Compress Data and Lock With Password for Exfiltration With 7-ZIP
An adversary may compress or encrypt collected data with a third-party utility (here 7-Zip) before exfiltrating it; this is ATT&CK T1560.001, Archive via Utility. The rule below flags 7-Zip invocations that add to or update an archive while setting a password.
Sigma rule
```yaml
title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
id: 9fbf5927-5261-4284-a71d-f681029ea574
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021-07-27
modified: 2023-03-13
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    # Any one of these identifies the 7-Zip binary (list of maps = OR),
    # so a renamed executable is still caught via its PE metadata.
    selection_img:
        - Description|contains: '7-Zip'
        - Image|endswith:
              - '\7z.exe'
              - '\7zr.exe'
              - '\7za.exe'
        - OriginalFileName:
              - '7z.exe'
              - '7za.exe'
    # -p sets the archive password; the value is usually attached directly (-pSecret).
    selection_password:
        CommandLine|contains: ' -p'
    # a = add, u = update: the archive is being created or extended, not extracted.
    selection_action:
        CommandLine|contains:
            - ' a '
            - ' u '
    condition: all of selection_*
falsepositives:
    - Legitimate activity is expected since compressing files with a password is common.
level: medium
```
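To see what the three selections do and do not match, here is the rule's logic hand-coded in Python and run over constructed Sysmon Event ID 1 style events. This is an added example, not code from the SigmaHQ page or a Sigma backend; it implements only this rule, with Sigma's default case-insensitive string matching, and every event, path and password below is made up.

```python
"""Evaluate the 7-Zip password-archive Sigma rule against constructed events.

Added example, not part of the SigmaHQ page or the rule itself. This is a
hand-written evaluator for this single rule, not a general Sigma backend.
Field names follow the Sigma windows/process_creation taxonomy (Image,
OriginalFileName, Description, CommandLine) as emitted by Sysmon Event ID 1.
"""

# Constructed sample events (not real telemetry). Only fields the rule reads are set.
SAMPLE_EVENTS = [
    {   # 0: true positive - files added to a password-locked, header-encrypted archive
        "Image": r"C:\Program Files\7-Zip\7z.exe",
        "OriginalFileName": "7z.exe",
        "Description": "7-Zip Console",
        "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -pS3cret -mhe=on C:\Users\bob\AppData\Local\Temp\out.7z C:\Users\bob\Documents',
    },
    {   # 1: true positive - binary renamed, but PE metadata still says 7-Zip (case differs)
        "Image": r"C:\Users\bob\AppData\Roaming\svc.exe",
        "OriginalFileName": "7ZA.EXE",
        "Description": "7-Zip Standalone Console",
        "CommandLine": r"svc.exe u -pPass123 C:\ProgramData\backup.7z C:\Finance",
    },
    {   # 2: benign - archive created without a password
        "Image": r"C:\Program Files\7-Zip\7z.exe",
        "OriginalFileName": "7z.exe",
        "Description": "7-Zip Console",
        "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a C:\Backups\src.7z C:\src',
    },
    {   # 3: benign - password used to extract (x), not to add or update
        "Image": r"C:\Program Files\7-Zip\7z.exe",
        "OriginalFileName": "7z.exe",
        "Description": "7-Zip Console",
        "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" x -pPass123 C:\Downloads\vendor.7z -oC:\Temp\vendor',
    },
    {   # 4: unrelated tool with a look-alike command line; selection_img does not match
        "Image": r"C:\Tools\backup.exe",
        "OriginalFileName": "backup.exe",
        "Description": "Backup Utility",
        "CommandLine": r"backup.exe a -pSecret D:\out.bak C:\data",
    },
    {   # 5: rule gap - the switch is quoted, so ' -p' is not a substring of CommandLine
        "Image": r"C:\Program Files\7-Zip\7z.exe",
        "OriginalFileName": "7z.exe",
        "Description": "7-Zip Console",
        "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a "-pS3cret" C:\Temp\out.7z C:\Users\bob\Documents',
    },
]


def _contains(value, needle):
    """Sigma 'contains' modifier: case-insensitive substring test."""
    return value is not None and needle.lower() in str(value).lower()


def _endswith(value, suffix):
    """Sigma 'endswith' modifier: case-insensitive suffix test."""
    return value is not None and str(value).lower().endswith(suffix.lower())


def _equals(value, expected):
    """Sigma plain value (no modifier): case-insensitive exact match."""
    return value is not None and str(value).lower() == expected.lower()


def selection_img(ev):
    # A list of maps is OR-ed; a list of values under one field is OR-ed too.
    return (
        _contains(ev.get("Description"), "7-Zip")
        or any(_endswith(ev.get("Image"), s) for s in (r"\7z.exe", r"\7zr.exe", r"\7za.exe"))
        or any(_equals(ev.get("OriginalFileName"), n) for n in ("7z.exe", "7za.exe"))
    )


def selection_password(ev):
    return _contains(ev.get("CommandLine"), " -p")


def selection_action(ev):
    return any(_contains(ev.get("CommandLine"), tok) for tok in (" a ", " u "))


def matches(ev):
    # condition: all of selection_*
    return selection_img(ev) and selection_password(ev) and selection_action(ev)


def run(events):
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in run(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0 and 1 fire; 2, 3 and 4 show why each selection is needed. Event 5 is the caveat: `' -p'` is a plain substring test, so a quoted switch slips past it, and a hardened variant would match the switch with a regex (`re` modifier) rather than a fixed string. The other direction is the rule's own false-positive note: backup scripts also create password-protected archives, so an alert is worth correlating with the staging directory, archive size and any following outbound transfer before escalating.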
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
Related rules
- 7Zip Compressing Dump Files
- Cisco Stage Data
- Compress Data and Lock With Password for Exfiltration With WINZIP
- Files Added To An Archive Using Rar.EXE
- Rar Usage with Password and Compression Level