Compress Data and Lock With Password for Exfiltration With WINZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Sigma rule (View on GitHub)
1title: Compress Data and Lock With Password for Exfiltration With WINZIP
2id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
3status: test
4description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
7author: frack113
8date: 2021-07-27
9modified: 2022-12-25
10tags:
11 - attack.collection
12 - attack.t1560.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_winzip:
18 CommandLine|contains:
19 - 'winzip.exe'
20 - 'winzip64.exe'
21 selection_password:
22 CommandLine|contains: '-s"'
23 selection_other:
24 CommandLine|contains:
25 - ' -min '
26 - ' -a '
27 condition: all of selection*
28falsepositives:
29 - Unknown
30level: medium
References
Related rules
- 7Zip Compressing Dump Files
- Cisco Stage Data
- Compress Data and Lock With Password for Exfiltration With 7-ZIP
- Compressed File Creation Via Tar.EXE
- Compressed File Extraction Via Tar.EXE