
Password Protected ZIP File Opened

Detects the extraction of password-protected ZIP archives. See the filename variable in the TargetName field for details on which file has been opened.

Author: Florian Roth (Nextron Systems)

Log Source
Product: windows
Service: security

Detection Logic
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    filter:  # avoid overlaps with 54f0434b-726f-48a1-b2aa-067df14516e4
        TargetName|contains: '\Temporary Internet Files\Content.Outlook'
    condition: selection and not filter
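As an added example (not code from the Sigma project or the rule's author), the selection/filter logic above applied in Python to constructed Security-log events, with the archive path pulled out of TargetName. The `filename=<path>` layout of TargetName and all sample values are assumptions, not taken from the page.

```python
"""Evaluate the Sigma logic above against constructed Windows Security events.

Sigma string modifiers such as 'contains' match case-insensitively by default,
so both the selection and the filter compare lower-cased strings.
"""
import re
from typing import Optional

MARKER = "Microsoft_Windows_Shell_ZipFolder:filename"
# Outlook attachment cache path excluded by the rule's filter (overlap with another rule).
FILTER_PATH = r"\Temporary Internet Files\Content.Outlook"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not filter'."""
    if event.get("EventID") != 5379:
        return False
    target = str(event.get("TargetName", "")).lower()
    selection = MARKER.lower() in target
    filtered = FILTER_PATH.lower() in target
    return selection and not filtered


def extract_zip_path(target_name: str) -> Optional[str]:
    """Pull the archive path out of TargetName.

    Assumption (not stated on the page): the Credential Manager target is
    written as '<marker>=<path>'; None is returned when that shape is absent.
    """
    m = re.search(re.escape(MARKER) + r"=(.+)$", target_name, re.IGNORECASE)
    return m.group(1).strip() if m else None


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 5379, "TargetName": "Microsoft_Windows_Shell_ZipFolder:filename=C:\\Users\\alice\\Downloads\\invoice.zip"},
    {"EventID": 5379, "TargetName": "Microsoft_Windows_Shell_ZipFolder:filename=C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Outlook\\ABC123\\report.zip"},
    {"EventID": 5379, "TargetName": "LegacyGeneric:target=git:https://example.test"},
    {"EventID": 4624, "TargetName": "Microsoft_Windows_Shell_ZipFolder:filename=C:\\tmp\\x.zip"},
]


def alerts(events) -> list:
    """Return the archive path of every event that fires the rule."""
    return [extract_zip_path(e["TargetName"]) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("password-protected archive opened:", path)
```

Only the first sample fires: the Outlook-cache event is dropped by the filter, the generic credential read fails the selection, and the 4624 event has the wrong EventID.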
False Positives

Legitimate use of encrypted ZIP files

Rule Metadata
Rule ID
00ba9da1-b510-4f6b-b258-8d338836180f
Status
test
Level
medium
Type
Detection
Created
Mon May 09
Path
rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
Raw Tags
attack.defense-evasion, attack.t1027