sigmahighHunting

Password Protected ZIP File Opened (Suspicious Filenames)

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

MITRE ATT&CK

T1027 T1105 T1036

command-and-controldefense-evasion

Detection Query

selection:
  EventID: 5379
  TargetName|contains: Microsoft_Windows_Shell_ZipFolder:filename
selection_filename:
  TargetName|contains:
    - invoice
    - new order
    - rechnung
    - factura
    - delivery
    - purchase
    - order
    - payment
condition: selection and selection_filename

Author

Florian Roth (Nextron Systems)

Created

2022-05-09

Data Sources

windowssecurity

Platforms

windows

References

https://twitter.com/sbousseaden/status/1523383197513379841

Tags

attack.command-and-controlattack.defense-evasionattack.t1027attack.t1105attack.t1036

Raw Content

title: Password Protected ZIP File Opened (Suspicious Filenames)
id: 54f0434b-726f-48a1-b2aa-067df14516e4
status: test
description: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
    - attack.command-and-control
    - attack.defense-evasion
    - attack.t1027
    - attack.t1105
    - attack.t1036
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    selection_filename:
        TargetName|contains:
            - 'invoice'
            - 'new order'
            - 'rechnung'
            - 'factura'
            - 'delivery'
            - 'purchase'
            - 'order'
            - 'payment'
    condition: selection and selection_filename
falsepositives:
    - Legitimate used of encrypted ZIP files
level: high