SigmaHQ/rules/windows/powershell/powershell_data_compressed.yml

28 lines
908 B
YAML
Raw Normal View History

2019-12-09 16:24:10 +00:00
title: Data Compressed - Powershell
2019-11-12 22:12:27 +00:00
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
status: experimental
2020-06-16 20:46:08 +00:00
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
logsource:
product: windows
service: powershell
definition: 'Script block logging must be enabled'
detection:
selection:
EventID: 4104
2020-06-16 20:46:08 +00:00
keywords|contains|all:
- '-Recurse'
- '|'
- 'Compress-Archive'
condition: selection
falsepositives:
- highly likely if archive ops are done via PS
level: low
tags:
- attack.exfiltration
2020-06-16 20:46:08 +00:00
- attack.t1560
- attack.t1002 # an old one