Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Sigma rule (View on GitHub)
1title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
2id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
3related:
4 - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
5 type: similar
6 - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
7 type: similar
8 - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
9 type: similar
10status: test
11description: |
12 Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
13 An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
14references:
15 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
16 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
17author: Nasreddine Bencherchali (Nextron Systems), frack113
18date: 2021-07-20
19modified: 2022-10-09
20tags:
21 - attack.collection
22 - attack.t1074.001
23logsource:
24 product: windows
25 category: process_creation
26detection:
27 selection:
28 CommandLine|contains:
29 - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
30 - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
31 - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
32 condition: selection
33falsepositives:
34 - Unknown
35level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
SUMMARY The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service ...
Read More
Related rules
- Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
- Zip A Folder With PowerShell For Staging In Temp - PowerShell
- Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
- 7Zip Compressing Dump Files
- ADFS Database Named Pipe Connection By Uncommon Tool