Suspicious ZipExec Execution

 1title: Suspicious ZipExec Execution
 2id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132
 3status: test
 4description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
 5references:
 6    - https://twitter.com/SBousseaden/status/1451237393017839616
 7    - https://github.com/Tylous/ZipExec
 8author: frack113
 9date: 2021/11/07
10modified: 2022/12/25
11tags:
12    - attack.execution
13    - attack.defense_evasion
14    - attack.t1218
15    - attack.t1202
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    run:
21        CommandLine|contains|all:
22            - '/generic:Microsoft_Windows_Shell_ZipFolder:filename='
23            - '.zip'
24            - '/pass:'
25            - '/user:'
26    delete:
27        CommandLine|contains|all:
28            - '/delete'
29            - 'Microsoft_Windows_Shell_ZipFolder:filename='
30            - '.zip'
31    condition: run or delete
32falsepositives:
33    - Unknown
34level: medium

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• GitHub - Tylous/ZipExec: A unique technique to execute binaries from a password protected zip

  

  A unique technique to execute binaries from a password protected zip - Tylous/ZipExec

  
  Read More

Related rules

• MpiExec Lolbin
• Suspicious Runscripthelper.exe
• Renamed ZOHO Dctask64 Execution
• Renamed FTP.EXE Execution
• Microsoft Workflow Compiler Execution