
Password Protected ZIP File Opened (Suspicious Filenames)

Detects the extraction of password-protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

Author: Florian Roth (Nextron Systems)
Created: Mon May 09
Rule ID: 54f0434b-726f-48a1-b2aa-067df14516e4
Product: windows
Log Source
Product: windows
Service: security
Detection Logic (2 selectors)
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    selection_filename:
        TargetName|contains:
            - 'invoice'
            - 'new order'
            - 'rechnung'
            - 'factura'
            - 'delivery'
            - 'purchase'
            - 'order'
            - 'payment'
    condition: selection and selection_filename
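The rule's matching logic, as an added Python example (not code from the Sigma project or the rule author) run over constructed Security event records; the "marker=<path>" layout of TargetName used in the samples is an assumption, as is the hypothetical helper name matched_archives.

```python
from typing import Iterable, List

# Values taken from the Sigma rule above
ZIP_MARKER = "Microsoft_Windows_Shell_ZipFolder:filename"
SUSPICIOUS_NAMES = ["invoice", "new order", "rechnung", "factura",
                    "delivery", "purchase", "order", "payment"]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection and selection_filename'.

    Sigma's |contains modifier is case-insensitive, hence casefold()."""
    if event.get("EventID") != 5379:
        return False
    target = str(event.get("TargetName", "")).casefold()
    if ZIP_MARKER.casefold() not in target:
        return False
    # |contains is applied to the whole TargetName, so a keyword in a
    # directory name matches just as well as one in the archive name.
    return any(name in target for name in SUSPICIOUS_NAMES)


def matched_archives(events: Iterable[dict]) -> List[str]:
    """Return the archive path embedded in TargetName for each matching event.

    Assumes the path follows the marker as 'marker=<path>' (constructed format)."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            target = str(ev["TargetName"])
            start = target.casefold().index(ZIP_MARKER.casefold()) + len(ZIP_MARKER)
            hits.append(target[start:].lstrip("="))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 5379, "TargetName": ZIP_MARKER + "=C:\\Users\\u\\Downloads\\Invoice_2291.zip"},
    {"EventID": 5379, "TargetName": ZIP_MARKER + "=C:\\Users\\u\\Downloads\\Holiday_Photos.zip"},
    # Wrong EventID: 'selection' fails even though the name is suspicious
    {"EventID": 4663, "TargetName": ZIP_MARKER + "=C:\\tmp\\payment.zip"},
    # Credential read unrelated to ZIP folders: 'selection' fails
    {"EventID": 5379, "TargetName": "WindowsLive:target=virtualapp/didlogical"},
    # German keyword in mixed case: matched case-insensitively
    {"EventID": 5379, "TargetName": ZIP_MARKER + "=D:\\in\\Bestellung_RECHNUNG_03.zip"},
    # 'Recorder' contains 'order': the short keyword fires on an innocuous name
    {"EventID": 5379, "TargetName": ZIP_MARKER + "=C:\\tmp\\Recorder.zip"},
]

if __name__ == "__main__":
    for path in matched_archives(SAMPLE_EVENTS):
        print("ALERT:", path)
```

The last sample shows why the bare 'order' keyword is the main source of the false positives listed below: any archive or folder name containing that substring will match.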
False Positives

Legitimate use of encrypted ZIP files

Rule Metadata
Rule ID
54f0434b-726f-48a1-b2aa-067df14516e4
Status
test
Level
high
Type
Detection
Created
Mon May 09
Path
rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
Raw Tags
attack.command-and-control, attack.defense-evasion, attack.t1027, attack.t1105, attack.t1036