security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0889a1fc3b1a950fab00a5334f1fef3cd8ba0cb2
blue-team-tools/rules/windows/process_creation/win_pc_run_from_zip.yml
T
frack113 cb938c14df Windows Redcannary
2022-01-15 17:04:03 +01:00

21 lines
596 B
YAML
Raw Blame History

title: Run from a Zip File
id: 1a70042a-6622-4a2b-8958-267625349abf
status: experimental
description: Payloads may be compressed, archived, or encrypted in order to avoid detection
author: frack113
date: 2021/12/26
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: '.zip\'
condition: selection
falsepositives:
- unknown
level: medium
tags:
- attack.impact
- attack.t1485
Reference in New Issue View Git Blame Copy Permalink