splApache-2.0from splunk/security_content
Windows Archive Collected Data via Powershell
The following analytic detects the use of PowerShell scripts to archive files into a temporary folder. It leverages PowerShell Script Block Logging, specifically monitoring for the `Compress-Archive` command targeting the `Temp` directory. This activity is significant as it may indicate an adversary's attempt to collect and compress data for exfiltration. If confirmed malicious, this behavior could lead to unauthorized data access and exfiltration, posing a severe risk to sensitive information and overall network security.
Quality
51
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_archive_collected_data_via_powershell.yml
`powershell` EventCode=4104 ScriptBlockText = "*Compress-Archive*" ScriptBlockText = "*\\Temp\\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_archive_collected_data_via_powershell_filter`