id: b99b32f3-aa61-495d-a6a1-2595e1551ba8
status: experimental
description: |
    RedCanary detected high volumes of obfuscation this year looking for apparent phishing
    schemes where adversaries conceal JavaScript payloads in ZIP files and write them
    to the users and temp directories. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/obfuscated-files-information/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\wscript.exe'
        CommandLine|contains|all:
            - 'users'
            - 'temp'
            - '.zip'
            - '.js'
    condition: selection
falsepositives:
    - Unknown
level: low
```
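To see what the selection above actually matches, here is an added example (not part of the rule page, Red Canary's tooling or any Sigma backend) that evaluates the rule's `selection` against a few constructed events. It implements only the two modifiers the rule uses, `|endswith` and `|contains|all`, with Sigma's default case-insensitive string matching. Because the selection keys are `Image` and `CommandLine`, the example feeds it process-creation-style records; the three sample events, their paths and user names are constructed for illustration.

```python
"""Evaluate the 'ZIP File Spawning JavaScript' Sigma selection over sample events.

Added example, not part of the rule page or Red Canary's tooling. Implements
only the modifiers the rule uses (|endswith, |contains|all) with Sigma's
default case-insensitive matching. All sample events below are constructed.
"""
from typing import Any

# The rule's selection, transcribed from the YAML above.
SELECTION = {
    "Image|endswith": r"\wscript.exe",
    "CommandLine|contains|all": ["users", "temp", ".zip", ".js"],
}


def _match_field(field_spec: str, expected: Any, event: dict) -> bool:
    """Apply the modifiers encoded in a Sigma field key to one event field."""
    field, *modifiers = field_spec.split("|")
    value = event.get(field)
    if value is None:
        return False  # a missing field never satisfies a selection entry
    value = str(value).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    wanted = [str(w).lower() for w in wanted]

    if modifiers == ["endswith"]:
        # A list value in Sigma means "any of" unless |all is present.
        return any(value.endswith(w) for w in wanted)
    if modifiers == ["contains", "all"]:
        return all(w in value for w in wanted)
    if modifiers == ["contains"]:
        return any(w in value for w in wanted)
    raise ValueError(f"unsupported modifiers: {modifiers}")


def matches(event: dict, selection: dict = SELECTION) -> bool:
    """All entries of a Sigma selection map must match (implicit AND)."""
    return all(_match_field(k, v, event) for k, v in selection.items())


# Constructed sample process-creation events (Sysmon/EDR-style field names).
SAMPLE_EVENTS = [
    {   # the pattern the rule targets: wscript running a .js straight out of a .zip in Temp
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"',
    },
    {   # legitimate logon script: no .zip and no user temp path, so no match
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe \\corp\netlogon\mapdrives.js",
    },
    {   # same command-line shape but a different interpreter: the Image check fails
        "Image": r"C:\Windows\System32\cscript.exe",
        "CommandLine": r"cscript.exe C:\Users\bob\AppData\Local\Temp\archive.zip\run.js",
    },
]


def alerts(events: list = SAMPLE_EVENTS) -> list:
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for line in alerts():
        print("ALERT:", line)
```

Only the first sample event fires. The third shows why the rule is narrow: the same ZIP-to-JS command line run through `cscript.exe` is not covered, which is worth keeping in mind when tuning or extending the `Image` clause for your own environment.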
Related rules
- Base64 Encoding
- Gamarue Rundll32.exe Long Commandlines
- Obfuscated Commands - Command Shell
- Obfuscation and Escape Characters - Powershell
- PowerShell -encodedcommand Switch