sigma · medium · Hunting

Password Protected ZIP File Opened

Detects Windows Explorer reading the stored password of a password-protected ZIP archive. The Shell keeps that password in Credential Manager under a target name beginning with Microsoft_Windows_Shell_ZipFolder:filename, so opening the archive produces Security event 5379 (Credential Manager credentials were read); the TargetName field of that event identifies which archive was opened. The event is only written when the corresponding audit subcategory is enabled, so confirm 5379 is present in your Security log before relying on this rule.

MITRE ATT&CK

defense-evasion

Detection Query

selection:
  EventID: 5379
  TargetName|contains: Microsoft_Windows_Shell_ZipFolder:filename
filter:
  TargetName|contains: \Temporary Internet Files\Content.Outlook
condition: selection and not filter
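The following is an added example, not part of the Sigma rule or the SigmaHQ project: a small Python evaluator that applies the rule's logic (the selection and the filter, combined as `selection and not filter`) to a handful of constructed Security events and pulls the archive path out of TargetName. The sample events are fabricated; in particular the `filename=<path>` layout after the `Microsoft_Windows_Shell_ZipFolder:filename` prefix is an assumption about how the target name continues, and Sigma's default case-insensitive `contains` matching is reproduced by lower-casing both sides.

```python
import re

# Constructed sample events (not real telemetry): just the fields the rule
# touches, as a SIEM would present them after parsing the Security log.
# The "filename=<path>" suffix is an assumed layout for illustration.
SAMPLE_EVENTS = [
    {"EventID": 5379, "SubjectUserName": "alice",
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\Downloads\invoice_0423.zip"},
    # Same credential type, but the archive was opened from an Outlook temp
    # folder; the rule's filter drops it to avoid overlapping the sibling rule.
    {"EventID": 5379, "SubjectUserName": "alice",
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ABCD1234\report.zip"},
    # A 5379 for an unrelated generic credential: not a ZIP password read.
    {"EventID": 5379, "SubjectUserName": "alice",
     "TargetName": "LegacyGeneric:target=git:https://github.com"},
    # Right target name but wrong event ID: must not match.
    {"EventID": 4624, "SubjectUserName": "alice",
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\tmp\not_a_5379.zip"},
]

SELECTION_EVENT_ID = 5379
SELECTION_SUBSTR = "Microsoft_Windows_Shell_ZipFolder:filename"
FILTER_SUBSTR = r"\Temporary Internet Files\Content.Outlook"


def _contains(value, needle):
    """Sigma 'contains' modifier: substring match, case-insensitive by default."""
    return needle.lower() in (value or "").lower()


def rule_matches(event):
    """Evaluate 'selection and not filter' for one parsed event dict."""
    selection = (event.get("EventID") == SELECTION_EVENT_ID
                 and _contains(event.get("TargetName"), SELECTION_SUBSTR))
    filtered = _contains(event.get("TargetName"), FILTER_SUBSTR)
    return selection and not filtered


def zip_path(event):
    """Return the archive path after 'filename=' in TargetName, or None."""
    m = re.search(r"filename=(.+)$", event.get("TargetName", ""), re.IGNORECASE)
    return m.group(1) if m else None


def run_rule(events):
    """Return (user, archive path) for every event the rule fires on."""
    return [(e.get("SubjectUserName"), zip_path(e)) for e in events if rule_matches(e)]


if __name__ == "__main__":
    for user, path in run_rule(SAMPLE_EVENTS):
        print(f"password-protected ZIP opened by {user}: {path}")
```

Only the first sample event survives: the Outlook path is removed by the filter, the generic credential fails the selection, and the 4624 has the wrong event ID. On a real host the same fields can be pulled with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5379}` and fed through `run_rule` after mapping the message properties to the dict keys used above.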

Author

Florian Roth (Nextron Systems)

Created

2022-05-09

Data Sources

windowssecurity

Platforms

windows

Tags

attack.defense-evasion, attack.t1027
Raw Content
title: Password Protected ZIP File Opened
id: 00ba9da1-b510-4f6b-b258-8d338836180f
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
    - attack.defense-evasion
    - attack.t1027
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    filter:  # avoid overlaps with 54f0434b-726f-48a1-b2aa-067df14516e4
        TargetName|contains: '\Temporary Internet Files\Content.Outlook'
    condition: selection and not filter
falsepositives:
    - Legitimate use of encrypted ZIP files
level: medium