blue-team-tools/rules/windows/builtin/security/win_susp_opened_encrypted_zip.yml
2022-05-09 18:03:16 +02:00


title: Password Protected ZIP File Opened
id: 00ba9da1-b510-4f6b-b258-8d338836180f
status: experimental
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth
date: 2022/05/09
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    filter: # avoid overlaps with 54f0434b-726f-48a1-b2aa-067df14516e4
        TargetName|contains: '\Temporary Internet Files\Content.Outlook'
    condition: selection and not filter
falsepositives:
    - Legitimate use of encrypted ZIP files
level: medium
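The rule above keys on Security event 5379 (Credential Manager credentials were read): when Explorer extracts a password protected ZIP, it reads the archive password from Credential Manager under a target name that begins with `Microsoft_Windows_Shell_ZipFolder:filename`, and the rest of that target name carries the archive path. The following Python is an added example, not part of the Sigma project or of this rule file: it evaluates the rule's `selection`, `filter` and `condition` over a handful of constructed event records so you can see which ones would alert and which the Outlook filter suppresses. The event dicts, user names and paths are constructed, and the `:filename=<path>` layout of the target name is an assumption made for the sample data.

```python
"""Added example: apply the Sigma rule 'Password Protected ZIP File Opened'
to constructed Windows Security events. Illustrative code only, not the
Sigma project's or the rule author's implementation."""

# Terms copied from the rule's detection section.
SELECTION_EVENT_ID = 5379
SELECTION_TARGET = "Microsoft_Windows_Shell_ZipFolder:filename"
FILTER_TARGET = "\\Temporary Internet Files\\Content.Outlook"


def matches_selection(event):
    """'selection': EventID 5379 and TargetName contains the ZipFolder marker.
    Sigma string matching is case-insensitive by default, so compare lowercased."""
    target = str(event.get("TargetName", "")).lower()
    return event.get("EventID") == SELECTION_EVENT_ID and SELECTION_TARGET.lower() in target


def matches_filter(event):
    """'filter': archives opened from Outlook's temporary attachment folder,
    which another rule (54f0434b-...) already covers."""
    target = str(event.get("TargetName", "")).lower()
    return FILTER_TARGET.lower() in target


def rule_fires(event):
    """'condition: selection and not filter'."""
    return matches_selection(event) and not matches_filter(event)


def extracted_zip_path(event):
    """Recover the archive path after the ':filename' marker, which the rule
    description points the analyst to. Returns None if the marker is absent.
    The ':filename=<path>' layout is an assumption for this example."""
    target = str(event.get("TargetName", ""))
    marker = ":filename"
    idx = target.find(marker)
    if idx == -1:
        return None
    return target[idx + len(marker):].lstrip("=")


def run_rule(events):
    """Return the archive paths of every event the rule would alert on."""
    return [extracted_zip_path(e) for e in events if rule_fires(e)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Fires: password protected ZIP extracted from a Downloads folder.
    {"EventID": 5379,
     "TargetName": "Microsoft_Windows_Shell_ZipFolder:filename=C:\\Users\\alice\\Downloads\\invoice.zip"},
    # Selected but filtered: opened straight from an Outlook attachment cache.
    {"EventID": 5379,
     "TargetName": "Microsoft_Windows_Shell_ZipFolder:filename=C:\\Users\\alice\\AppData\\Local\\"
                   "Microsoft\\Windows\\Temporary Internet Files\\Content.Outlook\\ABCD1234\\report.zip"},
    # Same event ID, unrelated credential target: not selected.
    {"EventID": 5379, "TargetName": "LegacyGeneric:target=git:https://example.invalid"},
    # Right target name, wrong event ID: not selected.
    {"EventID": 4624, "TargetName": "Microsoft_Windows_Shell_ZipFolder:filename=C:\\x.zip"},
]


def main():
    for path in run_rule(SAMPLE_EVENTS):
        print("ALERT: password protected ZIP opened:", path)


if __name__ == "__main__":
    main()
```

Running it prints a single alert for `invoice.zip`; the Outlook attachment, the unrelated Credential Manager read and the logon event are all dropped, which mirrors the overlap the rule's filter comment is there to avoid.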