PowerShell Decompress Commands
A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
Sigma rule (View on GitHub)
1title: PowerShell Decompress Commands
2id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
3related:
4 - id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
5 type: derived
6status: test
7description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
8references:
9 - https://github.com/OTRF/detection-hackathon-apt29/issues/8
10 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md
11author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
12date: 2020-05-02
13modified: 2022-12-25
14tags:
15 - attack.defense-evasion
16 - attack.t1140
17logsource:
18 product: windows
19 category: ps_module
20 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
21detection:
22 selection_4103:
23 Payload|contains: 'Expand-Archive'
24 condition: selection_4103
25falsepositives:
26 - Unknown
27level: informational
References
-
4.A) PowerShell, Deobfuscate/Decode Files or Information · Issue #8 · OTRF/detection-hackathon-apt29
Description The attacker uploads additional tools (T1086) through the new, elevated access before spawning an interactive powershell.exe shell (T1086). The additional tools are decompressed (T1140)...
Read More -
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient. - OTRF/ThreatHunter-Playbook
Read More
Related rules
- Base64 Encoded PowerShell Command Detected
- DNS-over-HTTPS Enabled by Registry
- Linux Base64 Encoded Pipe to Shell
- Linux Base64 Encoded Shebang In CLI
- Linux Shell Pipe to Shell