Home/Sigma rules
Sigma

Sigma detection rules

4 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

4 shown of 4
medium
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
status test author Nasreddine Bencherchali (Nextron Systems), frack113 id 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
view Sigma YAML 
title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
related:
    - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
      type: similar
    - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
      type: similar
    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
      type: similar
status: test
description: |
    Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-20
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1074.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
            - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
            - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
status test author Nasreddine Bencherchali (Nextron Systems), frack113 id daf7eb81-35fd-410d-9d7a-657837e602bb
view Sigma YAML 
title: Zip A Folder With PowerShell For Staging In Temp  - PowerShell Module
id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
related:
    - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
      type: similar
    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
      type: similar
    - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
      type: similar
status: test
description: |
    Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-20
modified: 2023-12-18
tags:
    - attack.collection
    - attack.t1074.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains|all:
            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
            - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
            - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Zip A Folder With PowerShell For Staging In Temp - PowerShell
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
status test author Nasreddine Bencherchali (Nextron Systems), frack113 id 71ff406e-b633-4989-96ec-bc49d825a412
view Sigma YAML 
title: Zip A Folder With PowerShell For Staging In Temp - PowerShell
id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
related:
    - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
      type: similar
    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
      type: similar
    - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
      type: similar
status: test
description: |
    Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-20
modified: 2023-12-18
tags:
    - attack.collection
    - attack.t1074.001
logsource:
    product: windows
    service: powershell-classic
detection:
    selection:
        Data|contains:
            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
            - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
            - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
status test author Nasreddine Bencherchali (Nextron Systems), frack113 id b7a3c9a3-09ea-4934-8864-6a32cacd98d9
view Sigma YAML 
title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
related:
    - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
      type: similar
    - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
      type: similar
    - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
      type: similar
status: test
description: |
    Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-20
modified: 2023-12-18
tags:
    - attack.collection
    - attack.t1074.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
            - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
            - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: medium
Showing 1-4 of 4
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin