Compress Data and Lock With Password for Exfiltration With WINZIP

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

Sigma rule (View on GitHub)

 1title: Compress Data and Lock With Password for Exfiltration With WINZIP
 2id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
 3status: test
 4description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 7author: frack113
 8date: 2021-07-27
 9modified: 2022-12-25
10tags:
11    - attack.collection
12    - attack.t1560.001
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_winzip:
18        CommandLine|contains:
19            - 'winzip.exe'
20            - 'winzip64.exe'
21    selection_password:
22        CommandLine|contains: '-s"'
23    selection_other:
24        CommandLine|contains:
25            - ' -min '
26            - ' -a '
27    condition: all of selection*
28falsepositives:
29    - Unknown
30level: medium

References

Related rules

to-top