Threat Huntlowtest

Compress-Archive Cmdlet Execution

Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Timur Zinniatullin, oscd.communityCreated Mon Oct 21Updated Fri Dec 156dc5d284-69ea-42cf-9311-fb1c3932a69awindows

Hunting Hypothesis

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains: 'Compress-Archive'
    condition: selection

False Positives

Likely

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0010 · Exfiltration TA0009 · Collection

Techniques

T1560 · Archive Collected Data

Other

detection.threat-hunting

Rule Metadata

Rule ID

6dc5d284-69ea-42cf-9311-fb1c3932a69a

Status

test

Level

low

Type

Threat Hunt

Created

Mon Oct 21

Modified

Fri Dec 15

Author

Timur Zinniatullin, oscd.community

Path

rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml

Raw Tags

attack.exfiltrationattack.collectionattack.t1560detection.threat-hunting

View on GitHub