Suspicious ZipExec Execution
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND (COMMANDLINE contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" AND COMMANDLINE contains ".zip" AND COMMANDLINE contains "/pass:" AND COMMANDLINE contains "/user:") OR (COMMANDLINE contains "/delete" AND COMMANDLINE contains "Microsoft_Windows_Shell_ZipFolder:filename=" AND COMMANDLINE contains ".zip")
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
Detection
Execution Mode
realtime
Log Sources
Windows
Author
frack113
