IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
PowerShell Script with Archive Compression Capabilities
Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-windows.powershell*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Collection
- Data Source: PowerShell Logs
- Rule Type: BBR
Version: 208
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
The PowerShell Script Block Logging policy must be enabled. Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)
Steps to implement the logging policy via registry:
reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
Rule query
event.category:process and host.os.type:windows and
  (
    powershell.file.script_block_text : (
      "IO.Compression.ZipFile" or
      "IO.Compression.ZipArchive" or
      "ZipFile.CreateFromDirectory" or
      "IO.Compression.BrotliStream" or
      "IO.Compression.DeflateStream" or
      "IO.Compression.GZipStream" or
      "IO.Compression.ZLibStream"
    ) and
    powershell.file.script_block_text : (
      "CompressionLevel" or
      "CompressionMode" or
      "ZipArchiveMode"
    ) or
    powershell.file.script_block_text : "Compress-Archive"
  ) and
  not powershell.file.script_block_text : (
    "Compress-Archive -Path 'C:\ProgramData\Lenovo\Udc\diagnostics\latest" or
    ("Copyright: (c) 2017, Ansible Project" and "Ansible.ModuleUtils.Backup")
  ) and
  not file.directory : "C:\Program Files\Microsoft Dependency Agent\plugins\lib"
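To see which script blocks the query above would flag, here is an added Python approximation of its predicate (not Elastic's code) run over constructed sample events; the field names and exclusion strings are the rule's, while the sample events and the casefolded substring matching (standing in for Elasticsearch's analyzed phrase matching) are assumptions.

```python
# Added example (not from the rule): Python approximation of the rule's KQL predicate
# run over constructed sample events. KQL "and" binds tighter than "or", so the middle
# clause reads (type AND option) OR "Compress-Archive"; casefolded substring matching
# approximates the analyzed-text phrase matching Elasticsearch performs (assumption).
COMPRESSION_TYPES = (
    "IO.Compression.ZipFile", "IO.Compression.ZipArchive", "ZipFile.CreateFromDirectory",
    "IO.Compression.BrotliStream", "IO.Compression.DeflateStream",
    "IO.Compression.GZipStream", "IO.Compression.ZLibStream",
)
COMPRESSION_OPTIONS = ("CompressionLevel", "CompressionMode", "ZipArchiveMode")
LENOVO_PREFIX = "Compress-Archive -Path 'C:\\ProgramData\\Lenovo\\Udc\\diagnostics\\latest"
ANSIBLE_MARKERS = ("Copyright: (c) 2017, Ansible Project", "Ansible.ModuleUtils.Backup")
DEP_AGENT_DIR = "C:\\Program Files\\Microsoft Dependency Agent\\plugins\\lib"
SBT = "powershell.file.script_block_text"

def contains_any(text, needles):
    t = text.casefold()
    return any(n.casefold() in t for n in needles)

def rule_matches(event):
    # Scope filters: only Windows process events with script block text are considered.
    if event.get("event.category") != "process" or event.get("host.os.type") != "windows":
        return False
    text = event.get(SBT, "")
    positive = (contains_any(text, COMPRESSION_TYPES) and contains_any(text, COMPRESSION_OPTIONS)) \
        or contains_any(text, ("Compress-Archive",))
    if not positive:
        return False
    # Exclusions for known benign tooling, mirroring the rule's "and not" clauses.
    if contains_any(text, (LENOVO_PREFIX,)):
        return False
    if all(contains_any(text, (m,)) for m in ANSIBLE_MARKERS):
        return False
    return event.get("file.directory") != DEP_AGENT_DIR

def sample_events():
    # Constructed script block events (not real telemetry), one per rule branch.
    base = {"event.category": "process", "host.os.type": "windows"}
    return [
        dict(base, id="zip-with-level", **{SBT: "[IO.Compression.ZipFile]::CreateFromDirectory("
             "$src, $dst, [IO.Compression.CompressionLevel]::Optimal, $false)"}),
        dict(base, id="zip-no-option", **{SBT: "[IO.Compression.ZipFile]::OpenRead($path)"}),
        dict(base, id="compress-archive", **{SBT: "Compress-Archive -Path C:\\Temp\\reports -DestinationPath out.zip"}),
        dict(base, id="lenovo-excluded", **{SBT: LENOVO_PREFIX + "' -DestinationPath diag.zip"}),
        dict(base, id="dep-agent-dir", **{SBT: "Compress-Archive -Path logs -DestinationPath l.zip", "file.directory": DEP_AGENT_DIR}),
        dict(base, id="linux-host", **{SBT: "Compress-Archive -Path a -DestinationPath b.zip", "host.os.type": "linux"}),
    ]

def matching_ids(events):
    return [e["id"] for e in events if rule_matches(e)]
```

Note that a bare ZipFile call without a CompressionLevel, CompressionMode or ZipArchiveMode token does not alert, since the first branch requires both a type and an option string.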
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Collection
  - ID: TA0009
  - Reference URL: https://attack.mitre.org/tactics/TA0009/
- Technique:
  - Name: Archive Collected Data
  - ID: T1560
  - Reference URL: https://attack.mitre.org/techniques/T1560/
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Command and Scripting Interpreter
  - ID: T1059
  - Reference URL: https://attack.mitre.org/techniques/T1059/
- Sub-technique:
  - Name: PowerShell
  - ID: T1059.001
  - Reference URL: https://attack.mitre.org/techniques/T1059/001/