← Back to SOC feed Coverage →

Compress Data and Lock With Password for Exfiltration With WINZIP

sigma MEDIUM SigmaHQ
T1560.001
imProcessCreate
backdoor
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-23T23:00:00Z · Confidence: medium

Hunt Hypothesis

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

Detection Rule

Sigma (Original)

title: Compress Data and Lock With Password for Exfiltration With WINZIP
id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021-07-27
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_winzip:
        CommandLine|contains:
            - 'winzip.exe'
            - 'winzip64.exe'
    selection_password:
        CommandLine|contains: '-s"'
    selection_other:
        CommandLine|contains:
            - ' -min '
            - ' -a '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains "winzip.exe" or TargetProcessCommandLine contains "winzip64.exe") and TargetProcessCommandLine contains "-s\"" and (TargetProcessCommandLine contains " -min " or TargetProcessCommandLine contains " -a ")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml