LoFP / legitimate use of encrypted zip files

Techniques

Sample rules

Password Protected ZIP File Opened (Suspicious Filenames)

Description

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

Detection logic

condition: selection and selection_filename
selection:
  EventID: 5379
  TargetName|contains: Microsoft_Windows_Shell_ZipFolder:filename
selection_filename:
  TargetName|contains:
  - invoice
  - new order
  - rechnung
  - factura
  - delivery
  - purchase
  - order
  - payment

Password Protected ZIP File Opened (Email Attachment)

Description

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Detection logic

condition: selection
selection:
  EventID: 5379
  TargetName|contains|all:
  - Microsoft_Windows_Shell_ZipFolder:filename
  - \Temporary Internet Files\Content.Outlook

Password Protected ZIP File Opened

Description

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Detection logic

condition: selection and not filter
filter:
  TargetName|contains: \Temporary Internet Files\Content.Outlook
selection:
  EventID: 5379
  TargetName|contains: Microsoft_Windows_Shell_ZipFolder:filename
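The three rules above share one base selection (Security Event ID 5379, a Credential Manager read whose TargetName carries the ZipFolder marker) and differ only in how they treat the Outlook attachment temp folder and the filename keywords. The script below is an added example, not part of the LoFP page or of the Sigma project, that re-implements the matching logic in plain Python and runs it over a handful of constructed events. It assumes Sigma's default case-insensitive `contains` semantics and constructed TargetName values of the form `Microsoft_Windows_Shell_ZipFolder:filename=<path>`; the event dicts, paths and ids are made up for illustration. It also demonstrates the substring effect that makes this a false-positive topic: the keyword `order` also matches a filename such as `screen-recorder-1.2.zip`.

```python
"""Re-implementation of the three LoFP sample rules as plain Python predicates.

Added example (not page or Sigma project code). Events are constructed
dicts mimicking the two fields the rules use: EventID and TargetName.
"""

# Strings lifted from the rules above
ZIP_MARKER = "Microsoft_Windows_Shell_ZipFolder:filename"
OUTLOOK_TEMP = r"\Temporary Internet Files\Content.Outlook"
SUSPICIOUS_WORDS = ["invoice", "new order", "rechnung", "factura",
                    "delivery", "purchase", "order", "payment"]


def _contains(value: str, needle: str) -> bool:
    # Sigma's |contains modifier is case-insensitive unless |cased is added
    return needle.lower() in value.lower()


def is_zip_credential_read(event: dict) -> bool:
    """Base selection shared by all three rules."""
    return (event.get("EventID") == 5379
            and _contains(event.get("TargetName", ""), ZIP_MARKER))


def rule_suspicious_filename(event: dict) -> bool:
    """'Password Protected ZIP File Opened (Suspicious Filenames)'."""
    return is_zip_credential_read(event) and any(
        _contains(event.get("TargetName", ""), w) for w in SUSPICIOUS_WORDS)


def rule_email_attachment(event: dict) -> bool:
    """'Password Protected ZIP File Opened (Email Attachment)'."""
    return (is_zip_credential_read(event)
            and _contains(event.get("TargetName", ""), OUTLOOK_TEMP))


def rule_generic(event: dict) -> bool:
    """'Password Protected ZIP File Opened' (everything except Outlook temp)."""
    return (is_zip_credential_read(event)
            and not _contains(event.get("TargetName", ""), OUTLOOK_TEMP))


RULES = {
    "suspicious_filename": rule_suspicious_filename,
    "email_attachment": rule_email_attachment,
    "generic": rule_generic,
}

# Constructed sample events; TargetName format is an assumption.
SAMPLE_EVENTS = [
    {"id": "a", "EventID": 5379, "TargetName":
        r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\Downloads\Invoice_2024.zip"},
    {"id": "b", "EventID": 5379, "TargetName":
        r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\AppData\Local\Microsoft"
        r"\Windows\Temporary Internet Files\Content.Outlook\ABCD1234\payment-details.zip"},
    {"id": "c", "EventID": 5379, "TargetName":
        r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Projects\backup-2024.zip"},
    # Wrong event id: never matches the base selection
    {"id": "d", "EventID": 4624, "TargetName":
        r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bob\Downloads\invoice.zip"},
    # Right event id, but not a ZipFolder credential
    {"id": "e", "EventID": 5379, "TargetName": "MicrosoftAccount:target=SSO_POP_Device"},
    # Benign name that still matches the keyword 'order' as a substring
    {"id": "f", "EventID": 5379, "TargetName":
        r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bob\Downloads\screen-recorder-1.2.zip"},
]


def evaluate(events: list) -> dict:
    """Return, per rule, the ids of the events it fires on."""
    return {name: [e["id"] for e in events if fn(e)] for name, fn in RULES.items()}


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:20s} -> {hits}")
```

Running it shows the email-attachment rule and the generic rule partitioning the ZipFolder events by the Content.Outlook path, so a single extraction never fires both; it also shows that event `f` (a screen recorder installer) trips the suspicious-filename rule purely because `recorder` contains `order`, which is the kind of legitimate use this LoFP entry exists to document. Tightening that keyword (for example matching on word boundaries or on `purchase order`) is a tuning decision for the deploying team, not something the rules above prescribe.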