Password Protected ZIP File Opened
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Sigma rule
title: Password Protected ZIP File Opened
id: 00ba9da1-b510-4f6b-b258-8d338836180f
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
    - attack.defense-evasion
    - attack.t1027
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    filter: # avoid overlaps with 54f0434b-726f-48a1-b2aa-067df14516e4
        TargetName|contains: '\Temporary Internet Files\Content.Outlook'
    condition: selection and not filter
falsepositives:
    - Legitimate use of encrypted ZIP files
level: medium
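Added example, not part of the Sigma rule or the SigmaHQ project: the rule's "selection and not filter" logic applied to a few constructed Security-log events, with the archive path pulled out of TargetName. The event shape and paths are constructed for illustration; Sigma string matching is case-insensitive by default, which the helper mirrors.

```python
# Added example: evaluates the rule above over constructed Windows Security
# events (ID 5379, "Credential Manager credentials were read") and returns the
# ZIP path for each hit. Not code from the Sigma project.
from typing import Dict, List, Optional

SELECTION_MARKER = "Microsoft_Windows_Shell_ZipFolder:filename"
FILTER_MARKER = r"\Temporary Internet Files\Content.Outlook"

# Constructed sample events; only the fields the rule inspects are present.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 5379,  # should alert: user opened an encrypted ZIP
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\Downloads\invoice.zip"},
    {"EventID": 5379,  # excluded by the filter: Outlook attachment temp path
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ABC123\report.zip"},
    {"EventID": 5379,  # unrelated Credential Manager read, no ZipFolder marker
     "TargetName": "MicrosoftAccount:target=SSO_POP_User"},
    {"EventID": 4624,  # right marker, wrong event ID
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\tmp\x.zip"},
]


def contains(value: object, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring test."""
    return needle.lower() in str(value).lower()


def rule_matches(event: Dict[str, object]) -> bool:
    """Evaluate 'selection and not filter' for one event."""
    target = event.get("TargetName", "")
    # EventID may arrive as int or string depending on the log pipeline.
    selection = str(event.get("EventID")) == "5379" and contains(target, SELECTION_MARKER)
    filtered = contains(target, FILTER_MARKER)
    return selection and not filtered


def opened_archive(event: Dict[str, object]) -> Optional[str]:
    """Return the path after 'filename=' for a matching event, else None."""
    if not rule_matches(event):
        return None
    target = str(event["TargetName"])
    return target.split("filename=", 1)[1] if "filename=" in target else target


def run_rule(events: List[Dict[str, object]]) -> List[str]:
    """Apply the rule to a batch of events and collect the archive paths."""
    return [path for path in (opened_archive(e) for e in events) if path is not None]


if __name__ == "__main__":
    for path in run_rule(SAMPLE_EVENTS):
        print("password-protected ZIP opened:", path)
```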
References
- https://twitter.com/sbousseaden/status/1523383197513379841
Related rules
- Base64 Encoded PowerShell Command Detected
- Certificate Exported Via Certutil.EXE
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Decode Base64 Encoded Text
- Decode Base64 Encoded Text -MacOs