title: Password Protected ZIP File Opened
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
    - attack.defense-evasion
    - attack.t1027
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: '5379'
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    filter:
        TargetName|contains: '\Temporary Internet Files\Content.Outlook'
    condition: selection and not filter
falsepositives:
    - Legitimate use of encrypted ZIP files
level: medium
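The following is an added worked example, not part of the Sigma rule itself: it applies the rule's `selection and not filter` logic to a few constructed Security-log events and pulls the opened archive path out of `TargetName`. It assumes events arrive as flat dicts with `EventID` and `TargetName` fields, and that the Explorer credential target has the form `Microsoft_Windows_Shell_ZipFolder:filename=<path>` (both assumptions).

```python
from typing import Optional

# Rule terms transcribed from the Sigma rule above.
SELECTION_EVENT_ID = "5379"
SELECTION_TARGET = "Microsoft_Windows_Shell_ZipFolder:filename"
FILTER_TARGET = r"\Temporary Internet Files\Content.Outlook"


def matches_rule(event: dict) -> bool:
    """Evaluate 'selection and not filter' against one Security-log event.

    Assumed input shape: a flat dict with string fields EventID and TargetName.
    Sigma's |contains modifier is case-insensitive, so compare lower-cased."""
    if str(event.get("EventID", "")) != SELECTION_EVENT_ID:
        return False
    target = str(event.get("TargetName", "")).lower()
    if SELECTION_TARGET.lower() not in target:
        return False
    # Exclude archives Outlook extracted into its temporary attachment folder.
    return FILTER_TARGET.lower() not in target


def opened_zip_path(event: dict) -> Optional[str]:
    """Return the archive path carried in TargetName for a matching event.

    Assumes (not confirmed by the rule) the credential target looks like
    'Microsoft_Windows_Shell_ZipFolder:filename=<path>'."""
    if not matches_rule(event):
        return None
    target = str(event["TargetName"])
    marker = target.lower().find("filename=")
    return target[marker + len("filename="):] if marker != -1 else None


def run_rule(events: list) -> list:
    """Return the ZIP paths of all events that fire the rule, in log order."""
    return [p for p in (opened_zip_path(e) for e in events) if p is not None]


# Constructed sample events; not real log data.
SAMPLE_EVENTS = [
    {"EventID": "5379",  # fires: password-protected ZIP opened from Downloads
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\Downloads\invoice.zip"},
    {"EventID": "5379",  # suppressed by the filter: Outlook attachment temp folder
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ABC123\report.zip"},
    {"EventID": "5379",  # other credential read, not a ZIP folder target
     "TargetName": "git:https://example.invalid"},
    {"EventID": "4663",  # wrong event ID, must not fire even with a matching target
     "TargetName": r"Microsoft_Windows_Shell_ZipFolder:filename=C:\x.zip"},
]

if __name__ == "__main__":
    for path in run_rule(SAMPLE_EVENTS):
        print("password-protected ZIP opened:", path)
```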