rules/windows/sysmon/sysmon_detect_Compressed_Process.yml

title: Detect compress process using for data exfiltration
description: Detects data compressing behaviour
author: Lep - VuNX
date: 2019/7/10
tags:
  - attack.exfiltration
  - attack.t1002
logsource:
  category: process_creation
  product: windows
detection:
    selection1:
        CommandLine:
            - '*Compress-Archive*'
            - 'rar*'
            - 'zip*'
            - 'gzip*'
    selection2:
        Image: C:\Users\Public\7za.exe
    condition: selection1 or selection2
falsepositives:
    - Real compressed
level: critical
rules for APT32 2019-08-28 10:12:01 +07:00			`title: Detect compress process using for data exfiltration`
			`description: Detects data compressing behaviour`
			`author: Lep - VuNX`
			`date: 2019/7/10`
			`tags:`
process_creation update 2019-08-28 17:13:54 +07:00			`- attack.exfiltration`
			`- attack.t1002`
rules for APT32 2019-08-28 10:12:01 +07:00			`logsource:`
process_creation update 2019-08-28 17:13:54 +07:00			`category: process_creation`
			`product: windows`
rules for APT32 2019-08-28 10:12:01 +07:00			`detection:`
			`selection1:`
			`CommandLine:`
			`- 'Compress-Archive'`
			`- 'rar*'`
			`- 'zip*'`
			`- 'gzip*'`
			`selection2:`
			`Image: C:\Users\Public\7za.exe`
			`condition: selection1 or selection2`
			`falsepositives:`
			`- Real compressed`
			`level: critical`