Techniques
Sample rules
Compress Data and Lock With Password for Exfiltration With 7-ZIP
- source: sigma
- techniques:
  - t1560
  - t1560.001
Description
An adversary may compress or encrypt collected data prior to exfiltration using third-party utilities. This rule looks for 7-Zip, identified by image path, PE original file name or file description, invoked with the add (a) or update (u) command together with the -p password switch.
Detection logic
selection_img:
  - Image|endswith:
      - '\7z.exe'
      - '\7zr.exe'
      - '\7za.exe'
  - OriginalFileName:
      - '7z.exe'
      - '7za.exe'
  - Description|contains: '7-Zip'
selection_action:
  CommandLine|contains:
    - ' a '
    - ' u '
selection_password:
  CommandLine|contains: ' -p'
condition: all of selection_*
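The rule's logic run over a handful of process-creation events, as an added example that is not part of the Sigma project or of this rule. The events are constructed for the demo and use the Sysmon/Windows field names the rule references (Image, OriginalFileName, CommandLine, Description). Sigma string modifiers match case-insensitively by default, so every comparison is done on lower-cased values; a Sigma list of maps (the three entries under selection_img) is OR-ed, and the condition AND-s the three selections. Event 1 shows why the PE version-info fields matter: a renamed 7za.exe no longer matches Image|endswith but still matches OriginalFileName.

```python
"""Evaluate the 7-Zip password-protected-archive rule over constructed events.

Illustration only (not Sigma's own code). Field names follow the Windows
process-creation fields the rule references; sample events are hand-built.
"""
from typing import Dict, Iterable, List

Event = Dict[str, str]

# selection_img: any ONE of these three checks is enough (list of maps = OR)
IMAGE_SUFFIXES = (r"\7z.exe", r"\7zr.exe", r"\7za.exe")
ORIGINAL_FILENAMES = ("7z.exe", "7za.exe")        # PE version-info field, survives renaming
DESCRIPTION_SUBSTRINGS = ("7-zip",)              # PE FileDescription, also survives renaming

# selection_action: 7-Zip "add" or "update" verb on the command line
ACTION_SUBSTRINGS = (" a ", " u ")

# selection_password: the -p<password> switch
PASSWORD_SUBSTRINGS = (" -p",)


def _lc(event: Event, field: str) -> str:
    """Lower-cased field value; a missing field never matches (Sigma semantics)."""
    return event.get(field, "").lower()


def selection_img(event: Event) -> bool:
    return (
        any(_lc(event, "Image").endswith(s.lower()) for s in IMAGE_SUFFIXES)
        or _lc(event, "OriginalFileName") in ORIGINAL_FILENAMES
        or any(s in _lc(event, "Description") for s in DESCRIPTION_SUBSTRINGS)
    )


def selection_action(event: Event) -> bool:
    return any(s in _lc(event, "CommandLine") for s in ACTION_SUBSTRINGS)


def selection_password(event: Event) -> bool:
    return any(s in _lc(event, "CommandLine") for s in PASSWORD_SUBSTRINGS)


def matches(event: Event) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_action(event) and selection_password(event)


def evaluate(events: Iterable[Event]) -> List[int]:
    """Indices of the events that fire the rule."""
    return [i for i, e in enumerate(events) if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    # 0: stock 7z.exe creating a password-protected archive -> fires
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "Description": "7-Zip Console",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -pS3cret! C:\Temp\docs.7z C:\Users\bob\Documents'},
    # 1: 7za.exe renamed to look like a system binary; Image no longer matches,
    #    but OriginalFileName/Description from the PE version info still do -> fires
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "OriginalFileName": "7za.exe",
     "Description": "7-Zip Standalone Console",
     "CommandLine": r"svchost.exe u -pHunter2 C:\Temp\docs.7z C:\Users\bob\Desktop\*.xlsx"},
    # 2: benign extraction: no add/update verb, no password switch -> quiet
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "Description": "7-Zip Console",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" x C:\Temp\setup.7z -oC:\Temp\setup'},
    # 3: archive created without a password -> quiet (selection_password fails)
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "Description": "7-Zip Console",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a C:\Backups\nightly.7z C:\Data'},
]


if __name__ == "__main__":
    for idx in evaluate(SAMPLE_EVENTS):
        print(f"event {idx} fires: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Two caveats a deployer should keep in mind: ' a ' and ' u ' are short substrings, so any 7-Zip invocation whose path or arguments happen to contain them will satisfy selection_action, and the -p switch is only seen if the password is passed on the command line; an archive encrypted through an interactive prompt or a GUI produces no ' -p' and is missed by this rule.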