Password Protected ZIP File Opened (Email Attachment)
Detects the opening of a password protected ZIP archive that was saved as an Outlook email attachment. The rule keys on Windows Security event 5379 (Credential Manager credentials were read): when Explorer's ZIP folder handler opens an encrypted archive it reads the archive password from Credential Manager under the target name Microsoft_Windows_Shell_ZipFolder:filename, and the TargetName field carries the archive path. A path under Outlook's attachment temp folder (Content.Outlook) indicates the archive came in by email. See the filename value in TargetName for which file was opened. The rule only fires if event 5379 is collected from the Security log, so confirm that Credential Manager read events are audited and forwarded on the hosts in scope, and check which attachment path your Outlook builds actually use (Content.Outlook may sit under INetCache rather than Temporary Internet Files) and adjust the substring if needed.
Sigma rule

```yaml
title: Password Protected ZIP File Opened (Email Attachment)
id: 571498c8-908e-40b4-910b-d2369159a3da
status: experimental
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
  - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022/05/09
tags:
  - attack.defense_evasion
  - attack.initial_access
  - attack.t1027
  - attack.t1566.001
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5379
    TargetName|contains|all:
      - 'Microsoft_Windows_Shell_ZipFolder:filename'
      - '\Temporary Internet Files\Content.Outlook'
  condition: selection
falsepositives:
  - Legitimate use of encrypted ZIP files
level: high
```
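The selection above, evaluated in plain Python over a handful of constructed Windows Security events, as an added example that is neither the rule's own code nor anything from SigmaHQ. It assumes events arrive as dicts with `EventID` and `TargetName` fields, applies Sigma's case-insensitive `contains|all` semantics, and assumes the Shell stores the password under a target name of the form `Microsoft_Windows_Shell_ZipFolder:filename=<path>` so that the archive path can be pulled out for the alert.

```python
"""Added example: this Sigma rule's selection applied to constructed events.

Assumptions (not from the rule): events are dicts with EventID and TargetName;
Sigma 'contains' is case-insensitive; the Shell writes the credential target as
'Microsoft_Windows_Shell_ZipFolder:filename=<archive path>'.
"""
import re

# The two substrings from TargetName|contains|all in the rule.
NEEDLES = (
    "Microsoft_Windows_Shell_ZipFolder:filename",
    r"\Temporary Internet Files\Content.Outlook",
)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies: EventID 5379 AND every needle in TargetName."""
    if str(event.get("EventID")) != "5379":
        return False
    target = str(event.get("TargetName", "")).lower()
    # Sigma string modifiers match case-insensitively, so compare lowercased.
    return all(needle.lower() in target for needle in NEEDLES)


def archive_path(target_name: str):
    """Return the archive path after 'filename=' (assumed layout), or None."""
    m = re.search(r"filename=(.+)$", target_name, re.IGNORECASE)
    return m.group(1) if m else None


# Constructed sample events (not real telemetry). Only the first should fire:
# the second is an encrypted ZIP from Downloads, the third is a Credential
# Manager read for an unrelated target, the fourth is a different event ID.
SAMPLE_EVENTS = [
    {"EventID": 5379, "SubjectUserName": "alice",
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\AppData\Local"
                   r"\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ABCD1234\invoice.zip"},
    {"EventID": 5379, "SubjectUserName": "bob",
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bob\Downloads\backup.zip"},
    {"EventID": 5379, "SubjectUserName": "carol",
     "TargetName": "MicrosoftOffice16_Data:SSPI:carol@example.com"},
    {"EventID": 4624, "SubjectUserName": "alice", "TargetName": "irrelevant"},
]


def hits(events):
    """Apply the rule to a list of events; return (user, archive path) per match."""
    return [(e.get("SubjectUserName"), archive_path(e["TargetName"]))
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for user, path in hits(SAMPLE_EVENTS):
        print(f"ALERT user={user} archive={path}")
```

The second sample shows why the Content.Outlook substring matters: an encrypted archive opened from Downloads produces the same 5379 event with the same ZipFolder prefix, and without the path constraint the rule would also flag every locally created encrypted ZIP (the listed false positive).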
Related rules
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- Malicious QakBot Dropped File Creation (Sysmon)
- Potential Initial Access via DLL Search Order Hijacking
- ISO or Image Mount Indicator in Recent Files