Detectionmediumtest

Zip A Folder With PowerShell For Staging In Temp - PowerShell Script

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems), François HubautCreated Tue Jul 20Updated Mon Dec 18b7a3c9a3-09ea-4934-8864-6a32cacd98d9windows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains:
            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
            - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
            - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

Resolving title…

MITRE ATT&CK

Tactics

TA0009 · Collection

Sub-techniques

T1074.001 · Local Data Staging

Related Rules

SimilarDetectionmedium

Zip A Folder With PowerShell For Staging In Temp - PowerShell

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionmedium

Zip A Folder With PowerShell For Staging In Temp - PowerShell Module

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionmedium

Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

b7a3c9a3-09ea-4934-8864-6a32cacd98d9

Status

test

Level

medium

Type

Detection

Created

Tue Jul 20

Modified

Mon Dec 18

Author

Nasreddine Bencherchali (Nextron Systems), François Hubaut

Path

rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml

Raw Tags

attack.collectionattack.t1074.001