Password Protected ZIP File Opened (Suspicious Filenames)

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

Sigma rule

title: Password Protected ZIP File Opened (Suspicious Filenames)
id: 54f0434b-726f-48a1-b2aa-067df14516e4
status: test
description: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022/05/09
tags:
    - attack.command_and_control
    - attack.defense_evasion
    - attack.t1027
    - attack.t1105
    - attack.t1036
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    selection_filename:
        TargetName|contains:
            - 'invoice'
            - 'new order'
            - 'rechnung'
            - 'factura'
            - 'delivery'
            - 'purchase'
            - 'order'
            - 'payment'
    condition: selection and selection_filename
falsepositives:
    - Legitimate use of encrypted ZIP files
level: high
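The rule fires on Security Event 5379 (a Credential Manager credential being read) whose TargetName carries the Explorer ZIP-folder marker and one of the listed filename terms. The following Python script is an added example, not part of the Sigma project or this rule, that reproduces that matching logic over a handful of constructed event records so the conditions can be checked offline. The event dictionaries and the archive paths in them are made-up sample data; case-insensitive substring matching mirrors the default behaviour of the Sigma `contains` modifier, and the parsing of the path after `filename=` is an assumption about how the TargetName field is laid out.

```python
"""Evaluate the 'Password Protected ZIP File Opened' Sigma logic over sample events.

Added example with constructed data; it is not code from the Sigma repository.
"""

# Terms and marker copied from the rule's detection block.
ZIP_MARKER = "Microsoft_Windows_Shell_ZipFolder:filename"
SUSPICIOUS_TERMS = [
    "invoice", "new order", "rechnung", "factura",
    "delivery", "purchase", "order", "payment",
]

# Constructed Security-log records shaped like parsed Event 5379 fields.
# Paths and users are fictional.
SAMPLE_EVENTS = [
    {"EventID": 5379,
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\Downloads\Invoice_2024.zip"},
    {"EventID": 5379,
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\Downloads\holiday_photos.zip"},
    {"EventID": 5379,
     "TargetName": "LegacyGeneric:target=git:https://github.com"},          # not a ZIP-folder credential
    {"EventID": 4624,
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\tmp\order.zip"},  # wrong EventID
    {"EventID": 5379,
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bob\Desktop\Rechnung_0923.zip"},
    {"EventID": 5379,
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bob\Downloads\Screen_Recorder_v2.zip"},
]


def contains(value, needle):
    """Sigma 'contains' is a case-insensitive substring test by default."""
    return needle.lower() in str(value).lower()


def matching_terms(event):
    """Return every term from selection_filename found in TargetName."""
    target = event.get("TargetName", "")
    return [t for t in SUSPICIOUS_TERMS if contains(target, t)]


def matches_rule(event):
    """'selection and selection_filename' from the rule's condition."""
    if event.get("EventID") != 5379:
        return False
    target = event.get("TargetName", "")
    if not contains(target, ZIP_MARKER):
        return False
    return bool(matching_terms(event))


def archive_path(event):
    """Pull the archive path out of TargetName for the alert detail.

    Assumes the marker is followed by '=' and the path, as in the samples.
    """
    _, sep, path = event.get("TargetName", "").partition("filename=")
    return path if sep else None


def run(events):
    """Return (archive_path, matched_terms) for every event the rule would flag."""
    return [(archive_path(e), matching_terms(e)) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for path, terms in run(SAMPLE_EVENTS):
        print(f"ALERT: {path}  matched={terms}")
```

Running the script flags three of the six records. The third hit is worth noting for tuning: `Screen_Recorder_v2.zip` is caught because `order` is a substring of `Recorder`. Short terms such as `order` and `delivery` will also match unrelated names (`border`, `Recorder`, `undelivered`), so when this rule is deployed it is usually paired with an allowlist of known archive names or a review of the extracted path before escalation, which is the point of the rule's own "see the filename variable" remark.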
