Password Protected ZIP File Opened (Suspicious Filenames)
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Sigma rule
title: Password Protected ZIP File Opened (Suspicious Filenames)
id: 54f0434b-726f-48a1-b2aa-067df14516e4
status: experimental
description: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022/05/09
tags:
    - attack.command_and_control
    - attack.defense_evasion
    - attack.t1027
    - attack.t1105
    - attack.t1036
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    selection_filename:
        TargetName|contains:
            - 'invoice'
            - 'new order'
            - 'rechnung'
            - 'factura'
            - 'delivery'
            - 'purchase'
            - 'order'
            - 'payment'
    condition: selection and selection_filename
falsepositives:
    - Legitimate use of encrypted ZIP files
level: high
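To show how the rule's two selections combine, here is an added reference matcher (not part of the Sigma project or this rule) that applies the same logic to constructed Event ID 5379 records. The event dictionaries, user names and archive paths are all constructed for the example; the rule's keyword list and TargetName marker are copied from the YAML above.

```python
"""Added example: apply the Sigma rule's logic to sample Security events.
Not the Sigma project's own code; sample events below are constructed."""

# Keyword list copied from the rule's selection_filename block.
SUSPICIOUS_NAMES = [
    "invoice", "new order", "rechnung", "factura",
    "delivery", "purchase", "order", "payment",
]
ZIP_FOLDER_MARKER = "Microsoft_Windows_Shell_ZipFolder:filename"


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection and selection_filename'.
    Sigma's |contains modifier is case-insensitive by default, so both
    sides are lower-cased before comparing."""
    if event.get("EventID") != 5379:
        return False
    target = str(event.get("TargetName", "")).lower()
    if ZIP_FOLDER_MARKER.lower() not in target:
        return False
    return any(name in target for name in SUSPICIOUS_NAMES)


def extracted_filename(event: dict) -> str:
    """Return the archive path after 'filename=' in TargetName (this is the
    'filename variable' the description points at), or '' when absent."""
    target = str(event.get("TargetName", ""))
    marker = ZIP_FOLDER_MARKER + "="
    idx = target.find(marker)
    return target[idx + len(marker):] if idx >= 0 else ""


def find_hits(events):
    """Return (user, archive path) for every event the rule would alert on."""
    return [(e.get("SubjectUserName", "?"), extracted_filename(e))
            for e in events if matches_rule(e)]


# Constructed sample events (users and paths are illustrative only).
SAMPLE_EVENTS = [
    {"EventID": 5379, "SubjectUserName": "alice",
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\Downloads\Invoice_2931.zip"},
    {"EventID": 5379, "SubjectUserName": "bob",
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bob\Desktop\photos.zip"},
    {"EventID": 5379, "SubjectUserName": "carol",
     "TargetName": "LegacyGeneric:target=example-app"},   # not a ZIP folder credential
    {"EventID": 4624, "SubjectUserName": "dave",
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\tmp\order.zip"},  # wrong EventID
]

if __name__ == "__main__":
    for user, path in find_hits(SAMPLE_EVENTS):
        print(f"ALERT user={user} archive={path}")
```

Because the keywords are substring matches, a path element such as "recorder" or "reorder" also satisfies the 'order' keyword; review the extracted path before escalating.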