Password Protected ZIP File Opened (Email Attachment)
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Sigma rule (View on GitHub)
```yaml
title: Password Protected ZIP File Opened (Email Attachment)
id: 571498c8-908e-40b4-910b-d2369159a3da
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
    - attack.defense-evasion
    - attack.initial-access
    - attack.t1027
    - attack.t1566.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains|all:
            - 'Microsoft_Windows_Shell_ZipFolder:filename'
            - '\Temporary Internet Files\Content.Outlook'
    condition: selection
falsepositives:
    - Legitimate use of encrypted ZIP files
level: high
```
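The following is an added example, not part of the Sigma rule or of SigmaHQ, showing how the rule's `selection` block behaves when applied to Windows Security events: both substrings must be present (`contains|all`) and Sigma matching is case-insensitive by default. The Event 5379 records and the `filename=` layout of `TargetName` are constructed for illustration.

```python
# Added example (not part of the Sigma rule or SigmaHQ): evaluates the rule's
# 'selection' block against hand-built Windows Security events. The Event 5379
# records and the 'filename=' layout of TargetName are constructed assumptions.
from typing import Iterable, List

EVENT_ID = 5379  # "Credential Manager credentials were read"

# The two substrings from TargetName|contains|all; every one of them must match.
REQUIRED_SUBSTRINGS = (
    "Microsoft_Windows_Shell_ZipFolder:filename",
    r"\Temporary Internet Files\Content.Outlook",
)


def matches_rule(event: dict) -> bool:
    """Return True when an event satisfies the rule's selection.

    Sigma string comparisons are case-insensitive by default, so both sides are
    lower-cased; 'all' means each listed substring has to appear, not just one.
    """
    if event.get("EventID") != EVENT_ID:
        return False
    target = str(event.get("TargetName", "")).lower()
    return all(sub.lower() in target for sub in REQUIRED_SUBSTRINGS)


def extract_filename(target_name: str) -> str:
    """Recover the archive path the rule description points to (assumes the
    'prefix:filename=<path>' layout used in the constructed sample events)."""
    _, sep, path = target_name.partition("filename=")
    return path if sep else target_name


def run_detection(events: Iterable[dict]) -> List[str]:
    """Apply the rule to a stream of events and return the matched archive paths."""
    return [extract_filename(e["TargetName"]) for e in events if matches_rule(e)]


# Constructed sample log: one direct hit, one case-variant hit, two non-matches.
SAMPLE_EVENTS = [
    {"EventID": 5379, "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ABCD1234\invoice.zip"},
    {"EventID": 5379, "TargetName": r"microsoft_windows_shell_zipfolder:filename=c:\users\bob\appdata\local\microsoft\windows\temporary internet files\content.outlook\WXYZ9876\scan.zip"},
    # Encrypted ZIP opened from Downloads: not an Outlook attachment, so no alert.
    {"EventID": 5379, "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\Downloads\archive.zip"},
    # Same Outlook path fragment but a different event ID, so the rule stays silent.
    {"EventID": 4663, "TargetName": r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ABCD1234\invoice.zip"},
]

if __name__ == "__main__":
    for path in run_detection(SAMPLE_EVENTS):
        print("ALERT: password protected ZIP opened from Outlook attachment:", path)
```

The Downloads record shows why the rule scopes to `Content.Outlook`: the same Credential Manager read fires for any encrypted ZIP opened through Explorer, and only the path fragment ties it to a mail attachment.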
Related rules
- HTML Help HH.EXE Suspicious Child Process
- Potential Initial Access via DLL Search Order Hijacking
- Suspicious HH.EXE Execution
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address