Zip A Folder With PowerShell For Staging In Temp - PowerShell
Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
Sigma rule
```yaml
title: Zip A Folder With PowerShell For Staging In Temp - PowerShell
id: 71ff406e-b633-4989-96ec-bc49d825a412
related:
    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
      type: derived
status: test
description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
author: frack113
date: 2021/07/20
modified: 2023/10/27
tags:
    - attack.collection
    - attack.t1074.001
logsource:
    product: windows
    service: powershell-classic
detection:
    selection:
        Data|contains|all:
            - 'Compress-Archive'
            - ' -Path '
            - ' -DestinationPath '
            - '$env:TEMP\'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
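The selection above is four literal substrings that must all appear in the Data field of a Windows PowerShell classic log entry. The following added example (not part of the SigmaHQ rule or the Atomic Red Team test it references) replicates that `contains|all` logic in Python and runs it over constructed sample events, so you can see which staging command lines it flags and which equally effective variants slip past it. The sample Data strings are made up for the example; they are shaped like the HostApplication value that Event ID 400/600 records, which is the host process command line rather than what is typed inside an interactive session. Sigma string matching is case-insensitive by the specification unless the `cased` modifier is used, so both sides are lower-cased here.

```python
from typing import Dict, Iterable, List, Tuple

# Literal substrings from the rule's 'Data|contains|all' selection.
SELECTION_ALL: List[str] = [
    "Compress-Archive",
    " -Path ",
    " -DestinationPath ",
    "$env:TEMP\\",  # literal $env:TEMP followed by a backslash
]


def selection_matches(data: str, needles: Iterable[str] = SELECTION_ALL) -> bool:
    """Sigma contains|all: True when every needle occurs in data (case-insensitive)."""
    haystack = data.lower()
    return all(needle.lower() in haystack for needle in needles)


# Constructed events: (label, Data field, does the activity really stage an
# archive in the temp folder?). Paths and user names are invented for the example.
SAMPLE_EVENTS: List[Tuple[str, str, bool]] = [
    ("atomic-style staging",
     "HostApplication=powershell.exe -Command Compress-Archive -Path "
     "C:\\Users\\alice\\Documents -DestinationPath $env:TEMP\\staging.zip",
     True),
    ("lowercase variant",
     "HostApplication=powershell.exe -c compress-archive -path C:\\data "
     "-destinationpath $env:temp\\out.zip",
     True),
    ("LiteralPath instead of Path",
     "HostApplication=powershell.exe -Command Compress-Archive -LiteralPath "
     "C:\\data -DestinationPath $env:TEMP\\out.zip",
     True),
    ("TMP instead of TEMP",
     "HostApplication=powershell.exe -Command Compress-Archive -Path C:\\data "
     "-DestinationPath $env:TMP\\out.zip",
     True),
    ("positional parameters",
     "HostApplication=powershell.exe -Command Compress-Archive C:\\data "
     "$env:TEMP\\out.zip",
     True),
    ("GetTempPath instead of env var",
     "HostApplication=powershell.exe -Command Compress-Archive -Path C:\\data "
     "-DestinationPath ([IO.Path]::GetTempPath() + 'out.zip')",
     True),
    # Command typed inside an interactive console: the classic log only sees
    # the host binary, so the cmdlet never appears in Data at all.
    ("interactive session",
     "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     True),
    ("benign build archive",
     "HostApplication=powershell.exe -Command Compress-Archive -Path C:\\build "
     "-DestinationPath C:\\releases\\build.zip",
     False),
]


def evaluate(events: List[Tuple[str, str, bool]] = SAMPLE_EVENTS) -> Dict[str, bool]:
    """Map each event label to whether the rule's selection fires on it."""
    return {label: selection_matches(data) for label, data, _ in events}


def misses(events: List[Tuple[str, str, bool]] = SAMPLE_EVENTS) -> List[str]:
    """Labels of events that do stage an archive in temp but the selection misses."""
    return [label for label, data, stages in events
            if stages and not selection_matches(data)]


if __name__ == "__main__":
    for label, fired in evaluate().items():
        print(f"{'ALERT ' if fired else 'silent'}  {label}")
    print("\nstaging activity not covered by this rule:")
    for label in misses():
        print(f"  - {label}")
```

The misses are the practical caveat: the rule keys on one exact spelling of one command, so `-LiteralPath`, positional arguments, `$env:TMP` or `GetTempPath()` all produce an archive in the same folder without a hit, and anything typed into an already running console never reaches the classic log's Data field in the first place. The related "PowerShell Module" and "PowerShell Script" variants of this rule exist because those log sources see the cmdlet invocation itself; deploy them alongside this one rather than relying on the classic log alone.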
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
Related rules
- Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
- Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
- Zip A Folder With PowerShell For Staging In Temp
- 7Zip Compressing Dump Files
- Compress Data and Lock With Password for Exfiltration With 7-ZIP