Detection rules › Sigma
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Collection | T1074.001 Data Staged: Local Data Staging |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| PowerShell | 4103 | Payload Context: ContextInfo User Data: UserData. |
Stages and Predicates
Stage 1: selection
ContextInfo|contains: 'Compress-Archive -Path*-DestinationPath $env:TEMP'
ContextInfo|contains: 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
ContextInfo|contains: 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ContextInfo | match |
|