Techniques
Sample rules
Password Protected ZIP File Opened (Email Attachment)
- source: sigma
- techniques:
- t1027
- t1566
- t1566.001
Description
Detects the extraction of password-protected ZIP archives that were opened from the Outlook attachment cache (Security event ID 5379, Credential Manager credentials were read). See the filename value inside TargetName for details on which file has been opened.
Detection logic
selection:
  EventID: 5379
  TargetName|contains|all:
    - Microsoft_Windows_Shell_ZipFolder:filename
    - \Temporary Internet Files\Content.Outlook
condition: selection
Password Protected ZIP File Opened (Suspicious Filenames)
- source: sigma
- techniques:
- t1027
- t1036
- t1105
Description
Detects the extraction of password-protected ZIP archives with suspicious (invoice-, order- or payment-themed) file names, a common phishing lure. See the filename value inside TargetName for details on which file has been opened.
Detection logic
selection:
  EventID: 5379
  TargetName|contains: Microsoft_Windows_Shell_ZipFolder:filename
selection_filename:
  TargetName|contains:
    - invoice
    - new order
    - rechnung
    - factura
    - delivery
    - purchase
    - order
    - payment
condition: selection and selection_filename
Password Protected ZIP File Opened
- source: sigma
- techniques:
- t1027
Description
Detects the extraction of password-protected ZIP archives (Security event ID 5379, Credential Manager credentials were read), excluding archives opened from the Outlook attachment cache, which the Email Attachment rule covers separately. See the filename value inside TargetName for details on which file has been opened.
Detection logic
selection:
  EventID: 5379
  TargetName|contains: Microsoft_Windows_Shell_ZipFolder:filename
filter:
  TargetName|contains: \Temporary Internet Files\Content.Outlook
condition: selection and not filter
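All three rules key on the same signal: when Explorer opens a password-protected ZIP it stores the password in Credential Manager under a target name of the form Microsoft_Windows_Shell_ZipFolder:filename=<path>, and reading it back logs Security event 5379 with that target name. The example below, added here and not part of the Sigma project or of this page, transcribes the three detections into Python data and evaluates them over constructed 5379 events, implementing only the Sigma semantics these rules use (exact match, `contains` as case-insensitive substring, `contains|all`, and the `and`/`not` conditions). The sample TargetName paths and the event dictionaries are constructed for the example, not taken from a real host.

```python
"""Evaluate the three Sigma rules above against constructed Security-log events."""
from typing import Any, Dict, List

ZIP_FOLDER = "Microsoft_Windows_Shell_ZipFolder:filename"
OUTLOOK_TEMP = r"\Temporary Internet Files\Content.Outlook"

# The three rules from the page, transcribed into Python data. Each rule has
# named selections (Sigma search identifiers) and a condition over their results.
RULES: List[Dict[str, Any]] = [
    {
        "title": "Password Protected ZIP File Opened (Email Attachment)",
        "selections": {
            "selection": {
                "EventID": 5379,
                "TargetName|contains|all": [ZIP_FOLDER, OUTLOOK_TEMP],
            }
        },
        "condition": lambda r: r["selection"],
    },
    {
        "title": "Password Protected ZIP File Opened (Suspicious Filenames)",
        "selections": {
            "selection": {"EventID": 5379, "TargetName|contains": ZIP_FOLDER},
            "selection_filename": {
                "TargetName|contains": ["invoice", "new order", "rechnung", "factura",
                                        "delivery", "purchase", "order", "payment"],
            },
        },
        "condition": lambda r: r["selection"] and r["selection_filename"],
    },
    {
        "title": "Password Protected ZIP File Opened",
        "selections": {
            "selection": {"EventID": 5379, "TargetName|contains": ZIP_FOLDER},
            "filter": {"TargetName|contains": OUTLOOK_TEMP},
        },
        "condition": lambda r: r["selection"] and not r["filter"],
    },
]


def match_field(event: Dict[str, Any], field_spec: str, values: Any) -> bool:
    """Sigma field matching for the subset these rules use: plain equality,
    `contains` (case-insensitive substring, any listed value matches) and
    `contains|all` (every listed value must be present)."""
    field, *modifiers = field_spec.split("|")
    actual = str(event.get(field, ""))  # EventID may be int or str in real logs
    if not isinstance(values, list):
        values = [values]
    if "contains" in modifiers:
        haystack = actual.lower()
        hits = [str(v).lower() in haystack for v in values]
        return all(hits) if "all" in modifiers else any(hits)
    return any(actual == str(v) for v in values)


def match_selection(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    # A selection is a map of field -> value(s); every field must match (AND).
    return all(match_field(event, f, v) for f, v in selection.items())


def evaluate(event: Dict[str, Any]) -> List[str]:
    """Return the titles of all rules whose condition holds for one event."""
    titles = []
    for rule in RULES:
        results = {name: match_selection(event, sel)
                   for name, sel in rule["selections"].items()}
        if rule["condition"](results):
            titles.append(rule["title"])
    return titles


# Constructed events (hypothetical paths, not from a real system).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # Archive opened straight from the Outlook attachment cache, lure-style name.
    {"EventID": 5379, "TargetName": ZIP_FOLDER + "=" + r"C:\Users\alice\AppData\Local"
     r"\Microsoft\Windows\Temporary Internet Files\Content.Outlook\K7Q2ZX1P\Invoice_8813.zip"},
    # Ordinary archive from Downloads: only the generic rule should fire.
    {"EventID": 5379, "TargetName": ZIP_FOLDER + "=" + r"C:\Users\alice\Downloads\holiday_photos.zip"},
    # Mixed-case lure name outside Outlook: suspicious-filename and generic rules.
    {"EventID": 5379, "TargetName": ZIP_FOLDER + "=" + r"C:\Users\alice\Downloads\New ORDER 7781.zip"},
    # 5379 for an unrelated Credential Manager target: no rule should fire.
    {"EventID": 5379, "TargetName": "MicrosoftAccount:target=SSO_POP_Device"},
    # Same target name but a different event ID: no rule should fire.
    {"EventID": 4663, "TargetName": ZIP_FOLDER + "=" + r"C:\Users\alice\Downloads\Invoice.zip"},
]


def run_all() -> List[List[str]]:
    """Evaluate every sample event; returns one list of matching titles per event."""
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, titles in zip(SAMPLE_EVENTS, run_all()):
        print(event["EventID"], event["TargetName"], "->", titles or "no match")
```

Two practitioner notes follow from running it. First, the Email Attachment rule and the generic rule are complementary by construction (the generic rule's filter is exactly the Email Attachment rule's second substring), so a single event never fires both; the Suspicious Filenames rule can fire alongside either. Second, because Sigma `contains` is a case-insensitive substring test, "order" also matches "purchase order" and "border", so expect to tune the filename list against your own attachment and download telemetry before alerting on it.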