Password Protected ZIP File Opened (Suspicious Filenames)
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Sigma rule (View on GitHub)
title: Password Protected ZIP File Opened (Suspicious Filenames)
id: 54f0434b-726f-48a1-b2aa-067df14516e4
status: test
description: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
    - attack.command-and-control
    - attack.defense-evasion
    - attack.t1027
    - attack.t1105
    - attack.t1036
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    selection_filename:
        TargetName|contains:
            - 'invoice'
            - 'new order'
            - 'rechnung'
            - 'factura'
            - 'delivery'
            - 'purchase'
            - 'order'
            - 'payment'
    condition: selection and selection_filename
falsepositives:
    - Legitimate use of encrypted ZIP files
level: high
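The rule's condition (`selection and selection_filename`) applied to a few constructed Security log events, as an added example that is neither part of the Sigma rule nor the project's own code. It assumes each event is a dict keyed by field name and that TargetName carries the archive path after `filename=` (that layout is an assumption); Sigma's `contains` modifier is case-insensitive, which the code mirrors.

```python
import re

# Substrings from the rule's selection_filename list. Sigma `contains` is
# case-insensitive, so all comparisons below are done in lower case.
SUSPICIOUS_NAMES = ("invoice", "new order", "rechnung", "factura",
                    "delivery", "purchase", "order", "payment")
# Marker from the rule's `selection` block (Event 5379 = credential read from vault).
ZIP_MARKER = "microsoft_windows_shell_zipfolder:filename"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `selection and selection_filename`."""
    if event.get("EventID") != 5379:
        return False
    target = str(event.get("TargetName", "")).lower()
    if ZIP_MARKER not in target:
        return False
    # Note for tuning: the bare 'order' entry is a broad substring and also
    # hits paths such as 'Reorder.zip'; that is by the rule's design.
    return any(name in target for name in SUSPICIOUS_NAMES)


def extract_filename(event: dict) -> str:
    """Pull the archive path after 'filename=' (assumed TargetName layout)."""
    m = re.search(r"filename=(.*)$", str(event.get("TargetName", "")), re.IGNORECASE)
    return m.group(1) if m else ""


def find_hits(events) -> list:
    """Paths of all archives whose open event matches the rule."""
    return [extract_filename(e) for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); only the fields the rule uses.
SAMPLE_EVENTS = [
    {"EventID": 5379, "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\Downloads\Invoice_2024.zip"},
    {"EventID": 5379, "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\Downloads\photos.zip"},
    {"EventID": 5379, "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bob\Downloads\RECHNUNG.zip"},
    {"EventID": 4624, "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bob\Downloads\payment.zip"},
    {"EventID": 5379, "TargetName": "WindowsLive:target=virtualapp/didlogical"},
]

if __name__ == "__main__":
    for path in find_hits(SAMPLE_EVENTS):
        print("password-protected ZIP with suspicious name opened:", path)
```

Only the first and third sample events match: the second has a benign name, the fourth is not Event 5379, and the fifth is a vault read unrelated to ZIP folders.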
References
Related rules
- Curl Download And Execute Combination
- Download from Suspicious Dyndns Hosts
- File Download Via Nscurl - MacOS
- File Download Via Windows Defender MpCmpRun.EXE
- Greenbug Espionage Group Indicators