Compress Data and Lock With Password for Exfiltration With WINZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Sigma rule
```yaml
title: Compress Data and Lock With Password for Exfiltration With WINZIP
id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021/07/27
modified: 2022/12/25
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_winzip:
        CommandLine|contains:
            - 'winzip.exe'
            - 'winzip64.exe'
    selection_password:
        CommandLine|contains: '-s"'
    selection_other:
        CommandLine|contains:
            - ' -min '
            - ' -a '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
```
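To see exactly what the three selections do and do not catch, the following added example (not part of the Sigma rule or the SigmaHQ project) emulates the rule's logic in Python over a handful of constructed Windows process_creation events. It assumes the Sigma default that `contains` matches case-insensitively, and the command lines are made up to exercise the rule's substrings rather than copied from real telemetry.

```python
"""Emulate the 'Compress Data and Lock With Password ... WINZIP' Sigma rule
over constructed process_creation events (added example, not project code)."""

# Selections copied from the rule. Sigma string matching is case-insensitive
# by default, so every comparison below is done on lowercased text.
SELECTION_WINZIP = ["winzip.exe", "winzip64.exe"]
SELECTION_PASSWORD = ['-s"']          # quoted password switch, e.g. -s"hello"
SELECTION_OTHER = [" -min ", " -a "]  # whitespace on both sides is required


def _contains_any(value, needles):
    """Sigma 'contains' with a list: any needle found as a substring."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def matches_rule(event):
    """Return True when the event satisfies 'condition: all of selection*'."""
    if event.get("Category") != "process_creation" or event.get("Product") != "windows":
        return False  # outside the rule's logsource
    cmd = event.get("CommandLine", "")
    return (
        _contains_any(cmd, SELECTION_WINZIP)
        and _contains_any(cmd, SELECTION_PASSWORD)
        and _contains_any(cmd, SELECTION_OTHER)
    )


# Constructed sample events (not real logs). Each one probes a different
# part of the rule.
SAMPLE_EVENTS = [
    {   # the switches the rule was written for: add, minimised, quoted password
        "Id": "atomic", "Category": "process_creation", "Product": "windows",
        "CommandLine": r'"C:\Program Files\WinZip\winzip64.exe" -min -a -s"hello" '
                       r'C:\Users\Public\exfil.zip C:\Users\Public\Documents\*',
    },
    {   # same thing shouted in upper case: still matches (case-insensitive)
        "Id": "upper", "Category": "process_creation", "Product": "windows",
        "CommandLine": r'WINZIP64.EXE -MIN -A -S"Secret" out.zip data\*',
    },
    {   # archive creation without a password: selection_password fails
        "Id": "no_password", "Category": "process_creation", "Product": "windows",
        "CommandLine": r'"C:\Program Files\WinZip\winzip.exe" -a C:\tmp\out.zip C:\tmp\report.docx',
    },
    {   # a differently named binary (hypothetical line): selection_winzip fails
        "Id": "other_binary", "Category": "process_creation", "Product": "windows",
        "CommandLine": r'wzzip.exe -s"hello" -a out.zip docs\*',
    },
    {   # password switch without the quote character (hypothetical): -s" never appears
        "Id": "password_unquoted", "Category": "process_creation", "Product": "windows",
        "CommandLine": r'winzip64.exe -min -a -shello out.zip docs\*',
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Map each sample event Id to whether the rule fires on it."""
    return {event["Id"]: matches_rule(event) for event in events}


if __name__ == "__main__":
    for event_id, fired in evaluate().items():
        print(f"{event_id:18} -> {'ALERT' if fired else 'no match'}")
```

Only the first two constructed events fire. The other three show the rule's edges a detection engineer should keep in mind: the password selection keys on the literal `-s"` so an unquoted password does not match, `' -a '` and `' -min '` need whitespace on both sides, and the binary selection is a plain substring check on the command line, so the same switches under a different executable name never reach the other selections.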
Related rules
- Rar Usage with Password and Compression Level
- Files Added To An Archive Using Rar.EXE
- Cisco Stage Data
- Data Copied To Clipboard Via Clip.EXE
- Automated Collection Command Prompt