sigmalowHunting

Compress-Archive Cmdlet Execution

Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

MITRE ATT&CK

T1560

exfiltrationcollection

Detection Query

selection:
  ScriptBlockText|contains: Compress-Archive
condition: selection

Author

Timur Zinniatullin, oscd.community

Created

2019-10-21

Data Sources

windowsps_script

Platforms

windows

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md

Tags

attack.exfiltrationattack.collectionattack.t1560detection.threat-hunting

Raw Content

title: Compress-Archive Cmdlet Execution
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
status: test
description: |
    Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files.
    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-12-15
tags:
    - attack.exfiltration
    - attack.collection
    - attack.t1560
    - detection.threat-hunting
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'Compress-Archive'
    condition: selection
falsepositives:
    - Likely
level: low