# Elastic prebuilt detection rule (Elastic License v2).
# Building-block rule (building_block_type = "default", tag "Rule Type: BBR"): it flags
# PowerShell script blocks that use archive-compression APIs or cmdlets. Compression of
# collected data is a common precursor to exfiltration (ATT&CK T1560), but it is also
# routine admin activity, hence the low risk score / severity below.

[metadata]
# NOTE(review): presumably exempts this rule from the building-block timing constraint
# applied by the rule loader -- confirm against the rule schema.
bypass_bbr_timing = true
creation_date = "2023/07/06"
integration = ["windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and
encrypt data in preparation for exfiltration.
"""
# 9-minute lookback evaluated over event.ingested (see timestamp_override) rather than
# @timestamp -- presumably to tolerate ingest lag; the run interval is not set in this file.
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Archive Compression Capabilities"
risk_score = 21
rule_id = "27071ea3-e806-4697-8abc-e22c92aa4293"
# Data-source prerequisite: without Script Block Logging there is no
# powershell.file.script_block_text field for the query to match on.
setup = """## Setup

The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:

```
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)
```

Steps to implement the logging policy via registry:

```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Collection",
    "Data Source: PowerShell Logs",
    "Rule Type: BBR",
]
timestamp_override = "event.ingested"
type = "query"

# Detection logic (KQL; `and` binds tighter than `or`):
#   (a) a .NET compression type name AND one of the option/mode identifiers that
#       accompany real use of those types, OR
#   (b) the Compress-Archive cmdlet by name;
# then two allow-lists are subtracted.
#
# Reviewer caveat: the first allow-list is a substring match on script_block_text, i.e.
# on attacker-controllable script content. A script that embeds the Lenovo diagnostics
# path or the Ansible copyright line plus "Ansible.ModuleUtils.Backup" would be excluded
# even if it also compresses arbitrary data. That is an accepted trade-off for a
# low-severity building block; do not raise severity or reuse this query elsewhere
# without tightening those exclusions (e.g. pairing them with file.path / process.executable).
#
# The Defender ATP "Downloads" directory is excluded here via file.directory and again
# below via a negated file.path wildcard filter; both are kept as-is.
query = '''
event.category:process and host.os.type:windows and
(
  powershell.file.script_block_text : (
    "IO.Compression.ZipFile" or
    "IO.Compression.ZipArchive" or
    "ZipFile.CreateFromDirectory" or
    "IO.Compression.BrotliStream" or
    "IO.Compression.DeflateStream" or
    "IO.Compression.GZipStream" or
    "IO.Compression.ZLibStream"
  ) and
  powershell.file.script_block_text : (
    "CompressionLevel" or
    "CompressionMode" or
    "ZipArchiveMode"
  ) or
  powershell.file.script_block_text : "Compress-Archive"
) and
not powershell.file.script_block_text : (
  "Compress-Archive -Path 'C:\ProgramData\Lenovo\Udc\diagnostics\latest" or
  ("Copyright: (c) 2017, Ansible Project" and "Ansible.ModuleUtils.Backup")
) and
not file.directory : (
  "C:\Program Files\Microsoft Dependency Agent\plugins\lib" or
  "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" or
  "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads"
)
'''

# Negated Kibana filters on the script file path (applied in addition to the query).
# `?:` matches any drive letter; the TOML `\\\\` yields `\\` in the value, which the
# wildcard query reads as one literal backslash. These exclude known benign scripts
# that legitimately (de)compress archives.

# Defender for Endpoint download/collection staging areas.
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"

# dbatools ships its own Expand-Archive / Compress-Archive scripts under "optional".
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Expand-Archive.ps1"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Compress-Archive.ps1"

# Azure File Sync agent diagnostics collector.
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1"

# ATT&CK mapping: primary tactic Collection / T1560 (Archive Collected Data);
# secondary Execution / T1059.001 (PowerShell) for the interpreter used.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1560"
name = "Archive Collected Data"
reference = "https://attack.mitre.org/techniques/T1560/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"